[Pkg-javascript-devel] Bug#995291: bullseye-pu: package datatables.js/1.10.21+dfsg-2+deb11u1

Yadd yadd at debian.org
Wed Sep 29 09:27:21 BST 2021


Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian.org at packages.debian.org
Usertags: pu
X-Debbugs-Cc: pkg-javascript-devel at lists.alioth.debian.org

[ Reason ]
datatables.js is vulnerable to CVE-2021-23445: if an array is passed to
the HTML escape entities, it would not have its content escaped
(#995229)

[ Impact ]
Medium vulnerability

[ Tests ]
Sadly, no test for this package

[ Risks ]
Low risk, patch is trivial

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

[ Changes ]
Replace array by joined string

Cheers,
Yadd
diff --git a/debian/changelog b/debian/changelog
index 281d0fc..2431f60 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+datatables.js (1.10.21+dfsg-2+deb11u1) bullseye; urgency=medium
+
+  * Team upload.
+  * Fix: If an array was passed to the HTML escape entities function it would
+    not have its contents escaped (Closes: #995229, CVE-2021-23445)
+
+ -- Yadd <yadd at debian.org>  Wed, 29 Sep 2021 10:22:37 +0200
+
 datatables.js (1.10.21+dfsg-2) unstable; urgency=medium
 
   * Team upload.
diff --git a/debian/patches/CVE-2021-23445.patch b/debian/patches/CVE-2021-23445.patch
new file mode 100644
index 0000000..92683b9
--- /dev/null
+++ b/debian/patches/CVE-2021-23445.patch
@@ -0,0 +1,22 @@
+Description: Fix: If an array was passed to the HTML escape entities function it would not have its contents escaped
+ Many thanks to Alessio Della Libera of Snyk for finding and reporting this.
+Author: Allan Jardine <allan.jardine at sprymedia.co.uk>
+Origin: upstream, https://github.com/DataTables/Dist-DataTables/commit/59a8d3f8
+Bug: https://security-tracker.debian.org/tracker/CVE-2021-23445
+Bug-Debian: https://bugs.debian.org/995229
+Forwarded: not-needed
+Reviewed-By: Yadd <yadd at debian.org>
+Last-Update: 2021-09-29
+
+--- a/js/ext/ext.helpers.js
++++ b/js/ext/ext.helpers.js
+@@ -7,6 +7,9 @@
+  */
+ 
+ var __htmlEscapeEntities = function ( d ) {
++	if (Array.isArray(d)) {
++		d = d.join(',');
++	}
+ 	return typeof d === 'string' ?
+ 		d
+ 			.replace(/&/g, '&')
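Review bot: the trailing context line `.replace(/&/g, '&')` as rendered here is a no-op replacement; the upstream helper replaces `&` with the entity `&amp;`, so the archive has most likely decoded the entity when rendering this mail. Worth confirming that the checked-in debian/patches/CVE-2021-23445.patch carries the literal `&amp;` context and applies cleanly with `quilt push` before the upload. On the fix itself: the new `Array.isArray` branch only covers true arrays; any other non-string value still falls through to the ternary's non-string branch, which lies outside this hunk, so that is the place to check if the same class of input reaches the helper via objects rather than arrays.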
diff --git a/debian/patches/series b/debian/patches/series
index 0272ced..d3c69f7 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,3 +1,4 @@
 use_correct_closure_path
 disable_git
 use-tempdir-and-errexit.patch
+CVE-2021-23445.patch


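To make the [ Reason ] section concrete, the following is an added JavaScript illustration, not code from the package or from this bug report: the escape helper as it stands in the hunk context (vulnerable) beside the patched form, run on a constructed array value. The escape chain is assumed to cover only `&`, `<` and `>`, and `renderCell` is a hypothetical stand-in for the string concatenation that coerces an array via `toString()`.

```javascript
// Added illustration of CVE-2021-23445 (not the project's own code).

// Reconstruction of the helper before the patch: only strings are escaped;
// anything else, including an array of strings, is returned untouched.
// The replace chain is assumed to cover just &, < and >.
function htmlEscapeEntitiesVulnerable(d) {
  return typeof d === 'string'
    ? d.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;')
    : d;
}

// Patched form (the Array.isArray branch from the debdiff): an array is
// joined into one string first, so every element goes through escaping.
function htmlEscapeEntitiesFixed(d) {
  if (Array.isArray(d)) {
    d = d.join(',');
  }
  return typeof d === 'string'
    ? d.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;')
    : d;
}

// Hypothetical stand-in for a renderer that concatenates the helper's
// result into markup; an unescaped array is coerced here via toString().
function renderCell(escape, value) {
  return '<td>' + escape(value) + '</td>';
}

// Constructed sample: a cell value that arrives as an array of strings.
const SAMPLE_ARRAY = ['<b>bold</b>', 'x & y'];

// True when the rendered markup still contains a raw <b> tag.
function containsRawTag(markup) {
  return /<b>/.test(markup);
}

// Renders the sample through both helpers and reports whether a tag leaked.
function demo() {
  const before = renderCell(htmlEscapeEntitiesVulnerable, SAMPLE_ARRAY);
  const after = renderCell(htmlEscapeEntitiesFixed, SAMPLE_ARRAY);
  return {
    before,
    after,
    beforeLeaksTag: containsRawTag(before),
    afterLeaksTag: containsRawTag(after),
  };
}

console.log(demo());
```

The vulnerable helper hands the array back unchanged, so the markup ends up containing the raw `<b>` tag, while the patched helper produces the entity-escaped, comma-joined string.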