Bug#1036977: bullseye-pu: package jqueryui/1.12.1+dfsg-8+deb11u2
On 10/8/23 16:04, Jonathan Wiltshire wrote:
> Hi,
>
> This request was approved but not uploaded in time for the previous point release (11.8). Should it be included in 11.9, or should this request be abandoned and closed?

Sorry, I was travelling. I just pushed the update. Thanks!
Bug#1036977: bullseye-pu: package jqueryui/1.12.1+dfsg-8+deb11u2
Hi,

This request was approved but not uploaded in time for the previous point release (11.8). Should it be included in 11.9, or should this request be abandoned and closed?

--
Jonathan Wiltshire j...@debian.org
Debian Developer http://people.debian.org/~jmw
4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC 74C3 5394 479D D352 4C51
ed25519/0x196418AAEB74C8A1: CA619D65A72A7BADFC96D280196418AAEB74C8A1
Bug#1036977: bullseye-pu: package jqueryui/1.12.1+dfsg-8+deb11u2
Control: tags -1 + confirmed

On Wed, 2023-05-31 at 15:13 +0400, Yadd wrote:
> jqueryui is potentially vulnerable to cross-site scripting
> (CVE-2022-31160)
>

Please go ahead.

Regards,
Adam
Bug#1036977: bullseye-pu: package jqueryui/1.12.1+dfsg-8+deb11u2
On 5/31/23 23:30, Salvatore Bonaccorso wrote: Hi Yadd, On Wed, May 31, 2023 at 03:13:06PM +0400, Yadd wrote: Package: release.debian.org Severity: normal Tags: bullseye User: release.debian@packages.debian.org Usertags: pu X-Debbugs-Cc: jquer...@packages.debian.org Control: affects -1 + src:jqueryui [ Reason ] jqueryui is potentially vulnerable to cross-site scripting (CVE-2022-31160) [ Impact ] Low security issue [ Tests ] Sadly tests are minimal in this package. Anyway passed [ Risks ] Low risk, patch is trivial [ Checklist ] [X] *all* changes are documented in the d/changelog [X] I reviewed all changes and I approve them [X] attach debdiff against the package in (old)stable [X] the issue is verified as fixed in unstable [ Changes ] Don't accept label outside of the root element Cheers, Yadd diff --git a/debian/changelog b/debian/changelog index 3a6a587..9b1e9cc 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +jqueryui (1.12.1+dfsg-8+deb11u2) bullseye; urgency=medium + + * Team upload + * Checkboxradio: Don't re-evaluate text labels as HTML (Closes: CVE-2022-31160) + + -- Yadd Wed, 31 May 2023 15:08:55 +0400 Minor thing, you could as well close #1015982 with the upload. Hi, sure, here is the new debdiffdiff --git a/debian/changelog b/debian/changelog index 3a6a587..dc02159 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,11 @@ +jqueryui (1.12.1+dfsg-8+deb11u2) bullseye; urgency=medium + + * Team upload + * Checkboxradio: Don't re-evaluate text labels as HTML +(Closes: #1015982, CVE-2022-31160) + + -- Yadd Thu, 01 Jun 2023 06:50:09 +0400 + jqueryui (1.12.1+dfsg-8+deb11u1) bullseye; urgency=medium * Team upload diff --git a/debian/patches/CVE-2022-31160.patch b/debian/patches/CVE-2022-31160.patch new file mode 100644 index 000..8f5238d --- /dev/null +++ b/debian/patches/CVE-2022-31160.patch 
@@ -0,0 +1,157 @@ +Description: Checkboxradio: Don't re-evaluate text labels as HTML +Author: Michał Gołębiowski-Owczarek +Origin: upstream, https://github.com/jquery/jquery-ui/commit/8cc5bae1 +Bug: https://github.com/jquery/jquery-ui/security/advisories/GHSA-h6gj-6jjq-h8g9 +Bug-Debian: https://bugs.debian.org/1015982 +Forwarded: not-needed +Applied-Upstream: 1.13.2, commit:8cc5bae1 +Reviewed-By: Yadd +Last-Update: 2023-05-31 + +--- a/tests/unit/checkboxradio/checkboxradio.html b/tests/unit/checkboxradio/checkboxradio.html +@@ -64,6 +64,18 @@ + + + ++ ++ ++ Hi, I'm a label ++ ++ ++ ++ Hi, I'm a label ++ ++ ++ ++ emHi, I'm a label/em ++ + + + +--- a/tests/unit/checkboxradio/core.js b/tests/unit/checkboxradio/core.js +@@ -135,4 +135,41 @@ + ); + } ); + ++QUnit.test( "Inheriting label from initial HTML", function( assert ) { ++ var tests = [ ++ { ++ id: "label-with-no-for-with-html", ++ expectedLabel: "Hi, I'm a label" ++ }, ++ { ++ id: "label-with-no-for-with-text", ++ expectedLabel: "Hi, I'm a label" ++ }, ++ { ++ id: "label-with-no-for-with-html-like-text", ++ expectedLabel: "emHi, I'm a label/em" ++ } ++ ]; ++ ++ assert.expect( tests.length ); ++ ++ tests.forEach( function( testData ) { ++ var id = testData.id; ++ var expectedLabel = testData.expectedLabel; ++ var inputElem = $( "#" + id ); ++ var labelElem = inputElem.parent(); ++ ++ inputElem.checkboxradio( { icon: false } ); ++ ++ var labelWithoutInput = labelElem.clone(); ++ labelWithoutInput.find( "input" ).remove(); ++ ++ assert.strictEqual( ++ labelWithoutInput.html().trim(), ++ expectedLabel.trim(), ++ "Label correct [" + id + "]" ++ ); ++ } ); ++} ); ++ + } ); +--- a/tests/unit/checkboxradio/methods.js b/tests/unit/checkboxradio/methods.js +@@ -94,4 +94,42 @@ + assert.strictEqual( input.parent()[ 0 ], element[ 0 ], "Input preserved" ); + } ); + ++QUnit.test( "Initial text label not turned to HTML on refresh", function( assert ) { ++ var tests = [ ++ { ++ id: "label-with-no-for-with-html", ++ 
expectedLabel: "Hi, I'm a label" ++ }, ++ { ++ id: "label-with-no-for-with-text", ++ expectedLabel: "Hi, I'm a label" ++ }, ++ { ++ id: "label-with-no-for-with-html-like-text", ++ expectedLabel: "emHi, I'm a label/em" ++ } ++ ]; ++ ++ assert.expect( tests.length ); ++ ++ tests.forEach( function( testData ) { ++ var id = testData.id; ++ var
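Review bot: in the changelog hunk the continuation of the `* Checkboxradio:` item is rendered as `+(Closes: #1015982, CVE-2022-31160)` with no leading whitespace. If that is a real line break in debian/changelog rather than wrapping done by the mail client, dpkg-parsechangelog will not treat the line as part of the item (continuation lines need the usual leading spaces) and the bug will not be closed by the upload; worth confirming in the uploaded source, since the first debdiff kept the item on one line.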
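Review bot: the CVE-2022-31160.patch hunk breaks off inside the tests/unit/checkboxradio/methods.js test, and everything visible up to that point (the checkboxradio.html fixtures, core.js, methods.js) is test code; the change to the widget source that actually stops labels being re-evaluated as HTML is not shown, although the `@@ -0,0 +1,157 @@` header accounts for more lines than appear here. Confirm against the Origin commit 8cc5bae1 that the source change is in the file, and that the third fixture's expected label, rendered here as `emHi, I'm a label/em` with its angle brackets lost, is in the escaped form that the test name ("Initial text label not turned to HTML on refresh") requires.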
Bug#1036977: bullseye-pu: package jqueryui/1.12.1+dfsg-8+deb11u2
Hi Yadd, On Wed, May 31, 2023 at 03:13:06PM +0400, Yadd wrote: > Package: release.debian.org > Severity: normal > Tags: bullseye > User: release.debian@packages.debian.org > Usertags: pu > X-Debbugs-Cc: jquer...@packages.debian.org > Control: affects -1 + src:jqueryui > > [ Reason ] > jqueryui is potentially vulnerable to cross-site scripting > (CVE-2022-31160) > > [ Impact ] > Low security issue > > [ Tests ] > Sadly tests are minimal in this package. Anyway passed > > [ Risks ] > Low risk, patch is trivial > > [ Checklist ] > [X] *all* changes are documented in the d/changelog > [X] I reviewed all changes and I approve them > [X] attach debdiff against the package in (old)stable > [X] the issue is verified as fixed in unstable > > [ Changes ] > Don't accept label outside of the root element > > Cheers, > Yadd > diff --git a/debian/changelog b/debian/changelog > index 3a6a587..9b1e9cc 100644 > --- a/debian/changelog > +++ b/debian/changelog > @@ -1,3 +1,10 @@ > +jqueryui (1.12.1+dfsg-8+deb11u2) bullseye; urgency=medium > + > + * Team upload > + * Checkboxradio: Don't re-evaluate text labels as HTML (Closes: > CVE-2022-31160) > + > + -- Yadd Wed, 31 May 2023 15:08:55 +0400 Minor thing, you could as well close #1015982 with the upload. Regards, Salvatore
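Review bot: in the quoted changelog hunk, `(Closes: CVE-2022-31160)` names no Debian bug number, and the Closes field only acts on `#NNNNNN` references, so the report tracking this CVE, #1015982, would stay open after the upload; `(Closes: #1015982, CVE-2022-31160)` fixes that.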
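The changelog line quoted above, "Checkboxradio: Don't re-evaluate text labels as HTML", comes down to the difference between writing a recovered label back with `.html()` and with `.text()`. The following plain JavaScript is an added example, not code from the jQuery UI patch or from anyone in this thread: it models that round-trip with string functions (readLabelText, writeAsHtml, writeAsText, refreshLabelUnsafe, refreshLabelSafe and demo are this example's own names) and uses constructed fixtures that mirror two of the three cases the patch's tests are named after. It runs under Node without a DOM.

```javascript
// Added example, not code from the jQuery UI patch or from this thread: a plain-string
// model of the label round-trip behind CVE-2022-31160. A widget reads the visible text
// of a <label> and later writes it back; the defect is writing it back as HTML, so text
// that merely looks like markup (stored escaped in the page) is re-evaluated into real
// elements. All function names below are this example's own.

// Entities a serialized text node may contain (a subset sufficient for the demo).
const ENTITY_DECODE = { "&lt;": "<", "&gt;": ">", "&quot;": '"', "&#39;": "'", "&amp;": "&" };

// Model of jQuery's .text() getter: the serialized text node decoded back to plain text.
function readLabelText(labelMarkup) {
  return labelMarkup.replace(/&(lt|gt|quot|#39|amp);/g, (entity) => ENTITY_DECODE[entity]);
}

// Model of jQuery's .html(value) setter: the string becomes markup as-is, nothing is escaped.
function writeAsHtml(text) {
  return text;
}

// Model of jQuery's .text(value) setter: the characters that matter to the HTML parser in
// text content are escaped, so the result can only ever render as the characters it holds.
function writeAsText(text) {
  return text.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;");
}

// Vulnerable refresh: read as text, write back as HTML. One round-trip turns an escaped
// "&lt;em&gt;" into a live <em> element; anything else that was escaped is re-evaluated too.
function refreshLabelUnsafe(labelMarkup) {
  return writeAsHtml(readLabelText(labelMarkup));
}

// Hardened refresh: read as text, write back as text. The serialized label is a fixed point.
function refreshLabelSafe(labelMarkup) {
  return writeAsText(readLabelText(labelMarkup));
}

// Constructed fixtures mirroring two of the cases the patch's tests are named after:
// plain text, and text that only looks like HTML (what a browser stores for a label
// whose author typed the literal characters <em>Hi, I'm a label</em>).
const TEXT_LABEL = "Hi, I'm a label";
const HTML_LIKE_TEXT_LABEL = "&lt;em&gt;Hi, I'm a label&lt;/em&gt;";

// Apply a refresh twice, as the widget's "refresh" method would on repeated calls,
// and report whether the serialized label survived unchanged.
function refreshTwice(refresh, labelMarkup) {
  const after = refresh(refresh(labelMarkup));
  return { after, preserved: after === labelMarkup };
}

// Side-by-side result for the vulnerable and hardened paths.
function demo() {
  return {
    unsafe: refreshTwice(refreshLabelUnsafe, HTML_LIKE_TEXT_LABEL),
    safe: refreshTwice(refreshLabelSafe, HTML_LIKE_TEXT_LABEL),
    plain: refreshTwice(refreshLabelSafe, TEXT_LABEL),
  };
}
```

Calling `demo()` shows the html-like-text label becoming a real `<em>` element on the unsafe path (`preserved: false`) while both labels come back byte-for-byte identical on the safe path, which is exactly the property the patch's "Initial text label not turned to HTML on refresh" test checks in the real widget.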
Bug#1036977: bullseye-pu: package jqueryui/1.12.1+dfsg-8+deb11u2
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: jquer...@packages.debian.org
Control: affects -1 + src:jqueryui

[ Reason ]
jqueryui is potentially vulnerable to cross-site scripting (CVE-2022-31160)

[ Impact ]
Low security issue

[ Tests ]
Sadly, tests are minimal in this package. Anyway, passed

[ Risks ]
Low risk, patch is trivial

[ Checklist ]
[X] *all* changes are documented in the d/changelog
[X] I reviewed all changes and I approve them
[X] attach debdiff against the package in (old)stable
[X] the issue is verified as fixed in unstable

[ Changes ]
Don't accept label outside of the root element

Cheers,
Yadd

diff --git a/debian/changelog b/debian/changelog index 3a6a587..9b1e9cc 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +jqueryui (1.12.1+dfsg-8+deb11u2) bullseye; urgency=medium + + * Team upload + * Checkboxradio: Don't re-evaluate text labels as HTML (Closes: CVE-2022-31160) + + -- Yadd Wed, 31 May 2023 15:08:55 +0400 + jqueryui (1.12.1+dfsg-8+deb11u1) bullseye; urgency=medium * Team upload diff --git a/debian/patches/CVE-2022-31160.patch b/debian/patches/CVE-2022-31160.patch new file mode 100644 index 000..11d7baa --- /dev/null +++ b/debian/patches/CVE-2022-31160.patch 
@@ -0,0 +1,156 @@ +Description: Checkboxradio: Don't re-evaluate text labels as HTML +Author: Michał Gołębiowski-Owczarek +Origin: upstream, https://github.com/jquery/jquery-ui/commit/8cc5bae1 +Bug: https://github.com/jquery/jquery-ui/security/advisories/GHSA-h6gj-6jjq-h8g9 +Forwarded: not-needed +Applied-Upstream: 1.13.2, commit:8cc5bae1 +Reviewed-By: Yadd +Last-Update: 2023-05-31 + +--- a/tests/unit/checkboxradio/checkboxradio.html b/tests/unit/checkboxradio/checkboxradio.html +@@ -64,6 +64,18 @@ + + + ++ ++ ++ Hi, I'm a label ++ ++ ++ ++ Hi, I'm a label ++ ++ ++ ++ emHi, I'm a label/em ++ + + + +--- a/tests/unit/checkboxradio/core.js b/tests/unit/checkboxradio/core.js +@@ -135,4 +135,41 @@ + ); + } ); + ++QUnit.test( "Inheriting label from initial HTML", function( assert ) { ++ var tests = [ ++ { ++ id: "label-with-no-for-with-html", ++ expectedLabel: "Hi, I'm a label" ++ }, ++ { ++ id: "label-with-no-for-with-text", ++ expectedLabel: "Hi, I'm a label" ++ }, ++ { ++ id: "label-with-no-for-with-html-like-text", ++ expectedLabel: "emHi, I'm a label/em" ++ } ++ ]; ++ ++ assert.expect( tests.length ); ++ ++ tests.forEach( function( testData ) { ++ var id = testData.id; ++ var expectedLabel = testData.expectedLabel; ++ var inputElem = $( "#" + id ); ++ var labelElem = inputElem.parent(); ++ ++ inputElem.checkboxradio( { icon: false } ); ++ ++ var labelWithoutInput = labelElem.clone(); ++ labelWithoutInput.find( "input" ).remove(); ++ ++ assert.strictEqual( ++ labelWithoutInput.html().trim(), ++ expectedLabel.trim(), ++ "Label correct [" + id + "]" ++ ); ++ } ); ++} ); ++ + } ); +--- a/tests/unit/checkboxradio/methods.js b/tests/unit/checkboxradio/methods.js +@@ -94,4 +94,42 @@ + assert.strictEqual( input.parent()[ 0 ], element[ 0 ], "Input preserved" ); + } ); + ++QUnit.test( "Initial text label not turned to HTML on refresh", function( assert ) { ++ var tests = [ ++ { ++ id: "label-with-no-for-with-html", ++ expectedLabel: "Hi, I'm a label" ++ }, ++ { ++ id: 
"label-with-no-for-with-text", ++ expectedLabel: "Hi, I'm a label" ++ }, ++ { ++ id: "label-with-no-for-with-html-like-text", ++ expectedLabel: "emHi, I'm a label/em" ++ } ++ ]; ++ ++ assert.expect( tests.length ); ++ ++ tests.forEach( function( testData ) { ++ var id = testData.id; ++ var expectedLabel = testData.expectedLabel; ++ var inputElem = $( "#" + id ); ++ var labelElem = inputElem.parent(); ++ ++ inputElem.checkboxradio( { icon: false } ); ++ inputElem.checkboxradio( "refresh" ); ++ ++ var labelWithoutInput = labelElem.clone(); ++ labelWithoutInput.find( "input" ).remove(); ++ ++ assert.strictEqual( ++ labelWithoutInput.html().trim(), ++ expectedLabel.trim(), ++ "Label correct [" + id + "]" ++ ); ++ } ); ++} ); ++ + } ); +---