angular.js / CVE-2019-14863
Here is my very simple patch to fix this issue.
diff -Nru angular.js-1.2.26/debian/changelog angular.js-1.2.26/debian/changelog
--- angular.js-1.2.26/debian/changelog 2014-10-08 05:41:25.000000000 +1100
+++ angular.js-1.2.26/debian/changelog 2019-11-11 17:39:43.000000000 +1100
@@ -1,3 +1,10 @@
+angular.js (1.2.26-1+deb8u1) jessie-security; urgency=high
+
+ * Non-maintainer upload by the LTS Team.
+ * Fix CVE-2019-14863: properly sanitize xlink:href attribute interoplation.
+
+ -- Brian May <bam@debian.org> Mon, 11 Nov 2019 17:39:43 +1100
+
angular.js (1.2.26-1) unstable; urgency=low
* New upstream release.
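Review bot: the changelog bullet "+ * Fix CVE-2019-14863: properly sanitize xlink:href attribute interoplation." carries a typo ("interoplation" for "interpolation") that will be frozen into the published changelog and the DLA text; correct it before upload, as the author notes below he intends to.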
diff -Nru angular.js-1.2.26/debian/patches/CVE-2019-14863.patch angular.js-1.2.26/debian/patches/CVE-2019-14863.patch
--- angular.js-1.2.26/debian/patches/CVE-2019-14863.patch 1970-01-01 10:00:00.000000000 +1000
+++ angular.js-1.2.26/debian/patches/CVE-2019-14863.patch 2019-11-11 17:39:43.000000000 +1100
@@ -0,0 +1,11 @@
+--- a/src/ng/compile.js
++++ b/src/ng/compile.js
+@@ -748,7 +748,7 @@
+ nodeName = nodeName_(this.$$element);
+
+ // sanitize a[href] and img[src] values
+- if ((nodeName === 'A' && key === 'href') ||
++ if ((nodeName === 'A' && (key === 'href' || key === 'xlinkHref')) ||
+ (nodeName === 'IMG' && key === 'src')) {
+ this[key] = value = $$sanitizeUri(value, key === 'src');
+ }
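Review bot: the new debian/patches/CVE-2019-14863.patch starts directly at "+--- a/src/ng/compile.js" with no DEP-3 header; add at least Description:, Origin: (the upstream commit this backports) and Bug-Debian:/CVE reference lines so the provenance of the backport is recorded in the patch itself. The code change matches the upstream fix in shape (the `$set` check for `nodeName === 'A'` now also routes the normalized `xlinkHref` key through `$$sanitizeUri`, with `key === 'src'` false so the href sanitization whitelist applies), but the backport carries no accompanying unit test for an interpolated `xlink:href`, so the fix is unverified by the test suite in this package.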
diff -Nru angular.js-1.2.26/debian/patches/series angular.js-1.2.26/debian/patches/series
--- angular.js-1.2.26/debian/patches/series 1970-01-01 10:00:00.000000000 +1000
+++ angular.js-1.2.26/debian/patches/series 2019-11-11 17:39:43.000000000 +1100
@@ -0,0 +1 @@
+CVE-2019-14863.patch
I noticed I didn't spell interpolation correctly, probably an error from
the CVE; I have fixed that.
--
Brian May <bam@debian.org>