Bug#952785: marked as done (buster-pu: package dojo/1.15.0+dfsg1-1+deb10u1)

["Debian Bug Tracking System" <owner@bugs.debian.org>]

Your message dated Sat, 09 May 2020 11:53:52 +0100
with message-id <fd7fa4d56896c35aab49a5a51cb69727dc60e87a.camel@adam-barratt.org.uk>
and subject line Closing requests included in 10.4 point release
has caused the Debian Bug report #952785,
regarding buster-pu: package dojo/1.15.0+dfsg1-1+deb10u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
952785: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=952785
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems

--- Begin Message ---

• To: Debian Bug Tracking System <submit@bugs.debian.org>
• Subject: buster-pu: package dojo/1.15.0+dfsg1-1+deb10u1
• From: Xavier Guimard <yadd@debian.org>
• Date: Sat, 29 Feb 2020 09:10:51 +0100
• Message-id: <158296385177.614479.13738069338817750577.reportbug@deb007.xnr.fr>

Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu

Hi,

dojo is vulnerable to Cross-site Scripting. This is due to
dojox.xmpp.util.xmlEncode only encoding the first occurrence of each
character, not all of them.

This upstream patch fixes this issue

Cheers,
Xavier

diff --git a/debian/changelog b/debian/changelog
index 14447b52..0e5dc462 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+dojo (1.15.0+dfsg1-1+deb10u1) buster; urgency=medium
+
+  * Team upload
+  * Cleanup improper regex usage (Closes: #952771, 2019, 10785)
+
+ -- Xavier Guimard <yadd@debian.org>  Sat, 29 Feb 2020 09:07:02 +0100
+
 dojo (1.15.0+dfsg1-1) unstable; urgency=medium
 
   * New upstream version :
diff --git a/debian/patches/CVE-2019-10785.patch b/debian/patches/CVE-2019-10785.patch
new file mode 100644
index 00000000..67ab40f2
--- /dev/null
+++ b/debian/patches/CVE-2019-10785.patch
@@ -0,0 +1,45 @@
+Description: Cleanup improper regex usage
+Author: Paul <paul@sitepen.com>
+Origin: upstream, https://github.com/dojo/dojox/pull/317
+Bug: https://github.com/dojo/dojox/pull/315
+Bug-Debian: https://bugs.debian.org/952771
+Forwarded: not-needed
+Reviewed-By: Xavier Guimard <yadd@debian.org>
+Last-Update: 2020-02-29
+
+--- a/dojox/dtl/dom.js
++++ b/dojox/dtl/dom.js
+@@ -94,7 +94,7 @@ define([
+ 										var replacement = "";
+ 										for(var p = 2, pl = pair.length; p < pl; p++){
+ 											if(p == 2){
+-												replacement += "<" + tag + ' dtlinstruction="{% ' + token[k].replace('"', '\\"') + ' %}">';
++												replacement += "<" + tag + ' dtlinstruction="{% ' + token[k].replace(/"/g, '\\"') + ' %}">';
+ 											}else if(tag == pair[p]) {
+ 												continue;
+ 											}else{
+--- a/dojox/widget/RollingList.js
++++ b/dojox/widget/RollingList.js
+@@ -1050,7 +1050,7 @@ dojo.declare("dojox.widget.RollingList",
+ 			widgetItem.store = this.store;
+ 			widgetItem.item = item;
+ 			if(!widgetItem.label){
+-				widgetItem.attr("label", this.store.getLabel(item).replace(/</,"&lt;"));
++				widgetItem.attr("label", this.store.getLabel(item).replace(/</g,"&lt;"));
+ 			}
+ 			if(widgetItem.focusNode){
+ 				var self = this;
+--- a/dojox/xmpp/util.js
++++ b/dojox/xmpp/util.js
+@@ -3,10 +3,7 @@ dojo.require("dojox.string.Builder");
+ dojo.require("dojox.encoding.base64");
+ 
+ dojox.xmpp.util.xmlEncode = function(str) {
+-	if(str) {
+-		str = str.replace("&", "&amp;").replace(">", "&gt;").replace("<", "&lt;").replace("'", "&apos;").replace('"', "&quot;");
+-	}
+-	return str;
++	return dojo.string.escape(str);
+ };
+ 
+ dojox.xmpp.util.encodeJid = function(jid) {
diff --git a/debian/patches/series b/debian/patches/series
index f39e7f29..6051ed59 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,3 +1,4 @@
 0001-Compatibility-patch-for-newer-rhino.patch
 0002-Do-notrun-test-suite-in-build.patch
 0003-Disable-flash-storage.patch
+#CVE-2019-10785.patch

