Package: release.debian.org Severity: normal User: release.debian....@packages.debian.org Usertags: unblock
Please unblock package node-jquery Hi all, node-jquery is vulnerable to prototype pollution (same than #927385 for jQuery, already unblocked). I added the same patch and changed also: * Add upstream/metadata * Add homepage * Upgrade links to https * Fix prototype pollution vulnerability (Closes: #927466, CVE-2019-11358) * Add patch to make the build reproducible. Thanks to Chris Lamb (Closes: #886001) Reverse dependencies: - node-jquery-ujs (no reverse deps) - node-jquery-textcomplete (no reverse deps) - rainloop (build dependency, no reverse deps) Changes on installed files are just:
diff -aburN /usr/lib/nodejs/jquery/dist.old/jquery.js /usr/lib/nodejs/jquery/dist/jquery.js
--- /usr/lib/nodejs/jquery/dist.old/jquery.js 2018-06-20 16:22:11.000000000 +0200
+++ /usr/lib/nodejs/jquery/dist/jquery.js 2019-04-23 18:12:00.000000000 +0200
@@ -8,8 +8,6 @@
 * Copyright jQuery Foundation and other contributors
 * Released under the MIT license
 * http://jquery.org/license
- *
- * Date: 2018-06-20T15:30Z
 */
 
 (function( global, factory ) {
@@ -210,7 +208,7 @@
 copy = options[ name ];
 
 // Prevent never-ending loop
- if ( target === copy ) {
+ if ( name === "__proto__" || target === copy ) {
 continue;
 }
and of course minified/map files. So I think it is low risky to upgrade node-jquery in Buster. Cheers, Xavier unblock node-jquery/2.2.4+dfsg-4
diff --git a/debian/changelog b/debian/changelog
index aedbd29..e4608fc 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,15 @@
+node-jquery (2.2.4+dfsg-4) unstable; urgency=medium
+
+ * Team upload
+ * Add upstream/metadata
+ * Add homepage
+ * Upgrade links to https
+ * Fix prototype pollution vulnerability (Closes: #927466, CVE-2019-11358)
+ * Add patch to make the build reproducible. Thanks to Chris Lamb
+ (Closes: #886001)
+
+ -- Xavier Guimard <y...@debian.org> Tue, 23 Apr 2019 18:12:00 +0200
+
 node-jquery (2.2.4+dfsg-3) unstable; urgency=medium
 
 * Bump Standards-Version to 4.1.4 (no changes needed)
diff --git a/debian/control b/debian/control
index f7fa83b..0954117 100644
--- a/debian/control
+++ b/debian/control
@@ -17,6 +17,7 @@ Build-Depends: debhelper (>= 11~),
 Standards-Version: 4.1.4
 Vcs-Git: https://salsa.debian.org/js-team/node-jquery.git
 Vcs-Browser: https://salsa.debian.org/js-team/node-jquery
+Homepage: https://jquery.com/
 
 Package: node-jquery
 Architecture: all
diff --git a/debian/copyright b/debian/copyright
index 6d8eb44..8ea8dce 100644
--- a/debian/copyright
+++ b/debian/copyright
@@ -1,14 +1,14 @@
-Format: http://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
+Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
 Upstream-Name: jquery
 Upstream-Contact: https://github.com/jquery/jquery/issues
-Source: http://github.com/jquery/jquery
+Source: https://github.com/jquery/jquery
 Files-Excluded: dist external
 
 Files: *
 Copyright: © 2011, John Resig © 2011, The Dojo Foundation
 License: GPL-2+ or MIT
-Comment: includes Sizzle.js <http://sizzlejs.com/>, which is
+Comment: includes Sizzle.js <https://sizzlejs.com/>, which is
 © 2011, The Dojo Foundation, and is released under three licenses: GPL-2+, MIT or BSD. I'm including only the first two, since it complies with the rest of node-jquery code.
@@ -29,7 +29,7 @@ License: GPL-2+
 GNU General Public License for more details.
 .
 You should have received a copy of the GNU General Public License
- along with this program. If not, see <http://www.gnu.org/licenses/>
+ along with this program. If not, see <https://www.gnu.org/licenses/>
 .
 On Debian systems, the complete text of the GNU General Public License version 2 can be found in "/usr/share/common-licenses/GPL-2".
diff --git a/debian/patches/CVE-2019-11358.diff b/debian/patches/CVE-2019-11358.diff
new file mode 100644
index 0000000..9188a95
--- /dev/null
+++ b/debian/patches/CVE-2019-11358.diff
@@ -0,0 +1,20 @@
+Description: Fix prototype Pollution vulnerability
+Author: Michał Gołębiowski-Owczarek <https://github.com/mgol>
+Origin: upstream, https://github.com/jquery/jquery/commit/753d591aea698e57d6db58c9f722cd0808619b1b
+Bug: https://github.com/jquery/jquery/pull/4333
+Bug-Debian: https://bugs.debian.org/927385
+Forwarded: not-needed
+Reviewed-By: Xavier Guimard <y...@debian.org>
+Last-Update: 2019-04-23
+
+--- a/src/core.js
++++ b/src/core.js
+@@ -157,7 +157,7 @@
+ copy = options[ name ];
+
+ // Prevent never-ending loop
+- if ( target === copy ) {
++ if ( name === "__proto__" || target === copy ) {
+ continue;
+ }
+
diff --git a/debian/patches/reproducible-build.patch b/debian/patches/reproducible-build.patch
new file mode 100644
index 0000000..1994886
--- /dev/null
+++ b/debian/patches/reproducible-build.patch
@@ -0,0 +1,15 @@
+Description: Make the build reproducible
+Author: Chris Lamb <la...@debian.org>
+Last-Update: 2018-01-01
+
+--- a/src/intro.js
++++ b/src/intro.js
+@@ -8,8 +8,6 @@
+ * Copyright jQuery Foundation and other contributors
+ * Released under the MIT license
+ * http://jquery.org/license
+- *
+- * Date: @DATE
+ */
+
+ (function( global, factory ) {
diff --git a/debian/patches/series b/debian/patches/series
index 4b2d73e..bdd8c35 100644
--- a/debian/patches/series
+++ b/debian/patches/series
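Review bot: The DEP-3 header on the added line `+Bug-Debian: https://bugs.debian.org/927385` points at the src:jquery report, while this package's changelog closes #927466 for the same CVE, so the patch metadata and the changelog disagree about which bug the fix addresses; `Bug-Debian: https://bugs.debian.org/927466` (with #927385 kept as a cross-reference if wanted) would make `CVE-2019-11358.diff` self-describing. The code change itself is the single upstream guard `if ( name === "__proto__" || target === copy ) {` from commit 753d591 applied to src/core.js, and the rest of the jQuery.extend loop it sits in is outside the hunk. Since the patch carries no regression test, it is worth checking the built dist by hand before the unblock: run `jQuery.extend( true, {}, JSON.parse( '{"__proto__":{"polluted":true}}' ) );` and confirm that `({}).polluted` is still `undefined`.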
@@ -1,2 +1,4 @@
 skip-modules.patch
 skip-gzip-js.patch
+CVE-2019-11358.diff
+reproducible-build.patch
diff --git a/debian/upstream/metadata b/debian/upstream/metadata
new file mode 100644
index 0000000..a65a92c
--- /dev/null
+++ b/debian/upstream/metadata
@@ -0,0 +1,7 @@
+---
+Archive: GitHub
+Bug-Database: https://github.com/jquery/jquery/issues
+Contact: https://github.com/jquery/jquery/issues
+Name: jquery
+Repository: https://github.com/jquery/jquery.git
+Repository-Browse: https://github.com/jquery/jquery