Package: release.debian.org
Severity: normal
Tags: bullseye
User: [email protected]
Usertags: pu
X-Debbugs-Cc: [email protected]

[ Reason ]
Jquery-UI is the official jQuery user interface library. Prior to version
1.13.0, accepting the value of the `of` option of the `.position()` util from
untrusted sources may execute untrusted code. The issue is fixed in jQuery UI
1.13.0. Any string value passed to the `of` option is now treated as a CSS
selector. A workaround is to not accept the value of the `of` option from
untrusted sources. (CVE-2021-41184)

[ Impact ]
Medium security issue

[ Tests ]
No test launched for this package.

[ Risks ]
Low risk, patch is trivial

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

[ Changes ]
Just a security check

Cheers,
Yadd
diff --git a/debian/changelog b/debian/changelog index e137315..48b298f 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +jqueryui (1.12.1+dfsg-8+deb11u1) bullseye; urgency=medium + + * Team upload + * Make sure `of` is treated as a CSS selector (Closes: CVE-2021-41184) + + -- Yadd <[email protected]> Mon, 08 Nov 2021 11:00:00 +0100 + jqueryui (1.12.1+dfsg-8) unstable; urgency=medium * Team upload diff --git a/debian/patches/CVE-2021-41184.patch b/debian/patches/CVE-2021-41184.patch new file mode 100644 index 0000000..112a288 --- /dev/null +++ b/debian/patches/CVE-2021-41184.patch @@ -0,0 +1,23 @@ +Description: Make sure `of` is treated as a CSS selector (Closes: CVE-2021-41184) + fix "option of the `.position()` util from untrusted sources may execute untrusted code" +Author: Michał Gołębiowski-Owczarek <[email protected]> +Origin: upstream, https://github.com/jquery/jquery-ui/commit/effa323f +Bug: https://github.com/jquery/jquery-ui/security/advisories/GHSA-gpqq-952q-5327 +Forwarded: not-needed +Reviewed-By: Yadd <[email protected]> +Last-Update: 2021-11-08 + +--- a/ui/position.js ++++ b/ui/position.js +@@ -144,7 +144,10 @@ + options = $.extend( {}, options ); + + var atOffset, targetWidth, targetHeight, targetOffset, basePosition, dimensions, +- target = $( options.of ), ++ // Make sure string options are treated as CSS selectors ++ target = typeof options.of === "string" ? ++ $( document ).find( options.of ) : ++ $( options.of ), + within = $.position.getWithinInfo( options.within ), + scrollInfo = $.position.getScrollInfo( within ), + collision = ( options.collision || "flip" ).split( " " ), diff --git a/debian/patches/series b/debian/patches/series index a1fcccd..b2738aa 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -1,3 +1,4 @@ add_missing_semicolon.patch match_css_source_to_release.patch use_system_files_in_examples.patch +CVE-2021-41184.patch
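Review bot: `(Closes: CVE-2021-41184)` in the debian/changelog entry will not be acted on by the BTS, which only recognises bug numbers in a Closes field; reference the CVE as plain text and, if a Debian bug is filed for it, close that number instead, e.g. `* Make sure `of` is treated as a CSS selector (CVE-2021-41184) (Closes: #NNNNNN)` with the real bug number in place of the placeholder. The same `(Closes: CVE-...)` wording is repeated in the Description line of the new patch file and would be better phrased the same way there.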
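Review bot: the embedded ui/position.js hunk is a behaviour change for callers that passed an HTML fragment string as `of`: `$( options.of )` parsed such a string into elements, whereas `$( document ).find( options.of )` treats every string as a selector, so an HTML string will now raise a selector syntax error instead of positioning against the created element. Because this goes to stable, consider a debian/NEWS entry or a changelog line stating that string `of` values are selectors only, matching the upstream advisory wording quoted under [ Reason ]; the DEP-3 headers (Origin: upstream with Forwarded: not-needed, Bug pointing at the GHSA) are otherwise consistent.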
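Since the request notes that no test was run, here is a small POSIX shell check, added here and not part of the bug report or of the jqueryui package, that a maintainer can point at an unminified position.js to confirm the hunk above is present; the before/after snippets are constructed from the hunk as sample input, and the install path mentioned in the comments is an assumption.

```shell
#!/bin/sh
# Added example (not from the bug report or the jqueryui package): verify that a
# copy of jQuery UI's position.js carries the CVE-2021-41184 fix shown in the
# debdiff above. It only understands unminified sources; the installed path
# under /usr/share/javascript/jquery-ui/ is an assumption, not taken from the page.

# Exit status: 0 = fixed form found, 1 = pre-1.13 form found, 2 = neither.
check_position_js() {
    file="$1"
    if grep -q 'typeof options.of === "string"' "$file" &&
       grep -q 'document ).find( options.of )' "$file"; then
        return 0
    elif grep -q 'target = \$( options.of ),' "$file"; then
        return 1
    else
        return 2
    fi
}

# Print a one-line verdict for a file and pass its status through.
report() {
    rc=0
    check_position_js "$1" || rc=$?
    case $rc in
        0) echo "$1: fixed (string 'of' values go through \$( document ).find())" ;;
        1) echo "$1: VULNERABLE (string 'of' values are passed straight to \$())" ;;
        *) echo "$1: pattern not found (minified build or different version?)" ;;
    esac
    return $rc
}

# Constructed before/after snippets, copied from the hunk, used as sample input.
tmpdir=$(mktemp -d)
cat > "$tmpdir/before.js" <<'EOF'
    var atOffset, targetWidth, targetHeight, targetOffset, basePosition, dimensions,
        target = $( options.of ),
        within = $.position.getWithinInfo( options.within ),
EOF
cat > "$tmpdir/after.js" <<'EOF'
    var atOffset, targetWidth, targetHeight, targetOffset, basePosition, dimensions,
        // Make sure string options are treated as CSS selectors
        target = typeof options.of === "string" ?
            $( document ).find( options.of ) :
            $( options.of ),
        within = $.position.getWithinInfo( options.within ),
EOF

for f in "$tmpdir/before.js" "$tmpdir/after.js"; do
    report "$f" || true
done
```

Run it against the real file with `report /path/to/jquery-ui.js` after sourcing the script; a non-zero status means the shipped copy still has the pre-fix lookup or could not be classified.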

