Your message dated Sat, 10 Feb 2024 13:02:55 +0000
with message-id <[email protected]>
and subject line Released with 11.9
has caused the Debian Bug report #1036977,
regarding bullseye-pu: package jqueryui/1.12.1+dfsg-8+deb11u2
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1036977: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1036977
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bullseye
User: [email protected]
Usertags: pu
X-Debbugs-Cc: [email protected]
Control: affects -1 + src:jqueryui
[ Reason ]
jqueryui is potentially vulnerable to cross-site scripting
(CVE-2022-31160)
[ Impact ]
Low security issue
[ Tests ]
Sadly tests are minimal in this package. Anyway passed
[ Risks ]
Low risk, patch is trivial
[ Checklist ]
[X] *all* changes are documented in the d/changelog
[X] I reviewed all changes and I approve them
[X] attach debdiff against the package in (old)stable
[X] the issue is verified as fixed in unstable
[ Changes ]
Don't accept label outside of the root element
Cheers,
Yadd
diff --git a/debian/changelog b/debian/changelog
index 3a6a587..9b1e9cc 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+jqueryui (1.12.1+dfsg-8+deb11u2) bullseye; urgency=medium
+
+ * Team upload
+ * Checkboxradio: Don't re-evaluate text labels as HTML (Closes:
CVE-2022-31160)
+
+ -- Yadd <[email protected]> Wed, 31 May 2023 15:08:55 +0400
+
jqueryui (1.12.1+dfsg-8+deb11u1) bullseye; urgency=medium
* Team upload
diff --git a/debian/patches/CVE-2022-31160.patch
b/debian/patches/CVE-2022-31160.patch
new file mode 100644
index 0000000..11d7baa
--- /dev/null
+++ b/debian/patches/CVE-2022-31160.patch
@@ -0,0 +1,156 @@
+Description: Checkboxradio: Don't re-evaluate text labels as HTML
+Author: Michał Gołębiowski-Owczarek <[email protected]>
+Origin: upstream, https://github.com/jquery/jquery-ui/commit/8cc5bae1
+Bug:
https://github.com/jquery/jquery-ui/security/advisories/GHSA-h6gj-6jjq-h8g9
+Forwarded: not-needed
+Applied-Upstream: 1.13.2, commit:8cc5bae1
+Reviewed-By: Yadd <[email protected]>
+Last-Update: 2023-05-31
+
+--- a/tests/unit/checkboxradio/checkboxradio.html
++++ b/tests/unit/checkboxradio/checkboxradio.html
+@@ -64,6 +64,18 @@
+ <label>
+ <input type="checkbox" id="label-with-no-for"/>
+ </label>
++<label>
++ <input type="checkbox" id="label-with-no-for-with-html"/>
++ <strong>Hi</strong>, <em>I'm a label</em>
++</label>
++<label>
++ <input type="checkbox" id="label-with-no-for-with-text"/>
++ Hi, I'm a label
++</label>
++<label>
++ <input type="checkbox" id="label-with-no-for-with-html-like-text"/>
++ <em>Hi, I'm a label</em>
++</label>
+
+ <form id="form3"></form>
+ <input type="radio" name="crazy-form" id="crazy-form-1" form="form3"
checked="checked">
+--- a/tests/unit/checkboxradio/core.js
++++ b/tests/unit/checkboxradio/core.js
+@@ -135,4 +135,41 @@
+ );
+ } );
+
++QUnit.test( "Inheriting label from initial HTML", function( assert ) {
++ var tests = [
++ {
++ id: "label-with-no-for-with-html",
++ expectedLabel: "<strong>Hi</strong>, <em>I'm a
label</em>"
++ },
++ {
++ id: "label-with-no-for-with-text",
++ expectedLabel: "Hi, I'm a label"
++ },
++ {
++ id: "label-with-no-for-with-html-like-text",
++ expectedLabel: "<em>Hi, I'm a label</em>"
++ }
++ ];
++
++ assert.expect( tests.length );
++
++ tests.forEach( function( testData ) {
