
Bug#927807: marked as done (unblock: node-jquery/2.2.4+dfsg-4)



Your message dated Tue, 23 Apr 2019 17:42:00 +0000
with message-id <d327a05e-835a-542a-b8c1-d060da8cf6a4@thykier.net>
and subject line Re: Bug#927807: unblock: node-jquery/2.2.4+dfsg-4
has caused the Debian Bug report #927807,
regarding unblock: node-jquery/2.2.4+dfsg-4
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
927807: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=927807
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package node-jquery

Hi all,

node-jquery is vulnerable to prototype pollution (same as #927385 for
jQuery, already unblocked). I added the same patch and also changed:
  * Add upstream/metadata
  * Add homepage
  * Upgrade links to https
  * Fix prototype pollution vulnerability (Closes: #927466, CVE-2019-11358)
  * Add patch to make the build reproducible. Thanks to Chris Lamb
    (Closes: #886001)

Reverse dependencies:
 - node-jquery-ujs            (no reverse deps)
 - node-jquery-textcomplete   (no reverse deps)
 - rainloop (build dependency, no reverse deps)

Changes on installed files are just:

  diff -aburN /usr/lib/nodejs/jquery/dist.old/jquery.js /usr/lib/nodejs/jquery/dist/jquery.js
  --- /usr/lib/nodejs/jquery/dist.old/jquery.js   2018-06-20 16:22:11.000000000 +0200
  +++ /usr/lib/nodejs/jquery/dist/jquery.js       2019-04-23 18:12:00.000000000 +0200
  @@ -8,8 +8,6 @@
    * Copyright jQuery Foundation and other contributors
    * Released under the MIT license
    * http://jquery.org/license
  - *
  - * Date: 2018-06-20T15:30Z
    */
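Review bot: this first hunk is the effect of reproducible-build.patch, not of the security fix; the build stamp is dropped outright rather than replaced, so the shipped dist/jquery.js header no longer carries any date, which is worth stating in the unblock request so the two hunks are not read as one change.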
  
   (function( global, factory ) {
  @@ -210,7 +208,7 @@
                                  copy = options[ name ];
  
                                  // Prevent never-ending loop
  -                               if ( target === copy ) {
  +                               if ( name === "__proto__" || target === copy ) {
                                          continue;
                                  }
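Review bot: this is the dist/jquery.js copy of the src/core.js change, which confirms the source patch survived the build; the same `name === "__proto__"` check should also be confirmed in the minified jquery.min.js, since that is the file most consumers load and the request only says the minified and map files changed.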

and of course the minified/map files. So I think it is low risk to upgrade
node-jquery in Buster.

Cheers,
Xavier

unblock node-jquery/2.2.4+dfsg-4
diff --git a/debian/changelog b/debian/changelog
index aedbd29..e4608fc 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,15 @@
+node-jquery (2.2.4+dfsg-4) unstable; urgency=medium
+
+  * Team upload
+  * Add upstream/metadata
+  * Add homepage
+  * Upgrade links to https
+  * Fix prototype pollution vulnerability (Closes: #927466, CVE-2019-11358)
+  * Add patch to make the build reproducible. Thanks to Chris Lamb
+    (Closes: #886001)
+
+ -- Xavier Guimard <yadd@debian.org>  Tue, 23 Apr 2019 18:12:00 +0200
+
 node-jquery (2.2.4+dfsg-3) unstable; urgency=medium
 
   * Bump Standards-Version to 4.1.4 (no changes needed)
diff --git a/debian/control b/debian/control
index f7fa83b..0954117 100644
--- a/debian/control
+++ b/debian/control
@@ -17,6 +17,7 @@ Build-Depends: debhelper (>= 11~),
 Standards-Version: 4.1.4
 Vcs-Git: https://salsa.debian.org/js-team/node-jquery.git
 Vcs-Browser: https://salsa.debian.org/js-team/node-jquery
+Homepage: https://jquery.com/
 
 Package: node-jquery
 Architecture: all
diff --git a/debian/copyright b/debian/copyright
index 6d8eb44..8ea8dce 100644
--- a/debian/copyright
+++ b/debian/copyright
@@ -1,14 +1,14 @@
-Format: http://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
+Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
 Upstream-Name: jquery
 Upstream-Contact: https://github.com/jquery/jquery/issues
-Source: http://github.com/jquery/jquery
+Source: https://github.com/jquery/jquery
 Files-Excluded: dist external
 
 Files: *
 Copyright: © 2011, John Resig
  © 2011, The Dojo Foundation
 License: GPL-2+ or MIT
-Comment: includes Sizzle.js <http://sizzlejs.com/>, which is
+Comment: includes Sizzle.js <https://sizzlejs.com/>, which is
  © 2011, The Dojo Foundation, and is released under three licenses:
  GPL-2+, MIT or BSD. I'm including only the first two, since it
  complies with the rest of node-jquery code.
@@ -29,7 +29,7 @@ License: GPL-2+
  GNU General Public License for more details.
  .
  You should have received a copy of the GNU General Public License
- along with this program. If not, see <http://www.gnu.org/licenses/>
+ along with this program. If not, see <https://www.gnu.org/licenses/>
  .
  On Debian systems, the complete text of the GNU General
  Public License version 2 can be found in "/usr/share/common-licenses/GPL-2".
diff --git a/debian/patches/CVE-2019-11358.diff b/debian/patches/CVE-2019-11358.diff
new file mode 100644
index 0000000..9188a95
--- /dev/null
+++ b/debian/patches/CVE-2019-11358.diff
@@ -0,0 +1,20 @@
+Description: Fix prototype Pollution vulnerability
+Author: Michał Gołębiowski-Owczarek <https://github.com/mgol>
+Origin: upstream, https://github.com/jquery/jquery/commit/753d591aea698e57d6db58c9f722cd0808619b1b
+Bug: https://github.com/jquery/jquery/pull/4333
+Bug-Debian: https://bugs.debian.org/927385
+Forwarded: not-needed
+Reviewed-By: Xavier Guimard <yadd@debian.org>
+Last-Update: 2019-04-23
+
+--- a/src/core.js
++++ b/src/core.js
+@@ -157,7 +157,7 @@
+ 				copy = options[ name ];
+ 
+ 				// Prevent never-ending loop
+-				if ( target === copy ) {
++				if ( name === "__proto__" || target === copy ) {
+ 					continue;
+ 				}
+ 
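Review bot: the Bug-Debian header points to #927385, the bug filed against the jquery source package, while the changelog closes #927466 for node-jquery; reference #927466 (or both) so the DEP-3 metadata matches the bug this upload fixes. The hunk itself matches the change shown in the installed-file diff above; the check matches only a key literally named `__proto__`, which is the own enumerable key that JSON-derived input carries, so the fix addresses the reported vector without changing how other keys are merged.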
diff --git a/debian/patches/reproducible-build.patch b/debian/patches/reproducible-build.patch
new file mode 100644
index 0000000..1994886
--- /dev/null
+++ b/debian/patches/reproducible-build.patch
@@ -0,0 +1,15 @@
+Description: Make the build reproducible
+Author: Chris Lamb <lamby@debian.org>
+Last-Update: 2018-01-01
+
+--- a/src/intro.js
++++ b/src/intro.js
+@@ -8,8 +8,6 @@
+  * Copyright jQuery Foundation and other contributors
+  * Released under the MIT license
+  * http://jquery.org/license
+- *
+- * Date: @DATE
+  */
+ 
+ (function( global, factory ) {
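Review bot: removing the `Date: @DATE` line is the simplest reproducible-build fix and avoids a stale stamp, but it means the shipped header now differs from an upstream-built file by these two lines; a one-line mention in the patch Description of why removal was chosen over substituting a fixed date would help the next maintainer.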
diff --git a/debian/patches/series b/debian/patches/series
index 4b2d73e..bdd8c35 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,2 +1,4 @@
 skip-modules.patch
 skip-gzip-js.patch
+CVE-2019-11358.diff
+reproducible-build.patch
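Review bot: the two new entries use different extensions (`CVE-2019-11358.diff` beside `reproducible-build.patch` and the existing `.patch` files); naming the security patch `CVE-2019-11358.patch` would keep the series consistent.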
diff --git a/debian/upstream/metadata b/debian/upstream/metadata
new file mode 100644
index 0000000..a65a92c
--- /dev/null
+++ b/debian/upstream/metadata
@@ -0,0 +1,7 @@
+---
+Archive: GitHub
+Bug-Database: https://github.com/jquery/jquery/issues
+Contact: https://github.com/jquery/jquery/issues
+Name: jquery
+Repository: https://github.com/jquery/jquery.git
+Repository-Browse: https://github.com/jquery/jquery

--- End Message ---
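As an added example, not code from node-jquery, jQuery or this bug report, here is a simplified re-implementation of the deep-extend loop that the patch above changes, run once without and once with the `__proto__` check. The `isPlainObject`, `deepExtend`, `ownProtoKey` and `demo` helpers and the `PAYLOAD` string are constructed for this illustration and are not jQuery's own; `isPlainObject` only mimics the property of jQuery's version that matters here (it accepts `Object.prototype` itself as a plain object).

```javascript
"use strict";

// Plain-object test close in spirit to jQuery.isPlainObject: an object
// created by {} or JSON.parse, or Object.prototype itself (whose own
// prototype is null). This is what lets the unpatched loop reach
// Object.prototype through target["__proto__"].
function isPlainObject(obj) {
  if (Object.prototype.toString.call(obj) !== "[object Object]") return false;
  const proto = Object.getPrototypeOf(obj);
  return proto === null || proto === Object.prototype;
}

// Simplified deep-extend loop modelled on the hunk in the diff above.
// guardProto=false reproduces the vulnerable behaviour; guardProto=true
// applies the one-line fix (skip a key literally named "__proto__").
function deepExtend(target, options, guardProto) {
  for (const name in options) {
    if (guardProto && name === "__proto__") continue; // the fix
    const src = target[name];  // for "__proto__" this is Object.prototype
    const copy = options[name];
    if (target === copy) continue;                    // never-ending loop guard
    if (copy && isPlainObject(copy)) {
      // Unpatched: src is Object.prototype and isPlainObject(src) is true,
      // so the recursion writes straight into Object.prototype.
      const clone = src && isPlainObject(src) ? src : {};
      target[name] = deepExtend(clone, copy, guardProto);
    } else if (copy !== undefined) {
      target[name] = copy;
    }
  }
  return target;
}

// Constructed attacker input. JSON.parse creates "__proto__" as an own,
// enumerable key; an object literal {__proto__: ...} would instead set the
// prototype and produce no key at all, which is why matching on the key
// name is enough for JSON-derived input.
const PAYLOAD = '{"__proto__": {"isAdmin": true}}';

function ownProtoKey(obj) {
  return Object.prototype.hasOwnProperty.call(obj, "__proto__");
}

// Merge the payload into a fresh object and report whether an unrelated,
// freshly created object gained the injected property afterwards.
function demo(guardProto) {
  const untrusted = JSON.parse(PAYLOAD);
  const before = ({}).isAdmin;
  const merged = deepExtend({}, untrusted, guardProto);
  const after = ({}).isAdmin;
  delete Object.prototype.isAdmin; // undo pollution so runs are independent
  return {
    before,
    after,
    // The injected value never lands on the merge target itself.
    mergedHasOwnIsAdmin: Object.prototype.hasOwnProperty.call(merged, "isAdmin"),
  };
}

console.log("JSON.parse own __proto__ key:", ownProtoKey(JSON.parse(PAYLOAD)));
console.log("literal own __proto__ key:  ", ownProtoKey({ __proto__: {} }));
console.log("unpatched:", demo(false)); // after: true
console.log("patched:  ", demo(true));  // after: undefined
```

Run it with `node`. The unpatched run shows the point of the CVE: the merge target stays clean, but every object created afterwards reads `isAdmin` as true until the property is deleted from `Object.prototype`. The patched run skips the key before `target["__proto__"]` is ever read, so no recursion into `Object.prototype` happens.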
--- Begin Message ---
Xavier Guimard:
> Package: release.debian.org
> Severity: normal
> User: release.debian.org@packages.debian.org
> Usertags: unblock
> 
> Please unblock package node-jquery
> 
> Hi all,
> 
> node-jquery is vulnerable to prototype pollution (same as #927385 for
> jQuery, already unblocked). I added the same patch and also changed:
>   * Add upstream/metadata
>   * Add homepage
>   * Upgrade links to https
>   * Fix prototype pollution vulnerability (Closes: #927466, CVE-2019-11358)
>   * Add patch to make the build reproducible. Thanks to Chris Lamb
>     (Closes: #886001)
> 
> [...]
> 
> Cheers,
> Xavier
> 
> unblock node-jquery/2.2.4+dfsg-4
> 

Unblocked, thanks.
~Niels

--- End Message ---