Bug#1036977: bullseye-pu: package jqueryui/1.12.1+dfsg-8+deb11u2

2023-10-08 Thread Yadd

On 10/8/23 16:04, Jonathan Wiltshire wrote:

Hi,

This request was approved but not uploaded in time for the previous point
release (11.8). Should it be included in 11.9, or should this request be
abandoned and closed?


Sorry, I was travelling. I just pushed the update.

Thanks!



Bug#1036977: bullseye-pu: package jqueryui/1.12.1+dfsg-8+deb11u2

2023-10-08 Thread Jonathan Wiltshire
Hi,

This request was approved but not uploaded in time for the previous point
release (11.8). Should it be included in 11.9, or should this request be
abandoned and closed?

-- 
Jonathan Wiltshire  j...@debian.org
Debian Developer http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51
ed25519/0x196418AAEB74C8A1: CA619D65A72A7BADFC96D280196418AAEB74C8A1



Bug#1036977: bullseye-pu: package jqueryui/1.12.1+dfsg-8+deb11u2

2023-06-17 Thread Adam D. Barratt
Control: tags -1 + confirmed

On Wed, 2023-05-31 at 15:13 +0400, Yadd wrote:
> jqueryui is potentially vulnerable to cross-site scripting
> (CVE-2022-31160)
> 

Please go ahead.

Regards,

Adam



Bug#1036977: bullseye-pu: package jqueryui/1.12.1+dfsg-8+deb11u2

2023-05-31 Thread Yadd

On 5/31/23 23:30, Salvatore Bonaccorso wrote:

Hi Yadd,

On Wed, May 31, 2023 at 03:13:06PM +0400, Yadd wrote:

Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: jquer...@packages.debian.org
Control: affects -1 + src:jqueryui

[ Reason ]
jqueryui is potentially vulnerable to cross-site scripting
(CVE-2022-31160)

[ Impact ]
Low security issue

[ Tests ]
Sadly, tests are minimal in this package. Anyway, they passed.

[ Risks ]
Low risk, the patch is trivial.

[ Checklist ]
   [X] *all* changes are documented in the d/changelog
   [X] I reviewed all changes and I approve them
   [X] attach debdiff against the package in (old)stable
   [X] the issue is verified as fixed in unstable

[ Changes ]
Don't accept a label outside of the root element.

Cheers,
Yadd



diff --git a/debian/changelog b/debian/changelog
index 3a6a587..9b1e9cc 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+jqueryui (1.12.1+dfsg-8+deb11u2) bullseye; urgency=medium
+
+  * Team upload
+  * Checkboxradio: Don't re-evaluate text labels as HTML (Closes: 
CVE-2022-31160)
+
+ -- Yadd   Wed, 31 May 2023 15:08:55 +0400


Minor thing: you could also close #1015982 with the upload.


Hi,

sure, here is the new debdiff
diff --git a/debian/changelog b/debian/changelog
index 3a6a587..dc02159 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+jqueryui (1.12.1+dfsg-8+deb11u2) bullseye; urgency=medium
+
+  * Team upload
+  * Checkboxradio: Don't re-evaluate text labels as HTML
+(Closes: #1015982, CVE-2022-31160)
+
+ -- Yadd   Thu, 01 Jun 2023 06:50:09 +0400
+
 jqueryui (1.12.1+dfsg-8+deb11u1) bullseye; urgency=medium
 
