-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Hello.
I've prepared a security update for dojo. Please review and upload. The debdiff is attached. It's a trivial patch to escape quotes. Thanks Abhijith PA -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEE7xPqJqaY/zX9fJAuhj1N8u2cKO8FAluM38kACgkQhj1N8u2c KO+pjQ/8D3qvrnlOKZUrZPZK7/4LNzTcegAhAe2ojW5gLagw2TbtTWxxcgYh3mTw dR5WYQXLO9A83yrFHfTn2aLwufxFS5qXyQ8gDOw3bcjQFMqVFM3m3MUy6bFs82EW UUS9i18a+HaTFB3bpMJZOiwtfSlIROueYSdl4k8LyMGSUqGwYB2xeYyNNjUuJ6yp CmRPt4QXAdZmfeFolrJzshiBzuLsQVkeYoyBbzzRN0O8ra9iXKfg/hrVm7ChKsa9 bQkzgKVqSlb5kQviF1zlEkoOHVF8FBvxgPacO7gKdMFDlhrXGsvb5svp5vRtpYom oQQ9ruWdBOKz9UtzrTnVYyhWEziYPYUv0iKhzG+fR+kVN8YEXGvvx09FUQ6tzEXu jBHixdiGdJUPCAEwyj7RGG7+WXlXeONL0lgnKrUd0i2SFDjWLKyZGCIVnyN3XKzt eUruY3j3kuO1TDhugmigzeM/0mxQWVWTq8YbmB1xf8/MifakRNRxhvYxrm7N5pdD zeybMV/PVlxEl8TkWC5KmkGWAH/issM8LCOJFIgBAgCTGpWUOIlAJPUArp0evGYA a/Rb9D4YzuRDPhles+qxTGCqKsGCgFVV2Q5oHrwxbAVxEC2Um9FFbLgH0LSPMgQA vKrCMIIHL0m//Q65fLNI2RYeK7noJYM2Lm9VoPIsU1QmbkWhusQ= =vMWk -----END PGP SIGNATURE-----
diff -Nru dojo-1.10.2+dfsg/debian/changelog dojo-1.10.2+dfsg/debian/changelog
--- dojo-1.10.2+dfsg/debian/changelog 2014-10-20 18:38:48.000000000 +0200
+++ dojo-1.10.2+dfsg/debian/changelog 2018-09-03 08:47:12.000000000 +0200
@@ -1,3 +1,11 @@
+dojo (1.10.2+dfsg-1+deb8u1) jessie-security; urgency=medium
+
+ * Non-maintainer upload by the Debian LTS Team
+ * Fix CVE-2018-15494: unescaped string injection in dojox/Grid/DataGrid
+ (Closes: #906540)
+
+ -- Abhijith PA <[email protected]> Mon, 03 Sep 2018 12:17:12 +0530
+
 dojo (1.10.2+dfsg-1) unstable; urgency=medium
 [ Colin Snover ]
diff -Nru dojo-1.10.2+dfsg/debian/patches/CVE-2018-15494.patch dojo-1.10.2+dfsg/debian/patches/CVE-2018-15494.patch
--- dojo-1.10.2+dfsg/debian/patches/CVE-2018-15494.patch 1970-01-01 01:00:00.000000000 +0100
+++ dojo-1.10.2+dfsg/debian/patches/CVE-2018-15494.patch 2018-09-03 08:47:12.000000000 +0200
@@ -0,0 +1,22 @@
+Description: CVE-2018-15494
+ Escape the quotes to avoid injection in dojox/Grid/DataGrid.
+
+---
+Author: Abhijith PA <[email protected]>
+Origin: https://github.com/dojo/dojox/pull/283/files/e92ee87750af8fbc7e474bb8e8661821aa9f88fa
+Bug-Debian: https://bugs.debian.org/906540
+Last-Update: 2018-09-03
+
+--- dojo-1.10.2+dfsg.orig/dojox/grid/cells/_base.js
++++ dojo-1.10.2+dfsg/dojox/grid/cells/_base.js
+@@ -329,6 +329,10 @@ define([
+ keyFilter: null,
+ formatEditing: function(inDatum, inRowIndex){
+ this.needFormatNode(inDatum, inRowIndex);
++ if (inDatum && inDatum.replace) {
++ // escape quotes to avoid XSS
++ inDatum = inDatum.replace(/"/g, '"')
++ }
+ return '<input class="dojoxGridInput" type="text" value="' + inDatum + '">';
+ },
+ formatNode: function(inNode, inDatum, inRowIndex){
diff -Nru dojo-1.10.2+dfsg/debian/patches/series dojo-1.10.2+dfsg/debian/patches/series
--- dojo-1.10.2+dfsg/debian/patches/series 2014-10-20 18:33:56.000000000 +0200
+++ dojo-1.10.2+dfsg/debian/patches/series 2018-09-03 08:47:12.000000000 +0200
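Review bot: The added line `inDatum = inDatum.replace(/"/g, '"')` in the nested _base.js hunk reads, as shown here, as replacing a double quote with a double quote, which would be a no-op and leave the attribute breakout unfixed; the upstream change presumably writes the entity `&quot;` and the rendering of this mail may have decoded it, so the patch file shipped in the package should be checked to contain the literal entity text. Only `"` is handled, so an `&` in the datum is emitted raw and a stored value such as `&quot;` is decoded by the browser when the cell is edited; the conventional escape for an attribute context covers all four characters, e.g. `inDatum = inDatum.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;').replace(/"/g, '&quot;');` inside the existing guard. The added assignment also lacks the trailing semicolon its neighbouring lines use. formatEditing is a member of an object literal whose start and end lie outside the hunk.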
@@ -1 +1,2 @@
 0001-Use-nodejs-instead-of-node.patch
+CVE-2018-15494.patch
