--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
Please unblock package ckeditor
[ Reason ]
ckeditor is vulnerable to a cross-site scripting (XSS) vulnerability in
the HTML Data Processor because --!> is mishandled.
[ Impact ]
Medium XSS vulnerability
[ Tests ]
Upstream doesn't provide any test for this package
[ Risks ]
No risk, patch is trivial
[ Checklist ]
[X] all changes are documented in the d/changelog
[X] I reviewed all changes and I approve them
[X] attach debdiff against the package in testing
Cheers,
Yadd
unblock ckeditor/4.16.0+dfsg-2
diff --git a/debian/changelog b/debian/changelog
index 72d59540..477ce555 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+ckeditor (4.16.0+dfsg-2) unstable; urgency=medium
+
+ * Team upload
+ * Treat "--!>" as a valid comment end tag (Closes: CVE-2021-33829)
+
+ -- Yadd <yadd@debian.org> Fri, 11 Jun 2021 13:28:40 +0200
+
ckeditor (4.16.0+dfsg-1) unstable; urgency=medium
* Team upload
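Review bot: the `Closes: CVE-2021-33829` marker in the new changelog entry will not close anything, because the Debian bug tracker only acts on `Closes:` followed by bug numbers, not CVE ids. Reference the CVE as plain text, for example `(CVE-2021-33829)`, and add a `Closes: #NNNNNN` only if a Debian bug exists for this issue (NNNNNN is a placeholder; no bug number is visible in this request).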
diff --git a/debian/patches/CVE-2021-33829.patch b/debian/patches/CVE-2021-33829.patch
new file mode 100644
index 00000000..228f1859
--- /dev/null
+++ b/debian/patches/CVE-2021-33829.patch
@@ -0,0 +1,19 @@
+Description: Treat --!> as a valid comment end tag.
+Author: Tomasz Jakut <vepomoc@gmail.com>
+Origin: upstream, https://github.com/ckeditor/ckeditor4/commit/3e426ce3
+Bug: https://github.com/ckeditor/ckeditor4/issues/4659
+Forwarded: not-needed
+Reviewed-By: Yadd <yadd@debian.org>
+Last-Update: 2021-06-11
+
+--- a/core/htmlparser.js
++++ b/core/htmlparser.js
+@@ -17,7 +17,7 @@
+ */
+ CKEDITOR.htmlParser = function() {
+ this._ = {
+- htmlPartsRegex: /<(?:(?:\/([^>]+)>)|(?:!--([\S|\s]*?)-->)|(?:([^\/\s>]+)((?:\s+[\w\-:.]+(?:\s*=\s*?(?:(?:"[^"]*")|(?:'[^']*')|[^\s"'\/>]+))?)*)[\S\s]*?(\/?)>))/g
++ htmlPartsRegex: /<(?:(?:\/([^>]+)>)|(?:!--([\S|\s]*?)--!?>)|(?:([^\/\s>]+)((?:\s+[\w\-:.]+(?:\s*=\s*?(?:(?:"[^"]*")|(?:'[^']*')|[^\s"'\/>]+))?)*)[\S\s]*?(\/?)>))/g
+ };
+ };
+
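Review bot: the regex change on the `+ htmlPartsRegex` line ships with no regression check, and the request's own Tests section says none is available from upstream. Since the whole fix is the optional `!` in `--!?>`, a small package-level test that runs a comment terminated by `--!>` through `CKEDITOR.htmlParser` and asserts it lands in the comment capture group (the second group of the pattern), alongside a control case ending in `-->`, would guard against the patch being dropped or mangled on the next upstream refresh. Separately, the `Origin:` header carries an abbreviated commit id (`3e426ce3`); the full hash would make the upstream reference unambiguous.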
diff --git a/debian/patches/series b/debian/patches/series
index d0d2ffa6..2b74345d 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,3 +1,4 @@
0001-build-corrections-skip-debian-dir.patch
0002-Remove-flash-example.patch
0003-Remove-autogenerated-part-of-file.patch
+CVE-2021-33829.patch
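Review bot: the added `series` entry `CVE-2021-33829.patch` drops the `NNNN-` numeric prefix used by the three existing patches. Nothing breaks, since quilt applies patches in file order, but a name such as `0004-CVE-2021-33829.patch` would keep the directory listing consistent with the apply order.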
--- End Message ---