Package: release.debian.org Severity: normal Tags: buster User: release.debian....@packages.debian.org Usertags: pu
Hi, dojo is vulnerable to Cross-site Scripting. This is due to dojox.xmpp.util.xmlEncode only encoding the first occurrence of each character, not all of them. This upstream patch fixes this issue Cheers, Xavier
diff --git a/debian/changelog b/debian/changelog index 14447b52..0e5dc462 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +dojo (1.15.0+dfsg1-1+deb10u1) buster; urgency=medium + + * Team upload + * Cleanup improper regex usage (Closes: #952771, 2019, 10785) + + -- Xavier Guimard <y...@debian.org> Sat, 29 Feb 2020 09:07:02 +0100 + dojo (1.15.0+dfsg1-1) unstable; urgency=medium * New upstream version : diff --git a/debian/patches/CVE-2019-10785.patch b/debian/patches/CVE-2019-10785.patch new file mode 100644 index 00000000..67ab40f2 --- /dev/null +++ b/debian/patches/CVE-2019-10785.patch @@ -0,0 +1,45 @@ +Description: Cleanup improper regex usage +Author: Paul <p...@sitepen.com> +Origin: upstream, https://github.com/dojo/dojox/pull/317 +Bug: https://github.com/dojo/dojox/pull/315 +Bug-Debian: https://bugs.debian.org/952771 +Forwarded: not-needed +Reviewed-By: Xavier Guimard <y...@debian.org> +Last-Update: 2020-02-29 + +--- a/dojox/dtl/dom.js ++++ b/dojox/dtl/dom.js +@@ -94,7 +94,7 @@ define([ + var replacement = ""; + for(var p = 2, pl = pair.length; p < pl; p++){ + if(p == 2){ +- replacement += "<" + tag + ' dtlinstruction="{% ' + token[k].replace('"', '\\"') + ' %}">'; ++ replacement += "<" + tag + ' dtlinstruction="{% ' + token[k].replace(/"/g, '\\"') + ' %}">'; + }else if(tag == pair[p]) { + continue; + }else{ +--- a/dojox/widget/RollingList.js ++++ b/dojox/widget/RollingList.js +@@ -1050,7 +1050,7 @@ dojo.declare("dojox.widget.RollingList", + widgetItem.store = this.store; + widgetItem.item = item; + if(!widgetItem.label){ +- widgetItem.attr("label", this.store.getLabel(item).replace(/</,"<")); ++ widgetItem.attr("label", this.store.getLabel(item).replace(/</g,"<")); + } + if(widgetItem.focusNode){ + var self = this; +--- a/dojox/xmpp/util.js ++++ b/dojox/xmpp/util.js +@@ -3,10 +3,7 @@ dojo.require("dojox.string.Builder"); + dojo.require("dojox.encoding.base64"); + + dojox.xmpp.util.xmlEncode = function(str) { +- if(str) { +- str = str.replace("&", "&").replace(">", ">").replace("<", "<").replace("'", "'").replace('"', """); +- } +- return str; ++ return dojo.string.escape(str); + }; + + dojox.xmpp.util.encodeJid = function(jid) { diff --git a/debian/patches/series b/debian/patches/series index f39e7f29..6051ed59 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -1,3 +1,4 @@ 0001-Compatibility-patch-for-newer-rhino.patch 0002-Do-notrun-test-suite-in-build.patch 0003-Disable-flash-storage.patch +#CVE-2019-10785.patch
-- Pkg-javascript-devel mailing list Pkg-javascript-devel@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel