
Bug#989730: unblock: ckeditor/4.16.0+dfsg-2



Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package ckeditor

[ Reason ]
ckeditor is vulnerable to a cross-site scripting (XSS) vulnerability in
the HTML Data Processor because --!> is mishandled.

[ Impact ]
Medium XSS vulnerability

[ Tests ]
Upstream doesn't provide any test for this package

[ Risks ]
No risk, patch is trivial

[ Checklist ]
  [X] all changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in testing

Cheers,
Yadd

unblock ckeditor/4.16.0+dfsg-2
diff --git a/debian/changelog b/debian/changelog
index 72d59540..477ce555 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+ckeditor (4.16.0+dfsg-2) unstable; urgency=medium
+
+  * Team upload
+  * Treat "--!>" as a valid comment end tag (Closes: CVE-2021-33829)
+
+ -- Yadd <yadd@debian.org>  Fri, 11 Jun 2021 13:28:40 +0200
+
 ckeditor (4.16.0+dfsg-1) unstable; urgency=medium
 
   * Team upload
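Review bot: in the new changelog entry, "(Closes: CVE-2021-33829)" uses the keyword reserved for Debian bug numbers (Closes: #NNNNNN), so with a CVE id after it no bug is closed by the upload. Suggest writing the id as a plain reference, "(CVE-2021-33829)", and adding a Closes: with the Debian bug number only if a tracking bug exists for this issue.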
diff --git a/debian/patches/CVE-2021-33829.patch b/debian/patches/CVE-2021-33829.patch
new file mode 100644
index 00000000..228f1859
--- /dev/null
+++ b/debian/patches/CVE-2021-33829.patch
@@ -0,0 +1,19 @@
+Description: Treat --!> as a valid comment end tag.
+Author: Tomasz Jakut <vepomoc@gmail.com>
+Origin: upstream, https://github.com/ckeditor/ckeditor4/commit/3e426ce3
+Bug: https://github.com/ckeditor/ckeditor4/issues/4659
+Forwarded: not-needed
+Reviewed-By: Yadd <yadd@debian.org>
+Last-Update: 2021-06-11
+
+--- a/core/htmlparser.js
++++ b/core/htmlparser.js
+@@ -17,7 +17,7 @@
+  */
+ CKEDITOR.htmlParser = function() {
+ 	this._ = {
+-		htmlPartsRegex: /<(?:(?:\/([^>]+)>)|(?:!--([\S|\s]*?)-->)|(?:([^\/\s>]+)((?:\s+[\w\-:.]+(?:\s*=\s*?(?:(?:"[^"]*")|(?:'[^']*')|[^\s"'\/>]+))?)*)[\S\s]*?(\/?)>))/g
++		htmlPartsRegex: /<(?:(?:\/([^>]+)>)|(?:!--([\S|\s]*?)--!?>)|(?:([^\/\s>]+)((?:\s+[\w\-:.]+(?:\s*=\s*?(?:(?:"[^"]*")|(?:'[^']*')|[^\s"'\/>]+))?)*)[\S\s]*?(\/?)>))/g
+ 	};
+ };
+ 
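Review bot: the only functional change is in the comment alternative of htmlPartsRegex, where "-->" becomes "--!?>", and nothing in the debdiff exercises it. Since the request states there is no upstream test to rely on, suggest recording a manual check in the request: input containing a comment ended by "--!>" should be tokenized as one comment, with the markup after it parsed as ordinary elements rather than absorbed into the comment. Minor: the comment group is still written "[\S|\s]", where the "|" is a literal pipe inside the character class; the same regex uses "[\S\s]" further on, which is the clearer spelling, although changing it would diverge from the upstream commit named in Origin.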
diff --git a/debian/patches/series b/debian/patches/series
index d0d2ffa6..2b74345d 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,3 +1,4 @@
 0001-build-corrections-skip-debian-dir.patch
 0002-Remove-flash-example.patch
 0003-Remove-autogenerated-part-of-file.patch
+CVE-2021-33829.patch
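Review bot: the added series entry "CVE-2021-33829.patch" does not follow the numbered naming of the three existing entries (0001- to 0003-). It is appended last, so the apply order is correct, but a "0004-" prefix would keep the series consistent and make the order explicit in debian/patches.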
