upload dojo
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Hello.
I've prepared a security update for dojo. Please review and
upload. Debdiff is attached. It's a trivial patch to escape quotes.
Thanks
Abhijith PA
diff -Nru dojo-1.10.2+dfsg/debian/changelog dojo-1.10.2+dfsg/debian/changelog
--- dojo-1.10.2+dfsg/debian/changelog 2014-10-20 18:38:48.000000000 +0200
+++ dojo-1.10.2+dfsg/debian/changelog 2018-09-03 08:47:12.000000000 +0200
@@ -1,3 +1,11 @@
+dojo (1.10.2+dfsg-1+deb8u1) jessie-security; urgency=medium
+
+ * Non-maintainer upload by the Debian LTS Team
+ * Fix CVE-2018-15494: unescaped string injection in dojox/Grid/DataGrid
+ (Closes: #906540)
+
+ -- Abhijith PA <abhijith@disroot.org> Mon, 03 Sep 2018 12:17:12 +0530
+
dojo (1.10.2+dfsg-1) unstable; urgency=medium
[ Colin Snover ]
diff -Nru dojo-1.10.2+dfsg/debian/patches/CVE-2018-15494.patch dojo-1.10.2+dfsg/debian/patches/CVE-2018-15494.patch
--- dojo-1.10.2+dfsg/debian/patches/CVE-2018-15494.patch 1970-01-01 01:00:00.000000000 +0100
+++ dojo-1.10.2+dfsg/debian/patches/CVE-2018-15494.patch 2018-09-03 08:47:12.000000000 +0200
@@ -0,0 +1,22 @@
+Description: CVE-2018-15494
+ Escape the quotes to avoid injection in dojox/Grid/DataGrid.
+
+---
+Author: Abhijith PA <abhijith@disroot.org>
+Origin: https://github.com/dojo/dojox/pull/283/files/e92ee87750af8fbc7e474bb8e8661821aa9f88fa
+Bug-Debian: https://bugs.debian.org/906540
+Last-Update: 2018-09-03
+
+--- dojo-1.10.2+dfsg.orig/dojox/grid/cells/_base.js
++++ dojo-1.10.2+dfsg/dojox/grid/cells/_base.js
+@@ -329,6 +329,10 @@ define([
+ keyFilter: null,
+ formatEditing: function(inDatum, inRowIndex){
+ this.needFormatNode(inDatum, inRowIndex);
++ if (inDatum && inDatum.replace) {
++ // escape quotes to avoid XSS
++ inDatum = inDatum.replace(/"/g, '"')
++ }
+ return '<input class="dojoxGridInput" type="text" value="' + inDatum + '">';
+ },
+ formatNode: function(inNode, inDatum, inRowIndex){
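Review bot: as displayed, the added line `inDatum = inDatum.replace(/"/g, '"')` replaces a double quote with a double quote and is therefore a no-op; the upstream change this patch cites (dojo/dojox pull 283) replaces `"` with the HTML entity `&quot;`, and the entity has most likely been rendered back to a literal quote when the debdiff was shown here. Before uploading, confirm that the file on disk really contains the entity (after `quilt push`, `grep -n '&quot;' dojox/grid/cells/_base.js`) and that a `"` in cell data can no longer terminate the `value="..."` attribute of the generated editor input. Two smaller points: the new statement lacks a terminating semicolon (`inDatum = inDatum.replace(/"/g, '&quot;');`), and since this is a backport of an upstream commit, the DEP-3 `Author:` field should name the upstream author with `Origin: backport, <url>`, leaving your own attribution to the changelog. Note also that only `"` is escaped: that is enough to keep data from breaking out of the double-quoted attribute, but an `&` in cell data will still be parsed as the start of an entity when the editor is rendered, which is a fidelity issue rather than a security one.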
diff -Nru dojo-1.10.2+dfsg/debian/patches/series dojo-1.10.2+dfsg/debian/patches/series
--- dojo-1.10.2+dfsg/debian/patches/series 2014-10-20 18:33:56.000000000 +0200
+++ dojo-1.10.2+dfsg/debian/patches/series 2018-09-03 08:47:12.000000000 +0200
@@ -1 +1,2 @@
0001-Use-nodejs-instead-of-node.patch
+CVE-2018-15494.patch