Bug#984896: buster-pu: package jquery/3.3.1~dfsg-3

2021-03-20 Thread Roberto C . Sánchez
On Wed, Mar 17, 2021 at 07:39:08PM +, Adam D. Barratt wrote:
> Control: tags -1 + confirmed
> 
> On Tue, 2021-03-09 at 18:08 -0500, Roberto C. Sanchez wrote:
> > I would like to fix CVE-2020-11022 and CVE-2020-11023.  The same fix has
> > been prepared for stretch and will be uploaded concurrently with the
> > buster fix.  The security team has marked these issues as no-dsa.
> > 
> 
> Please go ahead.
> 
Thanks!  (Also thanks for the additional prod).  I have just uploaded.

Regards,

-Roberto

-- 
Roberto C. Sánchez



Bug#984896: buster-pu: package jquery/3.3.1~dfsg-3

2021-03-17 Thread Adam D. Barratt
Control: tags -1 + confirmed

On Tue, 2021-03-09 at 18:08 -0500, Roberto C. Sanchez wrote:
> I would like to fix CVE-2020-11022 and CVE-2020-11023.  The same fix has
> been prepared for stretch and will be uploaded concurrently with the
> buster fix.  The security team has marked these issues as no-dsa.
> 

Please go ahead.

Regards,

Adam



Bug#984896: buster-pu: package jquery/3.3.1~dfsg-3

2021-03-09 Thread Roberto C. Sanchez
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian@packages.debian.org
Usertags: pu

Dear Release Team,

[ Reason ]

I would like to fix CVE-2020-11022 and CVE-2020-11023.  The same fix has
been prepared for stretch and will be uploaded concurrently with the
buster fix.  The security team has marked these issues as no-dsa.

[ Impact ]

jquery would be vulnerable if not approved.

[ Tests ]

Backported patch was reviewed and approved by the Debian package
maintainers.  Sadly, no reproducers were released.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them, along with the
      maintainers of jquery
  [x] attach debdiff against the package in (old)stable
  [N/A] the issue is verified as fixed in unstable (jquery is not
        present in unstable/testing)

Regards,

-Roberto

diff -Nru jquery-3.3.1~dfsg/debian/changelog jquery-3.3.1~dfsg/debian/changelog
--- jquery-3.3.1~dfsg/debian/changelog  2019-04-19 02:52:35.0 -0400
+++ jquery-3.3.1~dfsg/debian/changelog  2021-03-09 14:42:16.0 -0500
@@ -1,3 +1,13 @@
+jquery (3.3.1~dfsg-3+deb10u1) buster; urgency=high
+
+  * Non-maintainer upload by the LTS Team.
+  * Prevent untrusted code execution when passing untrusted HTML to DOM
+manipulation methods.  (CVE-2020-11022)
+  * Prevent untrusted code execution when passing HTML containing 
+elements to DOM manipulation methods.  (CVE-2020-11023)
+
+ -- Roberto C. Sánchez   Tue, 09 Mar 2021 14:42:16 -0500
+
 jquery (3.3.1~dfsg-3) unstable; urgency=medium
 
   * Team upload
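
Review bot: The CVE-2020-11023 entry reads "HTML containing elements" without saying which elements, so the changelog does not tell a reader which input is affected. Name the element type in that bullet, using the wording of the upstream advisory, so the two CVE entries can be told apart by someone reading only d/changelog.
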
diff -Nru jquery-3.3.1~dfsg/debian/patches/CVE-2020-11022.patch 
jquery-3.3.1~dfsg/debian/patches/CVE-2020-11022.patch
--- jquery-3.3.1~dfsg/debian/patches/CVE-2020-11022.patch   1969-12-31 
19:00:00.0 -0500
+++ jquery-3.3.1~dfsg/debian/patches/CVE-2020-11022.patch   2021-03-09 
14:42:16.0 -0500
@@ -0,0 +1,1749 @@
+From 1d61fd9407e6fbe82fe55cb0b938307aa0791f77 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Micha=C5=82=20Go=C5=82=C4=99biowski-Owczarek?=
+ 
+Date: Mon, 16 Mar 2020 21:49:29 +0100
+Subject: [PATCH] Manipulation: Make jQuery.htmlPrefilter an identity function
+
+Closes gh-4642
+
+(cherry picked from 90fed4b453a5becdb7f173d9e3c1492390a1441f)
+---
+ src/manipulation.js   |   9 +--
+ test/data/testinit.js |   2 +-
+ test/localfile.html   |   2 +-
+ test/unit/ajax.js |   8 +--
+ test/unit/attributes.js   |  46 ++---
+ test/unit/basic.js|  24 +++
+ test/unit/core.js |  14 ++--
+ test/unit/css.js  | 112 +++
+ test/unit/data.js |  20 +++---
+ test/unit/deprecated.js   |   2 +-
+ test/unit/dimensions.js   |  30 -
+ test/unit/effects.js  |  22 +++---
+ test/unit/event.js|  26 +++
+ test/unit/manipulation.js | 138 ++
+ test/unit/offset.js   |  10 +--
+ test/unit/selector.js |   4 +-
+ test/unit/traversing.js   |  22 +++---
+ test/unit/wrap.js |  12 ++--
+ 18 files changed, 246 insertions(+), 257 deletions(-)
+
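
Review bot: 17 of the 18 files in this diffstat are under test/, so nearly all of the 1749 added lines are test-suite changes rather than the fix, which is the 9-line change to src/manipulation.js. If the package build does not run these tests, trim the backport to the src/manipulation.js change and note the trimming in the patch header, so that the debdiff the release team reads is the security fix itself.
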
+--- a/src/manipulation.js
 b/src/manipulation.js
+@@ -32,13 +32,6 @@
+ 
+ var
+ 
+-  /* eslint-disable max-len */
+-
+-  // See https://github.com/eslint/eslint/issues/3229
+-  rxhtmlTag = 
/<(?!area|br|col|embed|hr|img|input|link|meta|param)(([a-z][^\/\0>\x20\t\r\n\f]*)[^>]*)\/>/gi,
+-
+-  /* eslint-enable */
+-
+   // Support: IE <=10 - 11, Edge 12 - 13 only
+   // In IE/Edge using regex groups here causes severe slowdowns.
+   // See https://connect.microsoft.com/IE/feedback/details/1736512/
+@@ -235,7 +228,7 @@
+ 
+ jQuery.extend( {
+   htmlPrefilter: function( html ) {
+-  return html.replace( rxhtmlTag, "<$1>" );
++  return html;
+   },
+ 
+   clone: function( elem, dataAndEvents, deepDataAndEvents ) {
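
Review bot: With "return html;" jQuery.htmlPrefilter no longer rewrites the tags that rxhtmlTag matched, so self-closed non-void tags in strings passed to the DOM manipulation methods are now parsed as written, and reverse dependencies that relied on the old rewrite will build a different DOM. That is the point of the fix, but it is a behaviour change in a stable update that the changelog hunk does not mention. Add a line to d/changelog or debian/NEWS describing it, and a short comment above the function saying it is deliberately an identity function.
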
+--- a/test/data/testinit.js
 b/test/data/testinit.js
+@@ -244,7 +244,7 @@
+   }
+   wrapper.call( QUnit, title, function( assert ) {
+   var done = assert.async(),
+-