From: Ankur Tyagi <[email protected]> Details: https://nvd.nist.gov/vuln/detail/CVE-2026-46625
Signed-off-by: Ankur Tyagi <[email protected]>
---
 .../libjs-jquery-cookie/CVE-2026-46625.patch | 63 +++++++++++++++++++
 .../libjs/libjs-jquery-cookie_3.0.5.bb | 4 +-
 2 files changed, 66 insertions(+), 1 deletion(-)
 create mode 100644 meta-oe/recipes-support/libjs/libjs-jquery-cookie/CVE-2026-46625.patch
diff --git a/meta-oe/recipes-support/libjs/libjs-jquery-cookie/CVE-2026-46625.patch b/meta-oe/recipes-support/libjs/libjs-jquery-cookie/CVE-2026-46625.patch
new file mode 100644
index 0000000000..973e12fc79
--- /dev/null
+++ b/meta-oe/recipes-support/libjs/libjs-jquery-cookie/CVE-2026-46625.patch
@@ -0,0 +1,63 @@
+From 808905ea1bb4582bcfd681ba1bb8a1c1d1113b40 Mon Sep 17 00:00:00 2001
+From: Klaus Hartl <[email protected]>
+Date: Fri, 15 May 2026 11:23:44 +0200
+Subject: [PATCH] Prevent cookie attribute injection
+
+Given that we are using a `for ... in` loop for assembling a cookie's
+attributes required for writing/removing, we are vulnerable to prototype
+pollution, where an attacker might attempt to add/overwrite certain
+attributes and with that broadening access or wiping out a cookie
+altogether.
+
+Such malicious attributes input could most likely come from an object
+parsed from a JSON string; for example looking like
+'{"__proto__":{"samesite":"None"}}'.
+
+Note that at the moment we're tied to using this kind of for-loop for
+compatibility with IE 10 + 11.
+
+(cherry picked from commit eb3c40e89731e99b8970faaf35ddad249c6c0020)
+
+CVE: CVE-2026-46625
+Upstream-Status: Backport [https://github.com/js-cookie/js-cookie/commit/eb3c40e89731e99b8970faaf35ddad249c6c0020]
+Signed-off-by: Ankur Tyagi <[email protected]>
+---
+ src/assign.mjs | 1 +
+ test/tests.js | 12 ++++++++++++
+ 2 files changed, 13 insertions(+)
+
+diff --git a/src/assign.mjs b/src/assign.mjs
+index 2934ff3..a0e55f1 100644
+--- a/src/assign.mjs
++++ b/src/assign.mjs
+@@ -3,6 +3,7 @@ export default function (target) {
+ for (var i = 1; i < arguments.length; i++) {
+ var source = arguments[i]
+ for (var key in source) {
++ if (key === '__proto__') continue
+ target[key] = source[key]
+ }
+ }
+diff --git a/test/tests.js b/test/tests.js
+index da65d74..c3ab54e 100644
+--- a/test/tests.js
++++ b/test/tests.js
+@@ -489,6 +489,18 @@ QUnit.test(
+ }
+ )
+ 
++QUnit.test(
++ 'sanitization of attributes to prevent prototype pollution from untrusted input',
++ function (assert) {
++ var untrusted = JSON.parse('{"__proto__":{"foo":"bar"}}')
++ assert.strictEqual(
++ Cookies.set('c', 'v', untrusted),
++ 'c=v; path=/',
++ 'should prevent attribute-injection via prototype pollution'
++ )
++ }
++)
++
+ QUnit.module('remove', lifecycle)
+ 
+ QUnit.test('deletion', function (assert) {
diff --git a/meta-oe/recipes-support/libjs/libjs-jquery-cookie_3.0.5.bb b/meta-oe/recipes-support/libjs/libjs-jquery-cookie_3.0.5.bb
index f4e26a65fc..3740d9c16e 100644
--- a/meta-oe/recipes-support/libjs/libjs-jquery-cookie_3.0.5.bb
+++ b/meta-oe/recipes-support/libjs/libjs-jquery-cookie_3.0.5.bb
@@ -3,7 +3,9 @@ HOMEPAGE = "https://github.com/js-cookie/js-cookie"
 LICENSE = "MIT"
 LIC_FILES_CHKSUM = "file://LICENSE;md5=e16cf0e247d84f8999bf55865a9c98cf"
-SRC_URI = "git://github.com/js-cookie/js-cookie.git;protocol=https;branch=main"
+SRC_URI = "git://github.com/js-cookie/js-cookie.git;protocol=https;branch=main \
+ file://CVE-2026-46625.patch \
+"
 SRCREV = "ab3f67fc4fad88cdf07b258c08e4164e06bf7506"
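Review bot: The guard added in src/assign.mjs, `if (key === '__proto__') continue`, skips only the literal `__proto__` key, while the surrounding `for (var key in source)` loop still copies every enumerable property that `source` inherits, so an attributes object whose own prototype chain was tampered with before it reached `assign` would still contribute attributes to `target`. An IE10/11-compatible tightening is `if (key === '__proto__' || !Object.prototype.hasOwnProperty.call(source, key)) continue`, though it would also drop attributes a caller deliberately supplies through a prototype chain, so it needs checking against existing users of `assign` before it is backported. The new QUnit test exercises only `Cookies.set`; since the commit message names cookie removal as an impact too, a matching assertion on `Cookies.remove('c', untrusted)` would pin that path as well. The function in assign.mjs continues past the end of the hunk, so its closing lines are not visible here.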
