Bug#927391: unblock: jquery/3.3.1_dfsg-2
Package: release.debian.org
Severity: normal
Tags: security
User: release.debian.org@packages.debian.org
Usertags: unblock
Please unblock package jquery
Hi all,
jquery is vulnerable to Object.prototype pollution (#927385). I imported
the upstream patch and just upgraded some links in debian files. This patch
does not change normal jQuery behavior but only fixes a security hole
considered "grave" by the Security team.
There is a lot of reverse dependencies of course (not listed here to
avoid mail pollution ;-)). Anyway, I think it is low risky to upgrade
jQuery in Buster.
Cheers,
Xavier
unblock jquery/3.3.1_dfsg-2
diff --git a/debian/changelog b/debian/changelog
index aed290ff..259a482a 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+jquery (3.3.1~dfsg-2) unstable; urgency=medium
+
+ * Team upload
+ * Add patch to prevent Object.prototype pollution (Closes: #927385)
+ * Upgrade links to https
+
+ -- Xavier Guimard <yadd@debian.org> Thu, 18 Apr 2019 22:34:14 +0200
+
jquery (3.3.1~dfsg-1) unstable; urgency=medium
* Team upload.
diff --git a/debian/control b/debian/control
index 9564aeff..126c17ca 100644
--- a/debian/control
+++ b/debian/control
@@ -13,7 +13,7 @@ Build-Depends:
nodejs,
pigz,
Standards-Version: 4.3.0
-Homepage: http://jquery.com/
+Homepage: https://jquery.com/
Vcs-Git: https://salsa.debian.org/js-team/jquery.git
Vcs-Browser: https://salsa.debian.org/js-team/jquery
Rules-Requires-Root: no
diff --git a/debian/copyright b/debian/copyright
index a89d1ef6..593fc38f 100644
--- a/debian/copyright
+++ b/debian/copyright
@@ -1,7 +1,7 @@
-Format: http://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
+Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
Upstream-Name: jQuery
-Source: http://jquery.com/
-Comment: For more details on developers please see http://docs.jquery.com/Contributors
+Source: https://jquery.com/
+Comment: For more details on developers please see https://docs.jquery.com/Contributors
Files-Excluded:
dist
external/npo
@@ -38,7 +38,7 @@ License: GPL-2
can be found in </usr/share/common-licenses/GPL-2>.
License: MIT
- Copyright (c) 2011 John Resig, http://jquery.com/
+ Copyright (c) 2011 John Resig, https://jquery.com/
.
Permission is hereby granted, free of charge,
to any person obtaining a copy
diff --git a/debian/patches/SNYK-JS-JQUERY-174006.diff b/debian/patches/SNYK-JS-JQUERY-174006.diff
new file mode 100644
index 00000000..5911b9d4
--- /dev/null
+++ b/debian/patches/SNYK-JS-JQUERY-174006.diff
@@ -0,0 +1,37 @@
+Description: Prevent Object.prototype pollution for $.extend( true, ... )
+Author: Xavier Guimard <yadd@debian.org>
+Origin: upstream, https://github.com/jquery/jquery/commit/753d591aea698e57d6db58c9f722cd0808619b1b
+Bug: https://github.com/jquery/jquery/pull/4333
+Bug-Debian: https://bugs.debian.org/927385
+Forwarded: not-needed
+Last-Update: 2019-04-18
+
+--- a/src/core.js
++++ b/src/core.js
+@@ -159,8 +159,9 @@
+ src = target[ name ];
+ copy = options[ name ];
+
++ // Prevent Object.prototype pollution
+ // Prevent never-ending loop
+- if ( target === copy ) {
++ if ( name === "__proto__" || target === copy ) {
+ continue;
+ }
+
+--- a/test/unit/core.js
++++ b/test/unit/core.js
+@@ -1061,6 +1061,13 @@
+ assert.ok( !Array.isArray( result.object ), "result.object wasn't paved with an empty array" );
+ } );
+
++QUnit.test( "jQuery.extend( true, ... ) Object.prototype pollution", function( assert ) {
++ assert.expect( 1 );
++
++ jQuery.extend( true, {}, JSON.parse( "{\"__proto__\": {\"devMode\": true}}" ) );
++ assert.ok( !( "devMode" in {} ), "Object.prototype not polluted" );
++} );
++
+ QUnit.test( "jQuery.each(Object,Function)", function( assert ) {
+ assert.expect( 23 );
+
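Review bot: The new QUnit test in the test/unit/core.js part of this patch relies on `JSON.parse` producing an own `"__proto__"` key, and nothing says so; an object literal `{ "__proto__": { devMode: true } }` would instead set the literal's prototype, and the assertion would pass without ever reaching the new guard. A comment above the `jQuery.extend( true, {}, JSON.parse( ... ) )` line, `// JSON.parse creates an own "__proto__" property; an object literal would only set the prototype`, would stop a later cleanup from turning it into a literal and silently hollowing out the test. In the src/core.js hunk the `name === "__proto__"` guard is placed in the per-key loop ahead of the `target === copy` check, so it appears to apply to shallow extend as well as deep, while the DEP-3 `Description:` mentions only `$.extend( true, ... )`; if that wider scope is intended it is worth a line in the Description. The enclosing jQuery.extend function starts and ends outside the hunk.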
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 00000000..1fc60af1
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1 @@
+SNYK-JS-JQUERY-174006.diff