Bug#927422: stretch-pu: package jquery/3.1.1-2+deb9u1
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian.org@packages.debian.org
Usertags: pu
Hi all,
I fixed the https://snyk.io/vuln/SNYK-JS-JQUERY-174006 vulnerability for
Buster. Here is the fix for Stretch. It just avoids Object.prototype
pollution without changing behavior. Could you insert it in the next stretch
update?
Cheers,
Xavier
-- System Information:
Debian Release: buster/sid
APT prefers testing
APT policy: (600, 'testing'), (50, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.14.0-3-amd64 (SMP w/2 CPU cores)
Kernel taint flags: TAINT_WARN
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE= (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
diff --git a/debian/changelog b/debian/changelog
index b6049732..2f6fc66f 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,12 @@
+jquery (3.1.1-2+deb9u1) stretch; urgency=high
+
+ * Team upload
+ * Add patch to prevent Object.prototype pollution (Closes: #927385)
+ * Disable check-against-upstream-build test (autopkgtest) since file is now
+ patched
+
+ -- Xavier Guimard <yadd@debian.org> Thu, 18 Apr 2019 22:57:29 +0200
+
jquery (3.1.1-2) unstable; urgency=medium
* debian/rules: adapt path to r.js after a change in nodejs-requirejs
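Review bot: the changelog entry should name the vulnerability identifier it fixes, not only the Debian bug number, so the security tracker and users reading apt-listchanges can match this stretch update to the advisory; the patch file is already named after it, so the first item could read "* Add patch SNYK-JS-JQUERY-174006 to prevent Object.prototype pollution in $.extend(true, ...) (Closes: #927385)". The wrapped third item also loses its continuation indent (" patched" is flush with the bullet text), which is a lintian-visible formatting nit.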
diff --git a/debian/patches/SNYK-JS-JQUERY-174006.diff b/debian/patches/SNYK-JS-JQUERY-174006.diff
new file mode 100644
index 00000000..a4f80b6a
--- /dev/null
+++ b/debian/patches/SNYK-JS-JQUERY-174006.diff
@@ -0,0 +1,21 @@
+Description: Prevent Object.prototype pollution for $.extend( true, ... )
+Author: Xavier Guimard <yadd@debian.org>
+Origin: upstream, https://github.com/jquery/jquery/commit/753d591aea698e57d6db58c9f722cd0808619b1b
+Bug: https://github.com/jquery/jquery/pull/4333
+Bug-Debian: https://bugs.debian.org/927385
+Forwarded: not-needed
+Last-Update: 2019-04-18
+
+--- a/src/core.js
++++ b/src/core.js
+@@ -165,8 +165,9 @@
+ src = target[ name ];
+ copy = options[ name ];
+
++ // Prevent Object.prototype pollution
+ // Prevent never-ending loop
+- if ( target === copy ) {
++ if ( name === "__proto__" || target === copy ) {
+ continue;
+ }
+
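Review bot: the guard `name === "__proto__"` skips a source key of that name on both shallow and deep calls, which is the upstream behaviour from commit 753d591, but it does mean that `$.extend({}, {"__proto__": x})` now silently drops that key, so the cover message's claim of "without changing behavior" should be qualified in the changelog. Since this patch edits src/core.js while stretch ships a built file, please confirm the package build regenerates the distributed jquery.js from src (the rules entry mentioning r.js suggests it does), otherwise the fix never reaches the installed file.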
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 00000000..1fc60af1
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1 @@
+SNYK-JS-JQUERY-174006.diff
diff --git a/debian/tests/control b/debian/tests/control
index 263ff2f0..08e26681 100644
--- a/debian/tests/control
+++ b/debian/tests/control
@@ -1,2 +1,2 @@
-Tests: check-against-upstream-build, check-minification
+Tests: check-minification
Depends: @, wget, ca-certificates
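Review bot: dropping check-against-upstream-build leaves no autopkgtest that inspects the shipped build at all; rather than removing it, replace it with a test that asserts the backported guard is present in the installed file (for example grep for the `name === "__proto__"` check in the built jquery.js), so a future rebuild that silently loses the patch is caught. If wget and ca-certificates were only needed by the removed test, they can be dropped from Depends as well.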