Re: jquery / CVE-2020-7656

To: "Brian May" <bam@debian.org>, debian-lts@lists.debian.org
Subject: Re: jquery / CVE-2020-7656
From: "Chris Lamb" <lamby@debian.org>
Date: Thu, 11 Jun 2020 06:15:08 -0000
Message-id: <[🔎] d9eb3cd5-6666-4f4f-b3cc-11a15997bc2b@www.fastmail.com>
In-reply-to: <[🔎] 87imfybof4.fsf@silverfish.pri>
References: <[🔎] 87blltciyw.fsf@silverfish.pri> <[🔎] 87imfybof4.fsf@silverfish.pri>

Hi Brian May,

> The simplest possible solution would be to update that regexp to allows
> white space in the closing tag.

I believe I addressed this in my initial triage of the issue. Quoting
from dla-needed.txt:

  NOTE: 20200606:                                   We could easily change the
  NOTE: 20200606: the rscript regex to also match the problematic whitespace, but
  NOTE: 20200606: this may not be complete as it does not do all the other checks
  NOTE: 20200606: and magic that parseHTML does (eg. hacking document.implementation)
  NOTE: 20200606: I do not know enough about this sanitisation and we don't want
  NOTE: 20200606: to be playing whack-a-mole here. (lamby)

You don't seem to address this concern which leaves open the
possibility that you did not see this or I did not communicate it
effectively enough. If the latter, please let me know how I could make my
language clearer.


Regards,

--
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      lamby@debian.org 🍥 chris-lamb.co.uk
       `-

Reply to:

Follow-Ups:
- Re: jquery / CVE-2020-7656
  - From: Brian May <bam@debian.org>

References:
- jquery / CVE-2020-7656
  - From: Brian May <brian@linuxpenguins.xyz>
- Re: jquery / CVE-2020-7656
  - From: Brian May <bam@debian.org>

Prev by Date: Re: unbound not supported
Next by Date: Re: jquery / CVE-2020-7656
Previous by thread: Re: jquery / CVE-2020-7656
Next by thread: Re: jquery / CVE-2020-7656
Index(es):
- Date
- Thread