Re: jquery / CVE-2019-11358
Brian May <bam@debian.org> writes:
> $ /usr/bin/uglifyjs --unsafe ./dist/jquery.js -v
Looks like that command reads from STDIN, not the specified file.
I have now changed the Makefile to use:
$ /usr/bin/uglifyjs --unsafe < ./dist/jquery.js
which appears to work.
Updated patch attached.
--
Brian May <bam@debian.org>
diff -Nru jquery-1.7.2+dfsg/debian/changelog jquery-1.7.2+dfsg/debian/changelog
--- jquery-1.7.2+dfsg/debian/changelog 2014-08-29 19:44:08.000000000 +1000
+++ jquery-1.7.2+dfsg/debian/changelog 2019-05-01 17:38:43.000000000 +1000
@@ -1,3 +1,11 @@
+jquery (1.7.2+dfsg-3.2+deb8u6) jessie-security; urgency=high
+
+ * Non-maintainer upload by the LTS Team.
+ * Fix CVE-2019-11358, jQuery.extend could be used to pollute the native
+ Object.prototype.
+
+ -- Brian May <bam@debian.org> Wed, 01 May 2019 17:38:43 +1000
+
jquery (1.7.2+dfsg-3.2) unstable; urgency=medium
* Non-maintainer upload.
diff -Nru jquery-1.7.2+dfsg/debian/patches/CVE-2019-11358.patch jquery-1.7.2+dfsg/debian/patches/CVE-2019-11358.patch
--- jquery-1.7.2+dfsg/debian/patches/CVE-2019-11358.patch 1970-01-01 10:00:00.000000000 +1000
+++ jquery-1.7.2+dfsg/debian/patches/CVE-2019-11358.patch 2019-05-01 17:38:43.000000000 +1000
@@ -0,0 +1,13 @@
+--- a/src/core.js
++++ b/src/core.js
+@@ -334,8 +334,9 @@
+ src = target[ name ];
+ copy = options[ name ];
+
++ // Prevent Object.prototype pollution
+ // Prevent never-ending loop
+- if ( target === copy ) {
++ if ( name === "__proto__" || target === copy ) {
+ continue;
+ }
+
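Review bot: The new patch file has no DEP-3 header, so a later LTS uploader cannot tell where the `__proto__` guard on the `if ( name === "__proto__" || target === copy )` line came from or whether it matches upstream; add `Description: Fix CVE-2019-11358: prevent jQuery.extend from polluting Object.prototype via a "__proto__" key`, `Origin: upstream, <upstream commit URL>` and `Bug-Debian: <bug number>` lines above `--- a/src/core.js` (the same applies to fix_uglify_invocation.patch in this upload). Because the hunk changes only src/core.js, the fix reaches the shipped dist/jquery.js and the minified `${JQ_MIN}` output only if the package build regenerates them from src, which appears to be what the Makefile change elsewhere in this upload is for; it would be worth confirming that the built files actually contain the new check. The enclosing jQuery.extend loop starts and ends outside the hunk.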
diff -Nru jquery-1.7.2+dfsg/debian/patches/fix_uglify_invocation.patch jquery-1.7.2+dfsg/debian/patches/fix_uglify_invocation.patch
--- jquery-1.7.2+dfsg/debian/patches/fix_uglify_invocation.patch 1970-01-01 10:00:00.000000000 +1000
+++ jquery-1.7.2+dfsg/debian/patches/fix_uglify_invocation.patch 2019-05-01 17:38:43.000000000 +1000
@@ -0,0 +1,11 @@
+--- a/Makefile
++++ b/Makefile
+@@ -96,7 +96,7 @@
+ ${JQ_MIN}: ${JQ}
+ @@if test ! -z ${JS_ENGINE}; then \
+ echo "Minifying jQuery" ${JQ_MIN}; \
+- ${COMPILER} ${JQ} > ${JQ_MIN}.tmp; \
++ ${COMPILER} < ${JQ} > ${JQ_MIN}.tmp; \
+ ${POST_COMPILER} ${JQ_MIN}.tmp; \
+ rm -f ${JQ_MIN}.tmp; \
+ else \
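Review bot: The changelog entry at the top of this upload mentions only the CVE fix, not this Makefile change, even though the `${COMPILER} < ${JQ} > ${JQ_MIN}.tmp` line is what makes the minified file get rebuilt at all; add a changelog line such as `* Fix uglifyjs invocation in Makefile so the minified file is regenerated during the build.` The redirect is only correct for a `${COMPILER}` that reads from standard input; where `${COMPILER}` and `${JS_ENGINE}` are defined is outside the hunk, so if the build patch allows another engine that expects a file argument, that configuration would presumably now receive the file on stdin instead, which is worth checking. A one-line comment above the recipe, `# uglifyjs in this distro reads its input from stdin, not from a path argument`, would record why the redirect is there. The recipe continues past the end of the hunk.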
diff -Nru jquery-1.7.2+dfsg/debian/patches/series jquery-1.7.2+dfsg/debian/patches/series
--- jquery-1.7.2+dfsg/debian/patches/series 2014-08-27 05:18:32.000000000 +1000
+++ jquery-1.7.2+dfsg/debian/patches/series 2019-05-01 17:38:43.000000000 +1000
@@ -1 +1,3 @@
build.patch
+fix_uglify_invocation.patch
+CVE-2019-11358.patch