[Pkg-javascript-devel] Bug#952785: buster-pu: package dojo/1.15.0+dfsg1-1+deb10u1
Xavier Guimard
yadd at debian.org
Sat Feb 29 08:10:51 GMT 2020
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org at packages.debian.org
Usertags: pu
Hi,
dojo is vulnerable to Cross-site Scripting. This is due to
dojox.xmpp.util.xmlEncode only encoding the first occurrence of each
character, not all of them.
This upstream patch fixes this issue
Cheers,
Xavier
-------------- next part --------------
diff --git a/debian/changelog b/debian/changelog
index 14447b52..0e5dc462 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+dojo (1.15.0+dfsg1-1+deb10u1) buster; urgency=medium
+
+ * Team upload
+ * Cleanup improper regex usage (Closes: #952771, 2019, 10785)
+
+ -- Xavier Guimard <yadd at debian.org> Sat, 29 Feb 2020 09:07:02 +0100
+
dojo (1.15.0+dfsg1-1) unstable; urgency=medium
* New upstream version :
diff --git a/debian/patches/CVE-2019-10785.patch b/debian/patches/CVE-2019-10785.patch
new file mode 100644
index 00000000..67ab40f2
--- /dev/null
+++ b/debian/patches/CVE-2019-10785.patch
@@ -0,0 +1,45 @@
+Description: Cleanup improper regex usage
+Author: Paul <paul at sitepen.com>
+Origin: upstream, https://github.com/dojo/dojox/pull/317
+Bug: https://github.com/dojo/dojox/pull/315
+Bug-Debian: https://bugs.debian.org/952771
+Forwarded: not-needed
+Reviewed-By: Xavier Guimard <yadd at debian.org>
+Last-Update: 2020-02-29
+
+--- a/dojox/dtl/dom.js
++++ b/dojox/dtl/dom.js
+@@ -94,7 +94,7 @@ define([
+ var replacement = "";
+ for(var p = 2, pl = pair.length; p < pl; p++){
+ if(p == 2){
+- replacement += "<" + tag + ' dtlinstruction="{% ' + token[k].replace('"', '\\"') + ' %}">';
++ replacement += "<" + tag + ' dtlinstruction="{% ' + token[k].replace(/"/g, '\\"') + ' %}">';
+ }else if(tag == pair[p]) {
+ continue;
+ }else{
+--- a/dojox/widget/RollingList.js
++++ b/dojox/widget/RollingList.js
+@@ -1050,7 +1050,7 @@ dojo.declare("dojox.widget.RollingList",
+ widgetItem.store = this.store;
+ widgetItem.item = item;
+ if(!widgetItem.label){
+- widgetItem.attr("label", this.store.getLabel(item).replace(/</,"<"));
++ widgetItem.attr("label", this.store.getLabel(item).replace(/</g,"<"));
+ }
+ if(widgetItem.focusNode){
+ var self = this;
+--- a/dojox/xmpp/util.js
++++ b/dojox/xmpp/util.js
+@@ -3,10 +3,7 @@ dojo.require("dojox.string.Builder");
+ dojo.require("dojox.encoding.base64");
+
+ dojox.xmpp.util.xmlEncode = function(str) {
+- if(str) {
+- str = str.replace("&", "&").replace(">", ">").replace("<", "<").replace("'", "'").replace('"', """);
+- }
+- return str;
++ return dojo.string.escape(str);
+ };
+
+ dojox.xmpp.util.encodeJid = function(jid) {
diff --git a/debian/patches/series b/debian/patches/series
index f39e7f29..6051ed59 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,3 +1,4 @@
0001-Compatibility-patch-for-newer-rhino.patch
0002-Do-notrun-test-suite-in-build.patch
0003-Disable-flash-storage.patch
+#CVE-2019-10785.patch
More information about the Pkg-javascript-devel
mailing list