
Bug#998832: bullseye-pu: package jqueryui/1.12.1+dfsg-8+deb11u1



Control: tags -1 - moreinfo

On 03/12/2021 17:30, Adam D. Barratt wrote:
Control: tags -1 + moreinfo

On Tue, 2021-11-09 at 08:25 +0100, Salvatore Bonaccorso wrote:
Hi,

On Mon, Nov 08, 2021 at 12:27:03PM +0100, Yadd wrote:
[...]
Jquery-UI is the official jQuery user interface library. Prior to
version
1.13.0, accepting the value of the `of` option of the `.position()`
util
from untrusted sources may execute untrusted code. The issue is
fixed in
jQuery UI 1.13.0. Any string value passed to the `of` option is now
treated
as a CSS selector. A workaround is to not accept the value of the
`of`
option from untrusted sources. (CVE-2021-41184)

AFAICS there are two more CVEs for jqueryui which were fixed in
1.13.0
and so covered in unstable already. Can those be backported as well
or
are they too intrusive?


Quick ping on this.

Regards,

Adam

Hi,

sorry, here is the new debdiff

Cheers,
Yadd
diff --git a/debian/changelog b/debian/changelog
index e137315..3a6a587 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,13 @@
+jqueryui (1.12.1+dfsg-8+deb11u1) bullseye; urgency=medium
+
+  * Team upload
+  * Make sure altField is treated as a CSS selector (Closes: CVE-2021-41182)
+  * Make sure text option are text, shorten HTML strings
+    (Closes: CVE-2021-41183)
+  * Make sure `of` is treated as a CSS selector (Closes: CVE-2021-41184)
+
+ -- Yadd <yadd@debian.org>  Mon, 06 Dec 2021 08:29:59 +0100
+
 jqueryui (1.12.1+dfsg-8) unstable; urgency=medium
 
   * Team upload
diff --git a/debian/patches/CVE-2021-41182.patch b/debian/patches/CVE-2021-41182.patch
new file mode 100644
index 0000000..975c627
--- /dev/null
+++ b/debian/patches/CVE-2021-41182.patch
@@ -0,0 +1,19 @@
+Description: Datepicker: Make sure altField is treated as a CSS selector
+Author: Michał Gołębiowski-Owczarek
+Origin: upstream, https://github.com/jquery/jquery-ui/commit/32850869
+Bug: https://github.com/jquery/jquery-ui/security/advisories/GHSA-9gj3-hwp5-pmwc
+Forwarded: not-needed
+Reviewed-By: Yadd <yadd@debian.org>
+Last-Update: 2021-12-06
+
+--- a/ui/widgets/datepicker.js
++++ b/ui/widgets/datepicker.js
+@@ -1090,7 +1090,7 @@
+ 			altFormat = this._get( inst, "altFormat" ) || this._get( inst, "dateFormat" );
+ 			date = this._getDate( inst );
+ 			dateStr = this.formatDate( altFormat, date, this._getFormatConfig( inst ) );
+-			$( altField ).val( dateStr );
++			$( document ).find( altField ).val( dateStr );
+ 		}
+ 	},
+ 
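Review bot: The DEP-3 `Description:` line of this patch file does not name the CVE it fixes, whereas CVE-2021-41184.patch carries `(Closes: CVE-2021-41184)` in its Description; `Description: Datepicker: Make sure altField is treated as a CSS selector (Closes: CVE-2021-41182)` would keep the two headers consistent with each other and with the changelog entry. The header could also record the user-visible effect of the one-line change: an altField value that was previously interpreted as an HTML string now goes through `$( document ).find()` and yields an empty set, so such a caller silently gets no alternate-field update instead of a created element. The same header remark applies to the `of` handling in CVE-2021-41184.patch, which already names its CVE but does not describe the behaviour change for string values. The datepicker method enclosing this change starts and ends outside the hunk.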
diff --git a/debian/patches/CVE-2021-41183.patch b/debian/patches/CVE-2021-41183.patch
new file mode 100644
index 0000000..b610ead
--- /dev/null
+++ b/debian/patches/CVE-2021-41183.patch
@@ -0,0 +1,179 @@
+Description: Make sure text option are text, shorten HTML strings
+Author: Michał Gołębiowski-Owczarek
+Origin: upstream, https://github.com/jquery/jquery-ui/pull/1953
+Bug: https://github.com/jquery/jquery-ui/security/advisories/GHSA-j7qv-pgf6-hvh4
+Forwarded: not-needed
+Reviewed-By: Yadd <yadd@debian.org>
+Last-Update: 2021-12-06
+
+--- a/ui/widgets/datepicker.js
++++ b/ui/widgets/datepicker.js
+@@ -240,7 +240,9 @@
+ 			inst.append.remove();
+ 		}
+ 		if ( appendText ) {
+-			inst.append = $( "<span class='" + this._appendClass + "'>" + appendText + "</span>" );
++			inst.append = $( "<span>" )
++				.addClass( this._appendClass )
++				.text( appendText );
+ 			input[ isRTL ? "before" : "after" ]( inst.append );
+ 		}
+ 
+@@ -257,12 +259,32 @@
+ 		if ( showOn === "button" || showOn === "both" ) { // pop-up date picker when button clicked
+ 			buttonText = this._get( inst, "buttonText" );
+ 			buttonImage = this._get( inst, "buttonImage" );
+-			inst.trigger = $( this._get( inst, "buttonImageOnly" ) ?
+-				$( "<img/>" ).addClass( this._triggerClass ).
+-					attr( { src: buttonImage, alt: buttonText, title: buttonText } ) :
+-				$( "<button type='button'></button>" ).addClass( this._triggerClass ).
+-					html( !buttonImage ? buttonText : $( "<img/>" ).attr(
+-					{ src:buttonImage, alt:buttonText, title:buttonText } ) ) );
++
++			if ( this._get( inst, "buttonImageOnly" ) ) {
++				inst.trigger = $( "<img>" )
++					.addClass( this._triggerClass )
++					.attr( {
++						src: buttonImage,
++						alt: buttonText,
++						title: buttonText
++					} );
++			} else {
++				inst.trigger = $( "<button type='button'>" )
++					.addClass( this._triggerClass );
++				if ( buttonImage ) {
++					inst.trigger.html(
++						$( "<img>" )
++							.attr( {
++								src: buttonImage,
++								alt: buttonText,
++								title: buttonText
++							} )
++					);
++				} else {
++					inst.trigger.text( buttonText );
++				}
++			}
++
+ 			input[ isRTL ? "before" : "after" ]( inst.trigger );
+ 			inst.trigger.on( "click", function() {
+ 				if ( $.datepicker._datepickerShowing && $.datepicker._lastInput === input[ 0 ] ) {
+@@ -1704,32 +1726,104 @@
+ 			this._daylightSavingAdjust( new Date( drawYear, drawMonth - stepMonths, 1 ) ),
+ 			this._getFormatConfig( inst ) ) );
+ 
+-		prev = ( this._canAdjustMonth( inst, -1, drawYear, drawMonth ) ?
+-			"<a class='ui-datepicker-prev ui-corner-all' data-handler='prev' data-event='click'" +
+-			" title='" + prevText + "'><span class='ui-icon ui-icon-circle-triangle-" + ( isRTL ? "e" : "w" ) + "'>" + prevText + "</span></a>" :
+-			( hideIfNoPrevNext ? "" : "<a class='ui-datepicker-prev ui-corner-all ui-state-disabled' title='" + prevText + "'><span class='ui-icon ui-icon-circle-triangle-" + ( isRTL ? "e" : "w" ) + "'>" + prevText + "</span></a>" ) );
++		if ( this._canAdjustMonth( inst, -1, drawYear, drawMonth ) ) {
++			prev = $( "<a>" )
++				.attr( {
++					"class": "ui-datepicker-prev ui-corner-all",
++					"data-handler": "prev",
++					"data-event": "click",
++					title: prevText
++				} )
++				.append(
++					$( "<span>" )
++						.addClass( "ui-icon ui-icon-circle-triangle-" +
++							( isRTL ? "e" : "w" ) )
++						.text( prevText )
++				)[ 0 ].outerHTML;
++		} else if ( hideIfNoPrevNext ) {
++			prev = "";
++		} else {
++			prev = $( "<a>" )
++				.attr( {
++					"class": "ui-datepicker-prev ui-corner-all ui-state-disabled",
++					title: prevText
++				} )
++				.append(
++					$( "<span>" )
++						.addClass( "ui-icon ui-icon-circle-triangle-" +
++							( isRTL ? "e" : "w" ) )
++						.text( prevText )
++				)[ 0 ].outerHTML;
++		}
+ 
+ 		nextText = this._get( inst, "nextText" );
+ 		nextText = ( !navigationAsDateFormat ? nextText : this.formatDate( nextText,
+ 			this._daylightSavingAdjust( new Date( drawYear, drawMonth + stepMonths, 1 ) ),
+ 			this._getFormatConfig( inst ) ) );
+ 
+-		next = ( this._canAdjustMonth( inst, +1, drawYear, drawMonth ) ?
+-			"<a class='ui-datepicker-next ui-corner-all' data-handler='next' data-event='click'" +
+-			" title='" + nextText + "'><span class='ui-icon ui-icon-circle-triangle-" + ( isRTL ? "w" : "e" ) + "'>" + nextText + "</span></a>" :
+-			( hideIfNoPrevNext ? "" : "<a class='ui-datepicker-next ui-corner-all ui-state-disabled' title='" + nextText + "'><span class='ui-icon ui-icon-circle-triangle-" + ( isRTL ? "w" : "e" ) + "'>" + nextText + "</span></a>" ) );
++		if ( this._canAdjustMonth( inst, +1, drawYear, drawMonth ) ) {
++			next = $( "<a>" )
++				.attr( {
++					"class": "ui-datepicker-next ui-corner-all",
++					"data-handler": "next",
++					"data-event": "click",
++					title: nextText
++				} )
++				.append(
++					$( "<span>" )
++						.addClass( "ui-icon ui-icon-circle-triangle-" +
++							( isRTL ? "w" : "e" ) )
++						.text( nextText )
++				)[ 0 ].outerHTML;
++		} else if ( hideIfNoPrevNext ) {
++			next = "";
++		} else {
++			next = $( "<a>" )
++				.attr( {
++					"class": "ui-datepicker-next ui-corner-all ui-state-disabled",
++					title: nextText
++				} )
++				.append(
++					$( "<span>" )
++						.attr( "class", "ui-icon ui-icon-circle-triangle-" +
++							( isRTL ? "w" : "e" ) )
++						.text( nextText )
++				)[ 0 ].outerHTML;
++		}
+ 
+ 		currentText = this._get( inst, "currentText" );
+ 		gotoDate = ( this._get( inst, "gotoCurrent" ) && inst.currentDay ? currentDate : today );
+ 		currentText = ( !navigationAsDateFormat ? currentText :
+ 			this.formatDate( currentText, gotoDate, this._getFormatConfig( inst ) ) );
+ 
+-		controls = ( !inst.inline ? "<button type='button' class='ui-datepicker-close ui-state-default ui-priority-primary ui-corner-all' data-handler='hide' data-event='click'>" +
+-			this._get( inst, "closeText" ) + "</button>" : "" );
+-
+-		buttonPanel = ( showButtonPanel ) ? "<div class='ui-datepicker-buttonpane ui-widget-content'>" + ( isRTL ? controls : "" ) +
+-			( this._isInRange( inst, gotoDate ) ? "<button type='button' class='ui-datepicker-current ui-state-default ui-priority-secondary ui-corner-all' data-handler='today' data-event='click'" +
+-			">" + currentText + "</button>" : "" ) + ( isRTL ? "" : controls ) + "</div>" : "";
++		controls = "";
++		if ( !inst.inline ) {
++			controls = $( "<button>" )
++				.attr( {
++					type: "button",
++					"class": "ui-datepicker-close ui-state-default ui-priority-primary ui-corner-all",
++					"data-handler": "hide",
++					"data-event": "click"
++				} )
++				.text( this._get( inst, "closeText" ) )[ 0 ].outerHTML;
++		}
++
++		buttonPanel = "";
++		if ( showButtonPanel ) {
++			buttonPanel = $( "<div class='ui-datepicker-buttonpane ui-widget-content'>" )
++				.append( isRTL ? controls : "" )
++				.append( this._isInRange( inst, gotoDate ) ?
++					$( "<button>" )
++						.attr( {
++							type: "button",
++							"class": "ui-datepicker-current ui-state-default ui-priority-secondary ui-corner-all",
++							"data-handler": "today",
++							"data-event": "click"
++						} )
++						.text( currentText ) :
++					"" )
++				.append( isRTL ? "" : controls )[ 0 ].outerHTML;
++		}
+ 
+ 		firstDay = parseInt( this._get( inst, "firstDay" ), 10 );
+ 		firstDay = ( isNaN( firstDay ) ? 0 : firstDay );
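Review bot: The disabled `next` branch builds its icon span with `.attr( "class", "ui-icon ui-icon-circle-triangle-" +`, while the three sibling branches for `prev` and the enabled `next` use `.addClass( "ui-icon ui-icon-circle-triangle-" +`; the result is the same serialized markup, but the inconsistency makes the four near-identical blocks harder to diff by eye, so `.addClass( "ui-icon ui-icon-circle-triangle-" +` in that branch too would be cleaner. The `buttonPanel` wrapper is still created from a literal `$( "<div class='ui-datepicker-buttonpane ui-widget-content'>" )`; that string is a constant and carries no option value, so it is not a sanitisation gap, but `$( "<div>" ).addClass( "ui-datepicker-buttonpane ui-widget-content" )` would match the style the rest of the hunk adopts. The enclosing HTML-generation function starts and ends outside the hunk, as does the `_attachments` code of the first two hunks.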
diff --git a/debian/patches/CVE-2021-41184.patch b/debian/patches/CVE-2021-41184.patch
new file mode 100644
index 0000000..112a288
--- /dev/null
+++ b/debian/patches/CVE-2021-41184.patch
@@ -0,0 +1,23 @@
+Description: Make sure `of` is treated as a CSS selector (Closes: CVE-2021-41184)
+ fix "option of the `.position()` util from untrusted sources may execute untrusted code"
+Author: Michał Gołębiowski-Owczarek <m.goleb@gmail.com>
+Origin: upstream, https://github.com/jquery/jquery-ui/commit/effa323f
+Bug: https://github.com/jquery/jquery-ui/security/advisories/GHSA-gpqq-952q-5327
+Forwarded: not-needed
+Reviewed-By: Yadd <yadd@debian.org>
+Last-Update: 2021-11-08
+
+--- a/ui/position.js
++++ b/ui/position.js
+@@ -144,7 +144,10 @@
+ 	options = $.extend( {}, options );
+ 
+ 	var atOffset, targetWidth, targetHeight, targetOffset, basePosition, dimensions,
+-		target = $( options.of ),
++		// Make sure string options are treated as CSS selectors
++		target = typeof options.of === "string" ?
++			$( document ).find( options.of ) :
++			$( options.of ),
+ 		within = $.position.getWithinInfo( options.within ),
+ 		scrollInfo = $.position.getScrollInfo( within ),
+ 		collision = ( options.collision || "flip" ).split( " " ),
diff --git a/debian/patches/series b/debian/patches/series
index a1fcccd..71a6270 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,3 +1,6 @@
 add_missing_semicolon.patch
 match_css_source_to_release.patch
 use_system_files_in_examples.patch
+CVE-2021-41182.patch
+CVE-2021-41183.patch
+CVE-2021-41184.patch
diff --git a/debian/rules b/debian/rules
index 5737bb3..8a0fb0b 100755
--- a/debian/rules
+++ b/debian/rules
@@ -89,8 +89,8 @@ override_dh_auto_test: jquery-ui.js jquery-ui.min.js themes/base/jquery-ui.css
 	nodejs --check ui/i18n/jquery-ui-i18n.js
 # Reference files are taken from the quick download ZIP file from
 # http://jqueryui.com
-	diff -Bw debian/reference-jquery-ui.js jquery-ui.js
-	diff -Bw debian/reference-jquery-ui.css themes/base/jquery-ui.css
+	#diff -Bw debian/reference-jquery-ui.js jquery-ui.js
+	#diff -Bw debian/reference-jquery-ui.css themes/base/jquery-ui.css
 endif
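Review bot: Commenting out both `diff -Bw` lines drops the build-time check that the shipped `jquery-ui.js` and `themes/base/jquery-ui.css` match the upstream reference copies, and neither this hunk nor the changelog entry in this debdiff records why. The three CVE patches above touch only `ui/widgets/datepicker.js` and `ui/position.js`, so the JS bundle is expected to diverge, but the CSS comparison `diff -Bw debian/reference-jquery-ui.css themes/base/jquery-ui.css` could stay enabled. For the JS side, refreshing `debian/reference-jquery-ui.js` from the patched sources, or at least a `# reference no longer matches after CVE-2021-4118x patches` comment above the disabled lines plus a changelog line, would keep the remaining check meaningful and the reason discoverable. The `override_dh_auto_test` target begins outside the hunk.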
 
 override_dh_compress:
