jquery / CVE-2019-11358
The patch seems simple enough (see attached).
Unfortunately, the minimisation that happens during build is just a
little bit too efficient for my likes. Sure, 1 byte output is very
efficient.
dh_auto_build
make[1]: Entering directory '/<<BUILDDIR>>/jquery-1.7.2+dfsg'
Building ./dist/jquery.js
Minifying jQuery ./dist/jquery.min.js
jQuery Size - compared to last make
252945 (-) jquery.js
1 (-) jquery.min.js
35 (-) jquery.min.js.gz
jQuery build complete.
make[1]: Leaving directory '/<<BUILDDIR>>/jquery-1.7.2+dfsg'
drwxr-xr-x root/root 0 2019-05-02 06:36 ./
drwxr-xr-x root/root 0 2019-05-02 06:36 ./usr/
drwxr-xr-x root/root 0 2019-05-02 06:36 ./usr/share/
drwxr-xr-x root/root 0 2019-05-02 06:36 ./usr/share/doc/
drwxr-xr-x root/root 0 2019-05-02 06:36 ./usr/share/doc/libjs-jquery/
-rw-r--r-- root/root 1113 2014-08-26 19:18 ./usr/share/doc/libjs-jquery/README.Debian
-rw-r--r-- root/root 2583 2019-05-01 07:38 ./usr/share/doc/libjs-jquery/changelog.Debian.gz
-rw-r--r-- root/root 3808 2014-08-26 19:18 ./usr/share/doc/libjs-jquery/copyright
drwxr-xr-x root/root 0 2019-05-02 06:36 ./usr/share/javascript/
drwxr-xr-x root/root 0 2019-05-02 06:36 ./usr/share/javascript/jquery/
-rw-r--r-- root/root 252945 2019-05-02 06:36 ./usr/share/javascript/jquery/jquery.js
lrwxrwxrwx root/root 0 2019-05-02 06:36 ./usr/share/javascript/jquery/jquery.lite.js -> jquery.min.js
-rw-r--r-- root/root 1 2019-05-02 06:36 ./usr/share/javascript/jquery/jquery.min.js
lrwxrwxrwx root/root 0 2019-05-02 06:36 ./usr/share/javascript/jquery/jquery.pack.js -> jquery.min.js
-rw-r--r-- root/root 5 2012-05-23 00:49 ./usr/share/javascript/jquery/version.txt
To me it looks like something might have silently failed. Joy!
Will try to find out what happened.
--
Brian May <brian@linuxpenguins.xyz>
https://linuxpenguins.xyz/brian/
diff -Nru jquery-1.7.2+dfsg/debian/changelog jquery-1.7.2+dfsg/debian/changelog
--- jquery-1.7.2+dfsg/debian/changelog 2014-08-29 19:44:08.000000000 +1000
+++ jquery-1.7.2+dfsg/debian/changelog 2019-05-01 17:38:43.000000000 +1000
@@ -1,3 +1,11 @@
+jquery (1.7.2+dfsg-3.2+deb8u6) jessie-security; urgency=high
+
+ * Non-maintainer upload by the LTS Team.
+ * Fix CVE-2019-11358, jQuery.extend could be used to pollute the native
+ Object.prototype.
+
+ -- Brian May <bam@debian.org> Wed, 01 May 2019 17:38:43 +1000
+
jquery (1.7.2+dfsg-3.2) unstable; urgency=medium
* Non-maintainer upload.
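Review bot: The version in the new entry, 1.7.2+dfsg-3.2+deb8u6, sits directly above 1.7.2+dfsg-3.2 in this hunk, so the changelog has no +deb8u1 to +deb8u5 entries before it. Please confirm that +deb8u6 is the intended revision for jessie-security. The entry could also name the patch file it adds (debian/patches/CVE-2019-11358.patch) so the fix is easy to find from the changelog.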
diff -Nru jquery-1.7.2+dfsg/debian/patches/CVE-2019-11358.patch jquery-1.7.2+dfsg/debian/patches/CVE-2019-11358.patch
--- jquery-1.7.2+dfsg/debian/patches/CVE-2019-11358.patch 1970-01-01 10:00:00.000000000 +1000
+++ jquery-1.7.2+dfsg/debian/patches/CVE-2019-11358.patch 2019-05-01 17:35:51.000000000 +1000
@@ -0,0 +1,13 @@
+--- a/src/core.js
++++ b/src/core.js
+@@ -334,8 +334,9 @@
+ src = target[ name ];
+ copy = options[ name ];
+
++ // Prevent Object.prototype pollution
+ // Prevent never-ending loop
+- if ( target === copy ) {
++ if ( name === "__proto__" || target === copy ) {
+ continue;
+ }
+
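Review bot: The new debian/patches/CVE-2019-11358.patch starts directly at "--- a/src/core.js" with no header, so nothing in the package records where the fix comes from. Please add a short patch header (description, origin, CVE reference) above that line. In the inner hunk, the added comment "// Prevent Object.prototype pollution" is stacked on "// Prevent never-ending loop" over a single combined condition. One comment covering both cases, or two separate checks, would read more clearly. Since the mail reports jquery.min.js building to 1 byte, the guard should also be checked in the minified output once the build is fixed, not only in jquery.js.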
diff -Nru jquery-1.7.2+dfsg/debian/patches/series jquery-1.7.2+dfsg/debian/patches/series
--- jquery-1.7.2+dfsg/debian/patches/series 2014-08-27 05:18:32.000000000 +1000
+++ jquery-1.7.2+dfsg/debian/patches/series 2019-05-01 17:33:37.000000000 +1000
@@ -1 +1,2 @@
build.patch
+CVE-2019-11358.patch