[Pkg-javascript-devel] Bug#1036977: bullseye-pu: package jqueryui/1.12.1+dfsg-8+deb11u2

Yadd yadd at debian.org
Wed May 31 12:13:06 BST 2023


Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian.org at packages.debian.org
Usertags: pu
X-Debbugs-Cc: jqueryui at packages.debian.org
Control: affects -1 + src:jqueryui

[ Reason ]
jqueryui is potentially vulnerable to cross-site scripting
(CVE-2022-31160)

[ Impact ]
Low security issue

[ Tests ]
Sadly tests are minimal in this package. Anyway passed

[ Risks ]
Low risk, patch is trivial

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

[ Changes ]
Checkboxradio: don't re-evaluate text labels as HTML (the label text is now serialized through a detached wrapper's innerHTML instead of being concatenated as raw text, so HTML-like text stays text on create and refresh)

Cheers,
Yadd
-------------- next part --------------
diff --git a/debian/changelog b/debian/changelog
index 3a6a587..9b1e9cc 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+jqueryui (1.12.1+dfsg-8+deb11u2) bullseye; urgency=medium
+
+  * Team upload
+  * Checkboxradio: Don't re-evaluate text labels as HTML (Closes: CVE-2022-31160)
+
+ -- Yadd <yadd at debian.org>  Wed, 31 May 2023 15:08:55 +0400
+
 jqueryui (1.12.1+dfsg-8+deb11u1) bullseye; urgency=medium
 
   * Team upload
diff --git a/debian/patches/CVE-2022-31160.patch b/debian/patches/CVE-2022-31160.patch
new file mode 100644
index 0000000..11d7baa
--- /dev/null
+++ b/debian/patches/CVE-2022-31160.patch
@@ -0,0 +1,156 @@
+Description: Checkboxradio: Don't re-evaluate text labels as HTML
+Author: Micha? Go??biowski-Owczarek <m.goleb at gmail.com>
+Origin: upstream, https://github.com/jquery/jquery-ui/commit/8cc5bae1
+Bug: https://github.com/jquery/jquery-ui/security/advisories/GHSA-h6gj-6jjq-h8g9
+Forwarded: not-needed
+Applied-Upstream: 1.13.2, commit:8cc5bae1
+Reviewed-By: Yadd <yadd at debian.org>
+Last-Update: 2023-05-31
+
+--- a/tests/unit/checkboxradio/checkboxradio.html
++++ b/tests/unit/checkboxradio/checkboxradio.html
+@@ -64,6 +64,18 @@
+ <label>
+ 	<input type="checkbox" id="label-with-no-for"/>
+ </label>
++<label>
++	<input type="checkbox" id="label-with-no-for-with-html"/>
++	<strong>Hi</strong>, <em>I'm a label</em>
++</label>
++<label>
++	<input type="checkbox" id="label-with-no-for-with-text"/>
++	Hi, I'm a label
++</label>
++<label>
++	<input type="checkbox" id="label-with-no-for-with-html-like-text"/>
++	<em>Hi, I'm a label</em>
++</label>
+ 
+ <form id="form3"></form>
+ <input type="radio" name="crazy-form" id="crazy-form-1" form="form3" checked="checked">
+--- a/tests/unit/checkboxradio/core.js
++++ b/tests/unit/checkboxradio/core.js
+@@ -135,4 +135,41 @@
+ 	);
+ } );
+ 
++QUnit.test( "Inheriting label from initial HTML", function( assert ) {
++	var tests = [
++		{
++			id: "label-with-no-for-with-html",
++			expectedLabel: "<strong>Hi</strong>, <em>I'm a label</em>"
++		},
++		{
++			id: "label-with-no-for-with-text",
++			expectedLabel: "Hi, I'm a label"
++		},
++		{
++			id: "label-with-no-for-with-html-like-text",
++			expectedLabel: "<em>Hi, I'm a label</em>"
++		}
++	];
++
++	assert.expect( tests.length );
++
++	tests.forEach( function( testData ) {
++		var id = testData.id;
++		var expectedLabel = testData.expectedLabel;
++		var inputElem = $( "#" + id );
++		var labelElem = inputElem.parent();
++
++		inputElem.checkboxradio( { icon: false } );
++
++		var labelWithoutInput = labelElem.clone();
++		labelWithoutInput.find( "input" ).remove();
++
++		assert.strictEqual(
++			labelWithoutInput.html().trim(),
++			expectedLabel.trim(),
++			"Label correct [" + id + "]"
++		);
++	} );
++} );
++
+ } );
+--- a/tests/unit/checkboxradio/methods.js
++++ b/tests/unit/checkboxradio/methods.js
+@@ -94,4 +94,42 @@
+ 	assert.strictEqual( input.parent()[ 0 ], element[ 0 ], "Input preserved" );
+ } );
+ 
++QUnit.test( "Initial text label not turned to HTML on refresh", function( assert ) {
++	var tests = [
++		{
++			id: "label-with-no-for-with-html",
++			expectedLabel: "<strong>Hi</strong>, <em>I'm a label</em>"
++		},
++		{
++			id: "label-with-no-for-with-text",
++			expectedLabel: "Hi, I'm a label"
++		},
++		{
++			id: "label-with-no-for-with-html-like-text",
++			expectedLabel: "<em>Hi, I'm a label</em>"
++		}
++	];
++
++	assert.expect( tests.length );
++
++	tests.forEach( function( testData ) {
++		var id = testData.id;
++		var expectedLabel = testData.expectedLabel;
++		var inputElem = $( "#" + id );
++		var labelElem = inputElem.parent();
++
++		inputElem.checkboxradio( { icon: false } );
++		inputElem.checkboxradio( "refresh" );
++
++		var labelWithoutInput = labelElem.clone();
++		labelWithoutInput.find( "input" ).remove();
++
++		assert.strictEqual(
++			labelWithoutInput.html().trim(),
++			expectedLabel.trim(),
++			"Label correct [" + id + "]"
++		);
++	} );
++} );
++
+ } );
+--- a/ui/widgets/checkboxradio.js
++++ b/ui/widgets/checkboxradio.js
+@@ -48,8 +48,7 @@
+ 	},
+ 
+ 	_getCreateOptions: function() {
+-		var disabled, labels;
+-		var that = this;
++		var disabled, labels, labelContents;
+ 		var options = this._super() || {};
+ 
+ 		// We read the type here, because it makes more sense to throw a element type error first,
+@@ -69,12 +68,18 @@
+ 
+ 		// We need to get the label text but this may also need to make sure it does not contain the
+ 		// input itself.
+-		this.label.contents().not( this.element[ 0 ] ).each( function() {
+-
+-			// The label contents could be text, html, or a mix. We concat each element to get a
+-			// string representation of the label, without the input as part of it.
+-			that.originalLabel += this.nodeType === 3 ? $( this ).text() : this.outerHTML;
+-		} );
++		// The label contents could be text, html, or a mix. We wrap all elements
++		// and read the wrapper's `innerHTML` to get a string representation of
++		// the label, without the input as part of it.
++		labelContents = this.label.contents().not( this.element[ 0 ] );
++
++		if ( labelContents.length ) {
++			this.originalLabel += labelContents
++				.clone()
++				.wrapAll( "<div></div>" )
++				.parent()
++				.html();
++		}
+ 
+ 		// Set the label option if we found label text
+ 		if ( this.originalLabel ) {
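Review bot: The `label-with-no-for-with-html-like-text` fixture in the checkboxradio.html part of this patch, and the matching `expectedLabel` strings in the core.js and methods.js parts, read here as real `<em>` markup, which makes that case structurally the same as the `-with-html` one and leaves the actual CVE scenario — label text that merely looks like HTML — untested. Upstream commit 8cc5bae1 writes these three strings entity-escaped, `&lt;em&gt;Hi, I'm a label&lt;/em&gt;` both in the fixture and as `expectedLabel`, so the assertions pin that `.html()` still returns the escaped form after create and after `refresh`. With literal `<em>` elements the pre-fix `outerHTML` concatenation would very likely pass the new tests too, so the regression test would not catch a reintroduction. If the unescaped form is only an artifact of how the list archive rendered the mail, nothing needs to change; otherwise the three strings should be restored to the escaped form before upload. Note also that the `_getCreateOptions` body in the ui/widgets/checkboxradio.js part continues past the end of the quoted hunk.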
diff --git a/debian/patches/series b/debian/patches/series
index 71a6270..f06c833 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -4,3 +4,4 @@ use_system_files_in_examples.patch
 CVE-2021-41182.patch
 CVE-2021-41183.patch
 CVE-2021-41184.patch
+CVE-2022-31160.patch

