[Pkg-javascript-devel] Bug#1036980: unblock: jquery-minicolors/2.3.5+dfsg-4

Yadd yadd at debian.org
Wed May 31 13:49:37 BST 2023


Package: release.debian.org
Severity: normal
User: release.debian.org at packages.debian.org
Usertags: unblock
X-Debbugs-Cc: jquery-minicolors at packages.debian.org
Control: affects -1 + src:jquery-minicolors

Please unblock package jquery-minicolors

[ Reason ]
jquery-minicolors is vulnerable to cross-site scripting
(CVE-2021-32850)

[ Impact ]
Low security issue

[ Tests ]
No test here

[ Risks ]
Low risk, patch is trivial

[ Checklist ]
  [X] all changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in testing

Cheers,
Yadd

unblock jquery-minicolors/2.3.5+dfsg-4
diff --git a/debian/changelog b/debian/changelog
index 1e959f0..dcf5b2f 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+jquery-minicolors (2.3.5+dfsg-4) unstable; urgency=medium
+
+  * Team upload
+  * Declare compliance with policy 4.6.2
+  * Fix cross-site scripting issue (Closes: CVE-2021-32850)
+
+ -- Yadd <yadd at debian.org>  Wed, 31 May 2023 16:44:37 +0400
+
 jquery-minicolors (2.3.5+dfsg-3) unstable; urgency=medium
 
   [ Debian Janitor ]
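Review bot: "Closes: CVE-2021-32850" on the "Fix cross-site scripting issue" line does not follow the Debian changelog convention, where Closes: takes bug numbers (#NNNNNN) that the archive tooling parses to close BTS bugs; a CVE identifier there is ignored by that machinery. Suggest "* Fix cross-site scripting issue (CVE-2021-32850)" and, if a BTS bug exists for it, a separate "(Closes: #NNNNNN)".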
diff --git a/debian/control b/debian/control
index 3dcf29b..66693e1 100644
--- a/debian/control
+++ b/debian/control
@@ -4,7 +4,7 @@ Priority: optional
 Maintainer: Debian JavaScript Maintainers <pkg-javascript-devel at lists.alioth.debian.org>
 Uploaders: Yadd <yadd at debian.org>
 Build-Depends: debhelper-compat (= 13), uglifyjs
-Standards-Version: 4.6.0
+Standards-Version: 4.6.2
 Homepage: https://github.com/jquery-minicolors
 Vcs-Git: https://salsa.debian.org/js-team/jquery-minicolors.git
 Vcs-Browser: https://salsa.debian.org/js-team/jquery-minicolors
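Review bot: the Standards-Version bump 4.6.0 -> 4.6.2 is unrelated to the CVE fix this unblock is requested for; freeze unblocks are normally expected to carry only the targeted change, so consider dropping this hunk (or call it out explicitly in the request as a no-code-change metadata update so the release team can judge it).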
diff --git a/debian/patches/CVE-2021-32850.patch b/debian/patches/CVE-2021-32850.patch
new file mode 100644
index 0000000..5e54e6d
--- /dev/null
+++ b/debian/patches/CVE-2021-32850.patch
@@ -0,0 +1,21 @@
+Description: fix XSS vuln
+Author: Cory LaViska <cory at abeautifulsite.net>
+Origin: upstream, https://github.com/claviska/jquery-minicolors/commit/ef134824
+Bug: https://securitylab.github.com/advisories/GHSL-2021-1045_jQuery_MiniColors_Plugin/
+Forwarded: not-needed
+Applied-Upstream: 2.3.6, commit:ef134824
+Reviewed-By: Yadd <yadd at debian.org>
+Last-Update: 2023-05-31
+
+--- a/jquery.minicolors.js
++++ b/jquery.minicolors.js
+@@ -226,7 +226,8 @@
+         }
+         swatchString = swatch;
+         swatch = isRgb(swatch) ? parseRgb(swatch, true) : hex2rgb(parseHex(swatch, true));
+-        $('<li class="minicolors-swatch minicolors-sprite"><span class="minicolors-swatch-color" title="' + name + '"></span></li>')
++        $('<li class="minicolors-swatch minicolors-sprite"><span class="minicolors-swatch-color"></span></li>')
++          .attr("title", name)
+           .appendTo(swatches)
+           .data('swatch-color', swatchString)
+           .find('.minicolors-swatch-color')
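Review bot: the fix is sound: the swatch `name` is no longer concatenated into the HTML string passed to `$()` (where it was parsed as markup, the XSS sink) but set afterwards through `.attr("title", name)`, which goes through the DOM attribute API and treats the value as plain text. Two follow-ups worth confirming in the upload: (1) the patch only touches jquery.minicolors.js, so the shipped minified copy must be regenerated from the patched source at build time (Build-Depends has uglifyjs, which suggests it is, but it should be verified rather than assumed); (2) the DEP-3 "Origin:" and "Applied-Upstream: 2.3.6, commit:ef134824" headers use a short commit id; a full hash would make the provenance unambiguous.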
diff --git a/debian/patches/series b/debian/patches/series
index 7ba3ddc..b5c3525 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1 +1,2 @@
 0001-Use-local-CSS-and-JavaScript-in-examples.patch
+CVE-2021-32850.patch