
Bug#927422: stretch-pu: package jquery/3.1.1-2+deb9u1
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian.org@packages.debian.org
Usertags: pu

Hi all,

I fixed the https://snyk.io/vuln/SNYK-JS-JQUERY-174006 vulnerability for
Buster. Here is the fix for Stretch. It just avoids Object.prototype
pollution without changing behavior. Could you insert it in the next stretch
update?

Cheers,
Xavier

-- System Information:
Debian Release: buster/sid
  APT prefers testing
  APT policy: (600, 'testing'), (50, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.14.0-3-amd64 (SMP w/2 CPU cores)
Kernel taint flags: TAINT_WARN
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE= (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
diff --git a/debian/changelog b/debian/changelog
index b6049732..2f6fc66f 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,12 @@
+jquery (3.1.1-2+deb9u1) stretch; urgency=high
+
+  * Team upload
+  * Add patch to prevent Object.prototype pollution (Closes: #927385)
+  * Disable check-against-upstream-build test (autopkgtest) since file is now
+    patched
+
+ -- Xavier Guimard <yadd@debian.org>  Thu, 18 Apr 2019 22:57:29 +0200
+
 jquery (3.1.1-2) unstable; urgency=medium
 
   * debian/rules: adapt path to r.js after a change in nodejs-requirejs
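Review bot: The new changelog entry names neither the Snyk id nor a CVE, so the security fix cannot be traced from the changelog alone; since the patch file is already called SNYK-JS-JQUERY-174006.diff, add that identifier to the "* Add patch to prevent Object.prototype pollution (Closes: #927385)" line. The bullet disabling check-against-upstream-build also records a loss of coverage without naming what replaces it.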
diff --git a/debian/patches/SNYK-JS-JQUERY-174006.diff b/debian/patches/SNYK-JS-JQUERY-174006.diff
new file mode 100644
index 00000000..a4f80b6a
--- /dev/null
+++ b/debian/patches/SNYK-JS-JQUERY-174006.diff
@@ -0,0 +1,21 @@
+Description: Prevent Object.prototype pollution for $.extend( true, ... )
+Author: Xavier Guimard <yadd@debian.org>
+Origin: upstream, https://github.com/jquery/jquery/commit/753d591aea698e57d6db58c9f722cd0808619b1b
+Bug: https://github.com/jquery/jquery/pull/4333
+Bug-Debian: https://bugs.debian.org/927385
+Forwarded: not-needed
+Last-Update: 2019-04-18
+
+--- a/src/core.js
++++ b/src/core.js
+@@ -165,8 +165,9 @@
+ 				src = target[ name ];
+ 				copy = options[ name ];
+ 
++				// Prevent Object.prototype pollution
+ 				// Prevent never-ending loop
+-				if ( target === copy ) {
++				if ( name === "__proto__" || target === copy ) {
+ 					continue;
+ 				}
+ 
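Review bot: The Description line scopes the change to `$.extend( true, ... )`, but the new check is placed at the top of the per-key loop, immediately after `copy = options[ name ];` and sharing the existing never-ending-loop `continue`, so a `__proto__` key is now skipped before any deep-versus-shallow decision is made and plain `$.extend()` calls are affected as well; say so in Description so the full behaviour change is documented. The header fields are otherwise consistent with the changelog (Origin points at the upstream commit, Bug-Debian at #927385).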
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 00000000..1fc60af1
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1 @@
+SNYK-JS-JQUERY-174006.diff
diff --git a/debian/tests/control b/debian/tests/control
index 263ff2f0..08e26681 100644
--- a/debian/tests/control
+++ b/debian/tests/control
@@ -1,2 +1,2 @@
-Tests: check-against-upstream-build, check-minification
+Tests: check-minification
 Depends: @, wget, ca-certificates
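Review bot: Dropping check-against-upstream-build leaves check-minification as the only autopkgtest, and nothing now exercises the new guard; consider adding a small test that deep-extends an object containing a `__proto__` key against the built jquery.js and asserts that `Object.prototype` is untouched, so a future rebuild that loses the patch is caught instead of silently shipping the unpatched file.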

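To show what the one-line guard in the patch changes, here is an added example (not code from the patch, jQuery or Debian): a minimal deep merge shaped like the `src/core.js` loop above, with the `__proto__` skip behind an assumed `guardProto` flag so the unpatched and patched behaviour can be compared on the same input; `isPlainObject` and `mergeUntrusted` are hypothetical helpers written for this example.

```javascript
'use strict';

// Hypothetical helper approximating jQuery.isPlainObject for this example.
function isPlainObject(v) {
  if (v === null || typeof v !== 'object') return false;
  const proto = Object.getPrototypeOf(v);
  return proto === null || proto === Object.prototype;
}

// Deep merge of `options` into `target`, following the shape of the loop in
// src/core.js that the patch touches. `guardProto` (an assumption for this
// example) switches the patched check on or off.
function deepExtend(target, options, guardProto) {
  for (const name in options) {
    const src = target[name];
    const copy = options[name];

    // Patched line: skip a "__proto__" key so the recursion is never handed
    // Object.prototype as its target; the original loop guard stays.
    if ((guardProto && name === '__proto__') || target === copy) {
      continue;
    }

    if (copy && (isPlainObject(copy) || Array.isArray(copy))) {
      const clone = Array.isArray(copy)
        ? (Array.isArray(src) ? src : [])
        : (src && isPlainObject(src) ? src : {});
      target[name] = deepExtend(clone, copy, guardProto);
    } else if (copy !== undefined) {
      target[name] = copy;
    }
  }
  return target;
}

// Merges untrusted JSON into a fresh object and reports whether
// Object.prototype picked up a "polluted" property; the property is removed
// again so the process is left clean for the next call.
function mergeUntrusted(json, guardProto) {
  const result = deepExtend({}, JSON.parse(json), guardProto);
  const polluted = Object.prototype.hasOwnProperty('polluted');
  delete Object.prototype.polluted;
  return { polluted, result };
}

// Constructed sample input: one normal setting plus a "__proto__" key,
// which JSON.parse creates as an ordinary own property.
const SAMPLE = '{"debug": true, "__proto__": {"polluted": true}}';
```

Without the guard the recursion writes through `target["__proto__"]` into `Object.prototype`; with it the key is simply ignored and the ordinary `debug` setting still merges.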