
jquery / CVE-2019-11358



The patch seems simple enough (see attached).

Unfortunately, the minification that happens during the build is just a
little bit too efficient for my liking. Sure, a 1-byte output is very
efficient.

dh_auto_build
make[1]: Entering directory '/<<BUILDDIR>>/jquery-1.7.2+dfsg'
Building ./dist/jquery.js
Minifying jQuery ./dist/jquery.min.js
jQuery Size - compared to last make
  252945      (-) jquery.js
       1      (-) jquery.min.js
      35      (-) jquery.min.js.gz
jQuery build complete.
make[1]: Leaving directory '/<<BUILDDIR>>/jquery-1.7.2+dfsg'

drwxr-xr-x root/root         0 2019-05-02 06:36 ./
drwxr-xr-x root/root         0 2019-05-02 06:36 ./usr/
drwxr-xr-x root/root         0 2019-05-02 06:36 ./usr/share/
drwxr-xr-x root/root         0 2019-05-02 06:36 ./usr/share/doc/
drwxr-xr-x root/root         0 2019-05-02 06:36 ./usr/share/doc/libjs-jquery/
-rw-r--r-- root/root      1113 2014-08-26 19:18 ./usr/share/doc/libjs-jquery/README.Debian
-rw-r--r-- root/root      2583 2019-05-01 07:38 ./usr/share/doc/libjs-jquery/changelog.Debian.gz
-rw-r--r-- root/root      3808 2014-08-26 19:18 ./usr/share/doc/libjs-jquery/copyright
drwxr-xr-x root/root         0 2019-05-02 06:36 ./usr/share/javascript/
drwxr-xr-x root/root         0 2019-05-02 06:36 ./usr/share/javascript/jquery/
-rw-r--r-- root/root    252945 2019-05-02 06:36 ./usr/share/javascript/jquery/jquery.js
lrwxrwxrwx root/root         0 2019-05-02 06:36 ./usr/share/javascript/jquery/jquery.lite.js -> jquery.min.js
-rw-r--r-- root/root         1 2019-05-02 06:36 ./usr/share/javascript/jquery/jquery.min.js
lrwxrwxrwx root/root         0 2019-05-02 06:36 ./usr/share/javascript/jquery/jquery.pack.js -> jquery.min.js
-rw-r--r-- root/root         5 2012-05-23 00:49 ./usr/share/javascript/jquery/version.txt

To me it looks like something might have silently failed. Joy!

Will try to find out what happened.
-- 
Brian May <brian@linuxpenguins.xyz>
https://linuxpenguins.xyz/brian/
diff -Nru jquery-1.7.2+dfsg/debian/changelog jquery-1.7.2+dfsg/debian/changelog
--- jquery-1.7.2+dfsg/debian/changelog	2014-08-29 19:44:08.000000000 +1000
+++ jquery-1.7.2+dfsg/debian/changelog	2019-05-01 17:38:43.000000000 +1000
@@ -1,3 +1,11 @@
+jquery (1.7.2+dfsg-3.2+deb8u6) jessie-security; urgency=high
+
+  * Non-maintainer upload by the LTS Team.
+  * Fix CVE-2019-11358, jQuery.extend could be used to pollute the native
+    Object.prototype.
+
+ -- Brian May <bam@debian.org>  Wed, 01 May 2019 17:38:43 +1000
+
 jquery (1.7.2+dfsg-3.2) unstable; urgency=medium
 
   * Non-maintainer upload.
diff -Nru jquery-1.7.2+dfsg/debian/patches/CVE-2019-11358.patch jquery-1.7.2+dfsg/debian/patches/CVE-2019-11358.patch
--- jquery-1.7.2+dfsg/debian/patches/CVE-2019-11358.patch	1970-01-01 10:00:00.000000000 +1000
+++ jquery-1.7.2+dfsg/debian/patches/CVE-2019-11358.patch	2019-05-01 17:35:51.000000000 +1000
@@ -0,0 +1,13 @@
+--- a/src/core.js
++++ b/src/core.js
+@@ -334,8 +334,9 @@
+ 				src = target[ name ];
+ 				copy = options[ name ];
+ 
++				// Prevent Object.prototype pollution
+ 				// Prevent never-ending loop
+-				if ( target === copy ) {
++				if ( name === "__proto__" || target === copy ) {
+ 					continue;
+ 				}
+ 
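Review bot: The new guard `if ( name === "__proto__" || target === copy ) {` sits under two stacked comments that do not say which condition each one explains, and the patch file itself opens directly at `--- a/src/core.js` with no DEP-3 header. I would replace the two comment lines with `// Skip "__proto__" keys (Object.prototype pollution, CVE-2019-11358) and self-references (never-ending loop)`, and add `Description:` and `Origin:` fields at the top of the patch pointing at the upstream change (`<upstream-commit-url>`), so a later LTS reviewer can compare the backport with upstream. The patch also carries no regression check; a small test that a deep `jQuery.extend` of parsed JSON containing a `__proto__` key leaves `Object.prototype` unchanged would confirm the guard is present in what actually gets built. The enclosing loop in `jQuery.extend` starts and ends outside the hunk, so the rest of the copy logic is not visible here.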
diff -Nru jquery-1.7.2+dfsg/debian/patches/series jquery-1.7.2+dfsg/debian/patches/series
--- jquery-1.7.2+dfsg/debian/patches/series	2014-08-27 05:18:32.000000000 +1000
+++ jquery-1.7.2+dfsg/debian/patches/series	2019-05-01 17:33:37.000000000 +1000
@@ -1 +1,2 @@
 build.patch
+CVE-2019-11358.patch