   * Team upload
diff --git a/debian/patches/CVE-2022-31160.patch 
b/debian/patches/CVE-2022-31160.patch
new file mode 100644
index 000..8f5238d
--- /dev/null
+++ b/debian/patches/CVE-2022-31160.patch
@@ -0,0 +1,157 @@
+Description: Checkboxradio: Don't re-evaluate text labels as HTML
+Author: Michał Gołębiowski-Owczarek 
+Origin: upstream, https://github.com/jquery/jquery-ui/commit/8cc5bae1
+Bug: 
https://github.com/jquery/jquery-ui/security/advisories/GHSA-h6gj-6jjq-h8g9
+Bug-Debian: https://bugs.debian.org/1015982
+Forwarded: not-needed
+Applied-Upstream: 1.13.2, commit:8cc5bae1
+Reviewed-By: Yadd 
+Last-Update: 2023-05-31
+
+--- a/tests/unit/checkboxradio/checkboxradio.html
 b/tests/unit/checkboxradio/checkboxradio.html
+@@ -64,6 +64,18 @@
+ 
+   
+ 
++
++  
++  Hi, I'm a label
++
++
++  
++  Hi, I'm a label
++
++
++  
++  emHi, I'm a label/em
++
+ 
+ 
+ 
+--- a/tests/unit/checkboxradio/core.js
 b/tests/unit/checkboxradio/core.js
+@@ -135,4 +135,41 @@
+   );
+ } );
+ 
++QUnit.test( "Inheriting label from initial HTML", function( assert ) {
++  var tests = [
++  {
++  id: "label-with-no-for-with-html",
++  expectedLabel: "Hi, I'm a 
label"
++  },
++  {
++  id: "label-with-no-for-with-text",
++  expectedLabel: "Hi, I'm a label"
++  },
++  {
++  id: "label-with-no-for-with-html-like-text",
++  expectedLabel: "emHi, I'm a label/em"
++  }
++  ];
++
++  assert.expect( tests.length );
++
++  tests.forEach( function( testData ) {
++  var id = testData.id;
++  var expectedLabel = testData.expectedLabel;
++  var inputElem = $( "#" + id );
++  var labelElem = inputElem.parent();
++
++  inputElem.checkboxradio( { icon: false } );
++
++  var labelWithoutInput = labelElem.clone();
++  labelWithoutInput.find( "input" ).remove();
++
++  assert.strictEqual(
++  labelWithoutInput.html().trim(),
++  expectedLabel.trim(),
++  "Label correct [" + id + "]"
++  );
++  } );
++} );
++
+ } );
+--- a/tests/unit/checkboxradio/methods.js
 b/tests/unit/checkboxradio/methods.js
+@@ -94,4 +94,42 @@
+   assert.strictEqual( input.parent()[ 0 ], element[ 0 ], "Input 
preserved" );
+ } );
+ 
++QUnit.test( "Initial text label not turned to HTML on refresh", function( 
assert ) {
++  var tests = [
++  {
++  id: "label-with-no-for-with-html",
++  expectedLabel: "Hi, I'm a 
label"
++  },
++  {
++  id: "label-with-no-for-with-text",
++  expectedLabel: "Hi, I'm a label"
++  },
++  {
++  id: "label-with-no-for-with-html-like-text",
++  expectedLabel: "emHi, I'm a label/em"
++  }
++  ];
++
++  assert.expect( tests.length );
++
++  tests.forEach( function( testData ) {
++  var id = testData.id;
++  var 

Bug#1036977: bullseye-pu: package jqueryui/1.12.1+dfsg-8+deb11u2

2023-05-31 Thread Salvatore Bonaccorso
Hi Yadd,

On Wed, May 31, 2023 at 03:13:06PM +0400, Yadd wrote:
> Package: release.debian.org
> Severity: normal
> Tags: bullseye
> User: release.debian@packages.debian.org
> Usertags: pu
> X-Debbugs-Cc: jquer...@packages.debian.org
> Control: affects -1 + src:jqueryui
> 
> [ Reason ]
> jqueryui is potentially vulnerable to cross-site scripting
> (CVE-2022-31160)
> 
> [ Impact ]
> Low security issue
> 
> [ Tests ]
> Sadly, tests are minimal in this package. Anyway, they passed.
> 
> [ Risks ]
> Low risk, the patch is trivial.
> 
> [ Checklist ]
>   [X] *all* changes are documented in the d/changelog
>   [X] I reviewed all changes and I approve them
>   [X] attach debdiff against the package in (old)stable
>   [X] the issue is verified as fixed in unstable
> 
> [ Changes ]
> Don't accept a label outside of the root element.
> 
> Cheers,
> Yadd

> diff --git a/debian/changelog b/debian/changelog
> index 3a6a587..9b1e9cc 100644
> --- a/debian/changelog
> +++ b/debian/changelog
> @@ -1,3 +1,10 @@
> +jqueryui (1.12.1+dfsg-8+deb11u2) bullseye; urgency=medium
> +
> +  * Team upload
> +  * Checkboxradio: Don't re-evaluate text labels as HTML (Closes: 
> CVE-2022-31160)
> +
> + -- Yadd   Wed, 31 May 2023 15:08:55 +0400

Minor thing: you could also close #1015982 with the upload.

Regards,
Salvatore



Bug#1036977: bullseye-pu: package jqueryui/1.12.1+dfsg-8+deb11u2

2023-05-31 Thread Yadd
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: jquer...@packages.debian.org
Control: affects -1 + src:jqueryui

[ Reason ]
jqueryui is potentially vulnerable to cross-site scripting
(CVE-2022-31160)

[ Impact ]
Low security issue

[ Tests ]
Sadly, tests are minimal in this package. Anyway, they passed.

[ Risks ]
Low risk, the patch is trivial.

