
Bug#998832: bullseye-pu: package jqueryui/1.12.1+dfsg-8+deb11u1



Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-Cc: pkg-javascript-devel@lists-alith.debian.net

[ Reason ]
Jquery-UI is the official jQuery user interface library. Prior to version
1.13.0, accepting the value of the `of` option of the `.position()` util
from untrusted sources may execute untrusted code. The issue is fixed in
jQuery UI 1.13.0. Any string value passed to the `of` option is now treated
as a CSS selector. A workaround is to not accept the value of the `of`
option from untrusted sources. (CVE-2021-41184)

[ Impact ]
Medium security issue

[ Tests ]
No test launched for this package.

[ Risks ]
Low risk, patch is trivial

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

[ Changes ]
Just a security check

Cheers,
Yadd
diff --git a/debian/changelog b/debian/changelog
index e137315..48b298f 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+jqueryui (1.12.1+dfsg-8+deb11u1) bullseye; urgency=medium
+
+  * Team upload
+  * Make sure `of` is treated as a CSS selector (Closes: CVE-2021-41184)
+
+ -- Yadd <yadd@debian.org>  Mon, 08 Nov 2021 11:00:00 +0100
+
 jqueryui (1.12.1+dfsg-8) unstable; urgency=medium
 
   * Team upload
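Review bot: `Closes: CVE-2021-41184` in the new changelog entry is not something dpkg's changelog parser treats as a closure; `Closes:` is scanned for Debian bug numbers (`#NNNNNN`), so a CVE identifier there silently does nothing. Cite the CVE in the entry text instead, e.g. `Fix CVE-2021-41184: treat a string value of \`of\` as a CSS selector`, and use `Closes:` only if there is a corresponding BTS bug for this issue.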
diff --git a/debian/patches/CVE-2021-41184.patch b/debian/patches/CVE-2021-41184.patch
new file mode 100644
index 0000000..112a288
--- /dev/null
+++ b/debian/patches/CVE-2021-41184.patch
@@ -0,0 +1,23 @@
+Description: Make sure `of` is treated as a CSS selector (Closes: CVE-2021-41184)
+ fix "option of the `.position()` util from untrusted sources may execute untrusted code"
+Author: Michał Gołębiowski-Owczarek <m.goleb@gmail.com>
+Origin: upstream, https://github.com/jquery/jquery-ui/commit/effa323f
+Bug: https://github.com/jquery/jquery-ui/security/advisories/GHSA-gpqq-952q-5327
+Forwarded: not-needed
+Reviewed-By: Yadd <yadd@debian.org>
+Last-Update: 2021-11-08
+
+--- a/ui/position.js
++++ b/ui/position.js
+@@ -144,7 +144,10 @@
+ 	options = $.extend( {}, options );
+ 
+ 	var atOffset, targetWidth, targetHeight, targetOffset, basePosition, dimensions,
+-		target = $( options.of ),
++		// Make sure string options are treated as CSS selectors
++		target = typeof options.of === "string" ?
++			$( document ).find( options.of ) :
++			$( options.of ),
+ 		within = $.position.getWithinInfo( options.within ),
+ 		scrollInfo = $.position.getScrollInfo( within ),
+ 		collision = ( options.collision || "flip" ).split( " " ),
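Review bot: the new ternary `target = typeof options.of === "string" ? $( document ).find( options.of ) : $( options.of )` changes behaviour for every string that is not a valid CSS selector: markup such as `<img src=x onerror=...>`, which `$()` previously parsed into a detached element, now makes jQuery throw a selector syntax error. That is the intended hardening, but callers that legitimately passed HTML strings to `of` will break rather than degrade, so a stable update should mention it in d/changelog (or d/NEWS if such callers are plausible). Minor: the second Description line `fix "option of the ... may execute untrusted code"` is a sentence fragment; the advisory's own wording ("accepting the value of the `of` option from untrusted sources may execute untrusted code") reads better.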
diff --git a/debian/patches/series b/debian/patches/series
index a1fcccd..b2738aa 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,3 +1,4 @@
 add_missing_semicolon.patch
 match_css_source_to_release.patch
 use_system_files_in_examples.patch
+CVE-2021-41184.patch

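Worked example, added here and not part of this report, the debdiff, jQuery or jQuery UI: a Node-runnable model of the string dispatch inside jQuery's `$()` that made the `of` option dangerous, and of what the upstream fix changes. The regex `rquickExpr` and the `<...>` shortcut are assumed to be those of jQuery 3.x core/init; the sample inputs are constructed.

```javascript
// Added example (not jQuery, jQuery UI or Debian code): a model of the
// string dispatch inside jQuery's $() that made CVE-2021-41184 possible,
// and of what the upstream fix changes for the `of` option.
// Assumption: rquickExpr and the "<...>" shortcut are as in jQuery 3.x core/init.
const rquickExpr = /^(?:\s*(<[\w\W]+>)[^>]*|#([\w-]+))$/;

// Classify a string the way $( str ) does when called without a context:
// "html" means parseHTML runs (inline handlers and <script> execute once
// the nodes are inserted), "id" is the getElementById fast path, and
// "selector" is a plain Sizzle lookup that never creates nodes.
function classifyForDollar(str) {
  if (str.charAt(0) === "<" && str.charAt(str.length - 1) === ">" && str.length >= 3) {
    return "html";
  }
  const match = rquickExpr.exec(str);
  if (match && match[1]) return "html";   // leading whitespace, then markup
  if (match && match[2]) return "id";
  return "selector";
}

// Before the fix, jQuery UI did `target = $( options.of )`, so whoever
// controls the string controls this classification.
function resolveOfBeforeFix(of) {
  return typeof of === "string" ? classifyForDollar(of) : "object";
}

// After the fix, strings go through $( document ).find( options.of ),
// which only ever runs a selector; markup is not a valid selector, so
// jQuery throws a syntax error instead of creating elements.
function resolveOfAfterFix(of) {
  return typeof of === "string" ? "selector" : "object";
}

// Constructed sample inputs an application might forward into
// .position({ of: ... }) from a URL parameter or similar.
const SAMPLES = [
  "#dialog",
  ".ui-dialog",
  "<img src=x onerror=alert(1)>",
  "   <img src=x onerror=alert(1)>",   // leading whitespace does not help
];

// One row per sample so the two code paths can be compared side by side.
function audit(samples = SAMPLES) {
  return samples.map((value) => ({
    value,
    beforeFix: resolveOfBeforeFix(value),
    afterFix: resolveOfAfterFix(value),
  }));
}

// Number of samples that would have been parsed as HTML before the fix.
function htmlCountBeforeFix(samples = SAMPLES) {
  return audit(samples).filter((row) => row.beforeFix === "html").length;
}

console.table(audit());
```

Run it with `node`; the table shows that only strings starting with `<` (after optional whitespace) and ending with `>` reach parseHTML on the old path, which is exactly the shape an attacker supplies, while the fixed path never classifies a string as markup at all.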