++ var id = testData.id;
++ var expectedLabel = testData.expectedLabel;
++ var inputElem = $( "#" + id );
++ var labelElem = inputElem.parent();
++
++ inputElem.checkboxradio( { icon: false } );
++
++ var labelWithoutInput = labelElem.clone();
++ labelWithoutInput.find( "input" ).remove();
++
++ assert.strictEqual(
++ labelWithoutInput.html().trim(),
++ expectedLabel.trim(),
++ "Label correct [" + id + "]"
++ );
++ } );
++} );
++
+ } );
+--- a/tests/unit/checkboxradio/methods.js
++++ b/tests/unit/checkboxradio/methods.js
+@@ -94,4 +94,42 @@
+ assert.strictEqual( input.parent()[ 0 ], element[ 0 ], "Input
preserved" );
+ } );
+
++QUnit.test( "Initial text label not turned to HTML on refresh", function(
assert ) {
++ var tests = [
++ {
++ id: "label-with-no-for-with-html",
++ expectedLabel: "<strong>Hi</strong>, <em>I'm a
label</em>"
++ },
++ {
++ id: "label-with-no-for-with-text",
++ expectedLabel: "Hi, I'm a label"
++ },
++ {
++ id: "label-with-no-for-with-html-like-text",
++ expectedLabel: "<em>Hi, I'm a label</em>"
++ }
++ ];
++
++ assert.expect( tests.length );
++
++ tests.forEach( function( testData ) {
++ var id = testData.id;
++ var expectedLabel = testData.expectedLabel;
++ var inputElem = $( "#" + id );
++ var labelElem = inputElem.parent();
++
++ inputElem.checkboxradio( { icon: false } );
++ inputElem.checkboxradio( "refresh" );
++
++ var labelWithoutInput = labelElem.clone();
++ labelWithoutInput.find( "input" ).remove();
++
++ assert.strictEqual(
++ labelWithoutInput.html().trim(),
++ expectedLabel.trim(),
++ "Label correct [" + id + "]"
++ );
++ } );
++} );
++
+ } );
+--- a/ui/widgets/checkboxradio.js
++++ b/ui/widgets/checkboxradio.js
+@@ -48,8 +48,7 @@
+ },
+
+ _getCreateOptions: function() {
+- var disabled, labels;
+- var that = this;
++ var disabled, labels, labelContents;
+ var options = this._super() || {};
+
+ // We read the type here, because it makes more sense to throw
a element type error first,
+@@ -69,12 +68,18 @@
+
+ // We need to get the label text but this may also need to make
sure it does not contain the
+ // input itself.
+- this.label.contents().not( this.element[ 0 ] ).each( function()
{
+-
+- // The label contents could be text, html, or a mix. We
concat each element to get a
+- // string representation of the label, without the
input as part of it.
+- that.originalLabel += this.nodeType === 3 ? $( this
).text() : this.outerHTML;
+- } );
++ // The label contents could be text, html, or a mix. We wrap
all elements
++ // and read the wrapper's `innerHTML` to get a string
representation of
++ // the label, without the input as part of it.
++ labelContents = this.label.contents().not( this.element[ 0 ] );
++
++ if ( labelContents.length ) {
++ this.originalLabel += labelContents
++ .clone()
++ .wrapAll( "<div></div>" )
++ .parent()
++ .html();
++ }
+
+ // Set the label option if we found label text
+ if ( this.originalLabel ) {
diff --git a/debian/patches/series b/debian/patches/series
index 71a6270..f06c833 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -4,3 +4,4 @@ use_system_files_in_examples.patch
CVE-2021-41182.patch
CVE-2021-41183.patch
CVE-2021-41184.patch
+CVE-2022-31160.patch
--- End Message ---
--- Begin Message ---
Version: 11.9
The upload requested in this bug has been released as part of 11.9.
--- End Message ---
