Bug#954988: marked as done (stretch-pu: package node-knockout/3.4.2-2+deb9u1)

["Debian Bug Tracking System" <owner@bugs.debian.org>]

Your message dated Sat, 28 Mar 2020 12:37:16 +0000
with message-id <935e4b63f8232ba312b8ef131cb89f5c6e07bfb7.camel@adam-barratt.org.uk>
and subject line Re: Bug#954988: stretch-pu: package node-knockout/3.4.2-2+deb9u1
has caused the Debian Bug report #954988,
regarding stretch-pu: package node-knockout/3.4.2-2+deb9u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
954988: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=954988
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems

--- Begin Message ---

• To: Debian Bug Tracking System <submit@bugs.debian.org>
• Subject: stretch-pu: package node-knockout/3.4.2-2+deb9u1
• From: Xavier Guimard <yadd@debian.org>
• Date: Thu, 26 Mar 2020 11:45:19 +0100
• Message-id: <[🔎] 158521951900.1697861.10825366052281617282.reportbug@deb007.xnr.fr>

Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian.org@packages.debian.org
Usertags: pu

Hi,

node-knockout is vunerable to CVE-2019-14862 (#943560): bad escaping for
old MSIE browsers (MSIE ≤ 7). This little patche fixes this issue.

Cheers,
Xavier

diff --git a/debian/changelog b/debian/changelog
index e35157d..078f2f8 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+node-knockout (3.4.2-2+deb9u1) stretch; urgency=medium
+
+  * Team upload
+  * Fix bad escaping for old MSIE (Closes: #943560, CVE-2019-14862)
+
+ -- Xavier Guimard <yadd@debian.org>  Thu, 26 Mar 2020 11:17:36 +0100
+
 node-knockout (3.4.2-2) unstable; urgency=medium
 
   * Mark package as Multi-Arch: foreign
diff --git a/debian/patches/CVE-2019-14862.diff b/debian/patches/CVE-2019-14862.diff
new file mode 100644
index 0000000..212b29e
--- /dev/null
+++ b/debian/patches/CVE-2019-14862.diff
@@ -0,0 +1,45 @@
+Description: fix for CVE-2019-14862
+Author: Michael Best
+Origin: upstream, https://github.com/knockout/knockout/pull/2345/files
+Bug: https://github.com/knockout/knockout/issues/1244
+Bug-Debian: https://bugs.debian.org/943560
+Forwarded: not-needed
+Reviewed-By: Xavier Guimard <yadd@debian.org>
+Last-Update: 2020-03-26
+
+--- a/spec/defaultBindings/attrBehaviors.js
++++ b/spec/defaultBindings/attrBehaviors.js
+@@ -26,6 +26,14 @@
+             expect(testNode.childNodes[0].outerHTML).toNotMatch('name="?([^">]+)');
+         }
+         expect(testNode.childNodes[0].getAttribute("name")).toEqual("");
++
++        // Check that special characters are handled appropriately
++        myValue("<A name with special &'\" chars>");
++        expect(testNode.childNodes[0].name).toEqual("<A name with special &'\" chars>");
++        if (testNode.childNodes[0].outerHTML) { // Old Firefox doesn't support outerHTML
++            expect(testNode.childNodes[0].outerHTML).toMatch('name="?(<|&lt;)A name with special &amp;\'&quot; chars(>|&gt;)"?');
++        }
++        expect(testNode.childNodes[0].getAttribute("name")).toEqual("<A name with special &'\" chars>");
+     });
+ 
+     it('Should respond to changes in an observable value', function() {
+@@ -62,4 +70,4 @@
+         expect(testNode.childNodes[0].className).toEqual("");
+         expect(testNode.childNodes[0].getAttribute("class")).toEqual(null);
+     });
+-});
+\ No newline at end of file
++});
+--- a/src/utils.js
++++ b/src/utils.js
+@@ -451,7 +451,8 @@
+             // - http://www.matts411.com/post/setting_the_name_attribute_in_ie_dom/
+             if (ieVersion <= 7) {
+                 try {
+-                    element.mergeAttributes(document.createElement("<input name='" + element.name + "'/>"), false);
++                    var escapedName = element.name.replace(/[&<>'"]/g, function(r){ return "&#" + r.charCodeAt(0) + ";"; });
++                    element.mergeAttributes(document.createElement("<input name='" + escapedName + "'/>"), false);
+                 }
+                 catch(e) {} // For IE9 with doc mode "IE9 Standards" and browser mode "IE9 Compatibility View"
+             }
diff --git a/debian/patches/series b/debian/patches/series
index 0108572..6429144 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1 +1,2 @@
 gruntfile.patch
+CVE-2019-14862.diff

--- End Message ---

--- Begin Message ---

• To: Xavier Guimard <yadd@debian.org>, 954988-done@bugs.debian.org
• Subject: Re: Bug#954988: stretch-pu: package node-knockout/3.4.2-2+deb9u1
• From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
• Date: Sat, 28 Mar 2020 12:37:16 +0000
• Message-id: <935e4b63f8232ba312b8ef131cb89f5c6e07bfb7.camel@adam-barratt.org.uk>
• In-reply-to: <[🔎] 158521951900.1697861.10825366052281617282.reportbug@deb007.xnr.fr>
• References: <[🔎] 158521951900.1697861.10825366052281617282.reportbug@deb007.xnr.fr>

On Thu, 2020-03-26 at 11:45 +0100, Xavier Guimard wrote:
> node-knockout is vunerable to CVE-2019-14862 (#943560): bad escaping
> for
> old MSIE browsers (MSIE ≤ 7). This little patche fixes this issue.
> 

There is no node-knockout package in stretch; closing.

Regards,

Adam

--- End Message ---