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

[ Changes ]
Don't accept a label outside of the root element.

Cheers,
Yadd
diff --git a/debian/changelog b/debian/changelog
index 3a6a587..9b1e9cc 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+jqueryui (1.12.1+dfsg-8+deb11u2) bullseye; urgency=medium
+
+  * Team upload
+  * Checkboxradio: Don't re-evaluate text labels as HTML (Closes: 
CVE-2022-31160)
+
+ -- Yadd   Wed, 31 May 2023 15:08:55 +0400
+
 jqueryui (1.12.1+dfsg-8+deb11u1) bullseye; urgency=medium
 
   * Team upload
diff --git a/debian/patches/CVE-2022-31160.patch 
b/debian/patches/CVE-2022-31160.patch
new file mode 100644
index 000..11d7baa
--- /dev/null
+++ b/debian/patches/CVE-2022-31160.patch
@@ -0,0 +1,156 @@
+Description: Checkboxradio: Don't re-evaluate text labels as HTML
+Author: Michał Gołębiowski-Owczarek 
+Origin: upstream, https://github.com/jquery/jquery-ui/commit/8cc5bae1
+Bug: 
https://github.com/jquery/jquery-ui/security/advisories/GHSA-h6gj-6jjq-h8g9
+Forwarded: not-needed
+Applied-Upstream: 1.13.2, commit:8cc5bae1
+Reviewed-By: Yadd 
+Last-Update: 2023-05-31
+
+--- a/tests/unit/checkboxradio/checkboxradio.html
 b/tests/unit/checkboxradio/checkboxradio.html
+@@ -64,6 +64,18 @@
+ 
+   
+ 
++
++  
++  Hi, I'm a label
++
++
++  
++  Hi, I'm a label
++
++
++  
++  emHi, I'm a label/em
++
+ 
+ 
+ 
+--- a/tests/unit/checkboxradio/core.js
 b/tests/unit/checkboxradio/core.js
+@@ -135,4 +135,41 @@
+   );
+ } );
+ 
++QUnit.test( "Inheriting label from initial HTML", function( assert ) {
++  var tests = [
++  {
++  id: "label-with-no-for-with-html",
++  expectedLabel: "Hi, I'm a 
label"
++  },
++  {
++  id: "label-with-no-for-with-text",
++  expectedLabel: "Hi, I'm a label"
++  },
++  {
++  id: "label-with-no-for-with-html-like-text",
++  expectedLabel: "emHi, I'm a label/em"
++  }
++  ];
++
++  assert.expect( tests.length );
++
++  tests.forEach( function( testData ) {
++  var id = testData.id;
++  var expectedLabel = testData.expectedLabel;
++  var inputElem = $( "#" + id );
++  var labelElem = inputElem.parent();
++
++  inputElem.checkboxradio( { icon: false } );
++
++  var labelWithoutInput = labelElem.clone();
++  labelWithoutInput.find( "input" ).remove();
++
++  assert.strictEqual(
++  labelWithoutInput.html().trim(),
++  expectedLabel.trim(),
++  "Label correct [" + id + "]"
++  );
++  } );
++} );
++
+ } );
+--- a/tests/unit/checkboxradio/methods.js
 b/tests/unit/checkboxradio/methods.js
+@@ -94,4 +94,42 @@
+   assert.strictEqual( input.parent()[ 0 ], element[ 0 ], "Input 
preserved" );
+ } );
+ 
++QUnit.test( "Initial text label not turned to HTML on refresh", function( 
assert ) {
++  var tests = [
++  {
++  id: "label-with-no-for-with-html",
++  expectedLabel: "Hi, I'm a 
label"
++  },
++  {
++  id: "label-with-no-for-with-text",
++  expectedLabel: "Hi, I'm a label"
++  },
++  {
++  id: "label-with-no-for-with-html-like-text",
++  expectedLabel: "emHi, I'm a label/em"
++  }
++  ];
++
++  assert.expect( tests.length );
++
++  tests.forEach( function( testData ) {
++  var id = testData.id;
++  var expectedLabel = testData.expectedLabel;
++  var inputElem = $( "#" + id );
++  var labelElem = inputElem.parent();
++
++  inputElem.checkboxradio( { icon: false } );
++  inputElem.checkboxradio( "refresh" );
++
++  var labelWithoutInput = labelElem.clone();
++  labelWithoutInput.find( "input" ).remove();
++
++  assert.strictEqual(
++  labelWithoutInput.html().trim(),
++  expectedLabel.trim(),
++  "Label correct [" + id + "]"
++  );
++  } );
++} );
++
+ } );
+---