
Bug#954988: stretch-pu: package node-knockout/3.4.2-2+deb9u1



Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian.org@packages.debian.org
Usertags: pu

Hi,

node-knockout is vulnerable to CVE-2019-14862 (#943560): bad escaping for
old MSIE browsers (MSIE ≤ 7). This little patch fixes this issue.

Cheers,
Xavier
diff --git a/debian/changelog b/debian/changelog
index e35157d..078f2f8 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+node-knockout (3.4.2-2+deb9u1) stretch; urgency=medium
+
+  * Team upload
+  * Fix bad escaping for old MSIE (Closes: #943560, CVE-2019-14862)
+
+ -- Xavier Guimard <yadd@debian.org>  Thu, 26 Mar 2020 11:17:36 +0100
+
 node-knockout (3.4.2-2) unstable; urgency=medium
 
   * Mark package as Multi-Arch: foreign
diff --git a/debian/patches/CVE-2019-14862.diff b/debian/patches/CVE-2019-14862.diff
new file mode 100644
index 0000000..212b29e
--- /dev/null
+++ b/debian/patches/CVE-2019-14862.diff
@@ -0,0 +1,45 @@
+Description: fix for CVE-2019-14862
+Author: Michael Best
+Origin: upstream, https://github.com/knockout/knockout/pull/2345/files
+Bug: https://github.com/knockout/knockout/issues/1244
+Bug-Debian: https://bugs.debian.org/943560
+Forwarded: not-needed
+Reviewed-By: Xavier Guimard <yadd@debian.org>
+Last-Update: 2020-03-26
+
+--- a/spec/defaultBindings/attrBehaviors.js
++++ b/spec/defaultBindings/attrBehaviors.js
+@@ -26,6 +26,14 @@
+             expect(testNode.childNodes[0].outerHTML).toNotMatch('name="?([^">]+)');
+         }
+         expect(testNode.childNodes[0].getAttribute("name")).toEqual("");
++
++        // Check that special characters are handled appropriately
++        myValue("<A name with special &'\" chars>");
++        expect(testNode.childNodes[0].name).toEqual("<A name with special &'\" chars>");
++        if (testNode.childNodes[0].outerHTML) { // Old Firefox doesn't support outerHTML
++            expect(testNode.childNodes[0].outerHTML).toMatch('name="?(<|&lt;)A name with special &amp;\'&quot; chars(>|&gt;)"?');
++        }
++        expect(testNode.childNodes[0].getAttribute("name")).toEqual("<A name with special &'\" chars>");
+     });
+ 
+     it('Should respond to changes in an observable value', function() {
+@@ -62,4 +70,4 @@
+         expect(testNode.childNodes[0].className).toEqual("");
+         expect(testNode.childNodes[0].getAttribute("class")).toEqual(null);
+     });
+-});
+\ No newline at end of file
++});
+--- a/src/utils.js
++++ b/src/utils.js
+@@ -451,7 +451,8 @@
+             // - http://www.matts411.com/post/setting_the_name_attribute_in_ie_dom/
+             if (ieVersion <= 7) {
+                 try {
+-                    element.mergeAttributes(document.createElement("<input name='" + element.name + "'/>"), false);
++                    var escapedName = element.name.replace(/[&<>'"]/g, function(r){ return "&#" + r.charCodeAt(0) + ";"; });
++                    element.mergeAttributes(document.createElement("<input name='" + escapedName + "'/>"), false);
+                 }
+                 catch(e) {} // For IE9 with doc mode "IE9 Standards" and browser mode "IE9 Compatibility View"
+             }
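Review bot: The added `escapedName` line in the src/utils.js part of this patch has no comment saying why the name is entity-encoded, and the reason is easy to miss: inside the `ieVersion <= 7` branch `document.createElement` is handed an HTML string, so `element.name` is parsed as markup unless `&`, `<`, `>`, `'` and `"` are encoded. I would add above it `// IE <= 7 parses the createElement argument as markup; entity-encode the name so it stays inside the quoted attribute value`. The patch touches only src/ and spec/, so the fix reaches users only if the installed library is regenerated from src/utils.js during the package build; that is not visible here and is worth confirming before the upload. The enclosing function starts and ends outside the hunk.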
diff --git a/debian/patches/series b/debian/patches/series
index 0108572..6429144 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1 +1,2 @@
 gruntfile.patch
+CVE-2019-14862.diff