--- End Message ---

--- Begin Message ---

• To: 932251-done@bugs.debian.org, 933839-done@bugs.debian.org, 939120-done@bugs.debian.org, 942520-done@bugs.debian.org, 943889-done@bugs.debian.org, 947102-done@bugs.debian.org, 947142-done@bugs.debian.org, 947172-done@bugs.debian.org, 947442-done@bugs.debian.org, 948333-done@bugs.debian.org, 948381-done@bugs.debian.org, 948786-done@bugs.debian.org, 948855-done@bugs.debian.org, 949113-done@bugs.debian.org, 949702-done@bugs.debian.org, 949890-done@bugs.debian.org, 949891-done@bugs.debian.org, 949897-done@bugs.debian.org, 949921-done@bugs.debian.org, 950104-done@bugs.debian.org, 950105-done@bugs.debian.org, 950478-done@bugs.debian.org, 950546-done@bugs.debian.org, 950547-done@bugs.debian.org, 950655-done@bugs.debian.org, 950765-done@bugs.debian.org, 950773-done@bugs.debian.org, 950795-done@bugs.debian.org, 950854-done@bugs.debian.org, 950918-done@bugs.debian.org, 951146-done@bugs.debian.org, 951399-done@bugs.debian.org, 951563-done@bugs.debian.org, 951761-done@bugs.debian.org, 951769-done@bugs.debian.org, 951871-done@bugs.debian.org, 952414-done@bugs.debian.org, 952441-done@bugs.debian.org, 952586-done@bugs.debian.org, 952785-done@bugs.debian.org, 953005-done@bugs.debian.org, 953124-done@bugs.debian.org, 953246-done@bugs.debian.org, 953647-done@bugs.debian.org, 953737-done@bugs.debian.org, 953797-done@bugs.debian.org, 954001-done@bugs.debian.org, 954073-done@bugs.debian.org, 954269-done@bugs.debian.org, 954398-done@bugs.debian.org, 954404-done@bugs.debian.org, 954714-done@bugs.debian.org, 954757-done@bugs.debian.org, 954835-done@bugs.debian.org, 954838-done@bugs.debian.org, 954862-done@bugs.debian.org, 954985-done@bugs.debian.org, 955395-done@bugs.debian.org, 955410-done@bugs.debian.org, 955508-done@bugs.debian.org, 955509-done@bugs.debian.org, 955510-done@bugs.debian.org, 955547-done@bugs.debian.org, 955860-done@bugs.debian.org, 956155-done@bugs.debian.org, 956216-done@bugs.debian.org, 956315-done@bugs.debian.org, 956533-done@bugs.debian.org, 956535-done@bugs.debian.org, 956536-done@bugs.debian.org, 956801-done@bugs.debian.org, 956861-done@bugs.debian.org, 956890-done@bugs.debian.org, 956913-done@bugs.debian.org, 956932-done@bugs.debian.org, 958053-done@bugs.debian.org, 958141-done@bugs.debian.org, 958173-done@bugs.debian.org, 958395-done@bugs.debian.org, 958399-done@bugs.debian.org, 958489-done@bugs.debian.org, 958490-done@bugs.debian.org, 958568-done@bugs.debian.org, 958714-done@bugs.debian.org, 958716-done@bugs.debian.org, 958814-done@bugs.debian.org, 958887-done@bugs.debian.org, 958916-done@bugs.debian.org, 958931-done@bugs.debian.org, 958969-done@bugs.debian.org, 958994-done@bugs.debian.org, 959081-done@bugs.debian.org, 959101-done@bugs.debian.org, 959224-done@bugs.debian.org, 959431-done@bugs.debian.org, 959489-done@bugs.debian.org, 948191-done@bugs.debian.org
• Subject: Closing requests included in 10.4 point release
• From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
• Date: Sat, 09 May 2020 11:53:52 +0100
• Message-id: <fd7fa4d56896c35aab49a5a51cb69727dc60e87a.camel@adam-barratt.org.uk>

Package: release.debian.org
Version: 10.4

Hi,

Each of the uploads referred to by these bugs was included in today's
stable point release.

Regards,

Adam

--- End Message ---