
upload dojo



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Hello.

I've prepared a security update for dojo. Please review and
upload. The debdiff is attached. It's a trivial patch that escapes double quotes before the cell value is interpolated into an HTML attribute.


Thanks
Abhijith PA
-----BEGIN PGP SIGNATURE-----
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=vMWk
-----END PGP SIGNATURE-----
diff -Nru dojo-1.10.2+dfsg/debian/changelog dojo-1.10.2+dfsg/debian/changelog
--- dojo-1.10.2+dfsg/debian/changelog	2014-10-20 18:38:48.000000000 +0200
+++ dojo-1.10.2+dfsg/debian/changelog	2018-09-03 08:47:12.000000000 +0200
@@ -1,3 +1,11 @@
+dojo (1.10.2+dfsg-1+deb8u1) jessie-security; urgency=medium
+
+  * Non-maintainer upload by the Debian LTS Team
+  * Fix CVE-2018-15494: unescaped string injection in dojox/Grid/DataGrid
+    (Closes: #906540)
+
+ -- Abhijith PA <abhijith@disroot.org>  Mon, 03 Sep 2018 12:17:12 +0530
+
 dojo (1.10.2+dfsg-1) unstable; urgency=medium
 
   [ Colin Snover ]
diff -Nru dojo-1.10.2+dfsg/debian/patches/CVE-2018-15494.patch dojo-1.10.2+dfsg/debian/patches/CVE-2018-15494.patch
--- dojo-1.10.2+dfsg/debian/patches/CVE-2018-15494.patch	1970-01-01 01:00:00.000000000 +0100
+++ dojo-1.10.2+dfsg/debian/patches/CVE-2018-15494.patch	2018-09-03 08:47:12.000000000 +0200
@@ -0,0 +1,22 @@
+Description: CVE-2018-15494
+ Escape the quotes to avoid injection in dojox/Grid/DataGrid.
+
+---
+Author: Abhijith PA <abhijith@disroot.org>
+Origin: https://github.com/dojo/dojox/pull/283/files/e92ee87750af8fbc7e474bb8e8661821aa9f88fa
+Bug-Debian: https://bugs.debian.org/906540
+Last-Update: 2018-09-03
+
+--- dojo-1.10.2+dfsg.orig/dojox/grid/cells/_base.js
++++ dojo-1.10.2+dfsg/dojox/grid/cells/_base.js
+@@ -329,6 +329,10 @@ define([
+ 		keyFilter: null,
+ 		formatEditing: function(inDatum, inRowIndex){
+ 			this.needFormatNode(inDatum, inRowIndex);
++			if (inDatum && inDatum.replace) {
++				// escape quotes to avoid XSS
++				inDatum = inDatum.replace(/"/g, '&quot;')
++			}
+ 			return '<input class="dojoxGridInput" type="text" value="' + inDatum + '">';
+ 		},
+ 		formatNode: function(inNode, inDatum, inRowIndex){
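Review bot: The added escape on the `inDatum.replace(/"/g, '&quot;')` line only neutralises `"`, so `&` in the datum is passed through unescaped and a value that already contains entity text such as `&amp;` or `&quot;` is decoded by the browser inside the attribute, changing the round-tripped cell value. Since the value sits in a double-quoted attribute, replacing `"` is what stops attribute break-out, but the usual attribute escape also replaces `&` first: `inDatum = inDatum.replace(/&/g, '&amp;').replace(/"/g, '&quot;');` (the statement is also missing its terminating semicolon). The `inDatum && inDatum.replace` guard skips non-string datums, which is presumably fine for numbers but worth confirming for any object datums the grid accepts. `formatEditing` is fully inside the hunk; the enclosing `define([` object literal continues outside it.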
diff -Nru dojo-1.10.2+dfsg/debian/patches/series dojo-1.10.2+dfsg/debian/patches/series
--- dojo-1.10.2+dfsg/debian/patches/series	2014-10-20 18:33:56.000000000 +0200
+++ dojo-1.10.2+dfsg/debian/patches/series	2018-09-03 08:47:12.000000000 +0200
@@ -1 +1,2 @@
 0001-Use-nodejs-instead-of-node.patch
+CVE-2018-15494.patch
