From 2980b18bfd45cb88d294fcdef0b77ca724f61749 Mon Sep 17 00:00:00 2001
From: Francesco Colista
Date: Thu, 4 Jul 2019 06:56:39 +0000
Subject: main/patchwork: security fix (CVE-2019-13122)
---
 main/patchwork/APKBUILD | 12 +++++++++---
 main/patchwork/CVE-2019-13122.patch | 18 ++++++++++++++++++
 2 files changed, 27 insertions(+), 3 deletions(-)
 create mode 100644 main/patchwork/CVE-2019-13122.patch
(limited to 'main')
diff --git a/main/patchwork/APKBUILD b/main/patchwork/APKBUILD
index 3b45b6004d..f9bed1ab60 100644
--- a/main/patchwork/APKBUILD
+++ b/main/patchwork/APKBUILD
@@ -2,7 +2,7 @@
 # Maintainer: Francesco Colista
 pkgname=patchwork
 pkgver=1.1.3
-pkgrel=0
+pkgrel=1
 pkgdesc="Web-based patch tracking system"
 url="https://github.com/getpatchwork/patchwork"
 arch="noarch"
@@ -14,10 +14,15 @@ source="$pkgname-$pkgver.tar.gz::https://github.com/getpatchwork/$pkgname/archiv
 0001-support-busybox-readlink.patch
 0002-remove-uneeded-bashism-from-tools-and-change-path.patch
 nginx-uwsgi-patchwork-conf.ini
- nginx-patchwork.conf"
+ nginx-patchwork.conf
+ CVE-2019-13122.patch"
 builddir="$srcdir"/$pkgname-$pkgver
+# secfixes:
+# 1.1.3-r1:
+# - CVE-2019-13122
+
 build() {
 cd "$builddir"
 return 0
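Review bot: The second APKBUILD hunk adds `CVE-2019-13122.patch` to `source` and records it under `# secfixes:`, but nothing in the visible hunk applies it — there is no `prepare()` and `build()` only does `cd "$builddir"; return 0`. If this APKBUILD relies on abuild's default prepare step to apply every `*.patch` in `source`, that is fine, but that relies on code outside the hunk; if the package defines its own `prepare()` elsewhere in the file, the new patch is never applied and the secfixes entry would be wrong. Worth confirming once with a build log that shows the patch being applied, and noting it in the secfixes comment if the package depends on default_prepare, e.g. `# patches in source are applied by default_prepare`.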
@@ -79,4 +84,5 @@ sha512sums="e718ce942781c64e672c7ce9df4362277df418ba2adb61d8b512bf11ffd275d675f9
 a5d4e24741b66092a39c1ef4fdc76dffa1ddf87a69544ab0c374fb0701b0f7340a62ead86835d9bb412df5713f3ea3c0218e9e2e0cd01d9a1aad9414a3cc75fa 0001-support-busybox-readlink.patch
 12d1b184c6cb1d3f2c51adab6b60638e4869e055e677897bb66ee1a52312e77817bec543842324e2cbc2c226f3ab9d11c3782b5ef3a6f5f5712996cadbc6c9c9 0002-remove-uneeded-bashism-from-tools-and-change-path.patch
 28911a25e00a254237f7214fb681e5e984a2eae331e610be62967d5e246958e0f8d3f84861d8fd17c1190c1df72a25f28ddb33843b3679a3864beb00cb4b4961 nginx-uwsgi-patchwork-conf.ini
-862dd2522236a0b18d2a8d06f1ad91ad0fd0936fa502d95e09556641e67d42e1212821bfd7fb98923e4fe8b8a7369ded8c23831fb496b1e2833d9831c1b23725 nginx-patchwork.conf"
+862dd2522236a0b18d2a8d06f1ad91ad0fd0936fa502d95e09556641e67d42e1212821bfd7fb98923e4fe8b8a7369ded8c23831fb496b1e2833d9831c1b23725 nginx-patchwork.conf
+9c8d7a6257259ec2467a5398fdfcad637aad61434427ab71588cca31432fdc060ec29ba1d35cd560b83e13ead9794d4a2e9435c75909ea7a86044734ec1aa5a8 CVE-2019-13122.patch"
diff --git a/main/patchwork/CVE-2019-13122.patch b/main/patchwork/CVE-2019-13122.patch
new file mode 100644
index 0000000000..3210c14cf1
--- /dev/null
+++ b/main/patchwork/CVE-2019-13122.patch
@@ -0,0 +1,18 @@
+diff --git a/patchwork/templatetags/patch.py b/patchwork/templatetags/patch.py
+index c65bd5e..9a447bc 100644
+--- a/patchwork/templatetags/patch.py
++++ b/patchwork/templatetags/patch.py
+@@ -21,6 +21,7 @@
+ from __future__ import absolute_import
+ 
+ from django import template
++from django.utils.html import escape
+ from django.utils.safestring import mark_safe
+ from django.template.defaultfilters import stringfilter
+ 
+@@ -65,4 +66,4 @@ def state_class(state):
+ @register.filter
+ @stringfilter
+ def msgid(value):
+- return mark_safe(value.strip('<>'))
++ return escape(value.strip('<>'))
-- 
cgit v1.2.3
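Review bot: The new CVE-2019-13122.patch begins directly at `+diff --git` with no header, so nothing in the package explains what the fix changes or where it was taken from; a reviewer has only the file name to go on. A short preamble before the first `diff --git` line would make it reviewable, e.g. `Fix CVE-2019-13122: the msgid template filter returned the stripped Message-ID via mark_safe, bypassing autoescaping; return it through django.utils.html.escape instead.` followed by an `Upstream: <upstream commit URL or id>` line. The code change itself looks right: `escape()` returns an already-safe string, so the filter output is escaped exactly once and the `@stringfilter` coercion still applies. The context line `from django.utils.safestring import mark_safe` is left in place; if `mark_safe` is not used anywhere else in patch.py it is now an unused import, but the rest of the module is outside this hunk, so that needs checking rather than assuming.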