Bug#953614: buster-pu: package dojo/1.14.2+dfsg1-1+deb10u2

2020-07-31 Thread Xavier
On 31/07/2020 at 10:27, Salvatore Bonaccorso wrote:
> Hi Xavier,
> 
> On Fri, May 08, 2020 at 02:09:41PM +0200, Salvatore Bonaccorso wrote:
>> Hi Xavier,
>>
>> On Sat, Apr 25, 2020 at 07:24:14PM +0100, Adam D. Barratt wrote:
>>> Control: tags -1 + confirmed
>>>
>>> On Wed, 2020-03-11 at 06:22 +0100, Xavier Guimard wrote:
>>>> 2 new vulnerabilities have been published for dojo: prototype
>>>> pollutions. I imported the 2 upstream fixes here.
>>>>
>>>
>>> Please go ahead.
>>
>> Did you see the acknowledgement from Adam? Unfortunately it's now too
>> late for the inclusion in 10.4 for tomorrow though.
> 
> Did you receive the message from Adam?

Hi,

sorry, I didn't see it. Pushed just now, thanks!



Bug#953614: buster-pu: package dojo/1.14.2+dfsg1-1+deb10u2

2020-07-31 Thread Salvatore Bonaccorso
Hi Xavier,

On Fri, May 08, 2020 at 02:09:41PM +0200, Salvatore Bonaccorso wrote:
> Hi Xavier,
> 
> On Sat, Apr 25, 2020 at 07:24:14PM +0100, Adam D. Barratt wrote:
> > Control: tags -1 + confirmed
> > 
> > On Wed, 2020-03-11 at 06:22 +0100, Xavier Guimard wrote:
> > > 2 new vulnerabilities have been published for dojo: prototype
> > > pollutions. I imported the 2 upstream fixes here.
> > > 
> > 
> > Please go ahead.
> 
> Did you see the acknowledgement from Adam? Unfortunately it's now too
> late for the inclusion in 10.4 for tomorrow though.

Did you receive the message from Adam?

Regards,
Salvatore



Bug#953614: buster-pu: package dojo/1.14.2+dfsg1-1+deb10u2

2020-05-08 Thread Salvatore Bonaccorso
Hi Xavier,

On Sat, Apr 25, 2020 at 07:24:14PM +0100, Adam D. Barratt wrote:
> Control: tags -1 + confirmed
> 
> On Wed, 2020-03-11 at 06:22 +0100, Xavier Guimard wrote:
> > 2 new vulnerabilities have been published for dojo: prototype
> > pollutions. I imported the 2 upstream fixes here.
> > 
> 
> Please go ahead.

Did you see the acknowledgement from Adam? Unfortunately it's now too
late for the inclusion in 10.4 for tomorrow though.

Regards,
Salvatore



Bug#953614: buster-pu: package dojo/1.14.2+dfsg1-1+deb10u2

2020-04-25 Thread Adam D. Barratt
Control: tags -1 + confirmed

On Wed, 2020-03-11 at 06:22 +0100, Xavier Guimard wrote:
> 2 new vulnerabilities have been published for dojo: prototype
> pollutions. I imported the 2 upstream fixes here.
> 

Please go ahead.

Regards,

Adam



Bug#953614: buster-pu: package dojo/1.14.2+dfsg1-1+deb10u2

2020-03-10 Thread Xavier Guimard
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian@packages.debian.org
Usertags: pu

Hi,

2 new vulnerabilities have been published for dojo: prototype
pollutions. I imported the 2 upstream fixes here.

Cheers,
Xavier
diff --git a/debian/changelog b/debian/changelog
index f2dfbd6c..d4aae875 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,12 @@
+dojo (1.14.2+dfsg1-1+deb10u2) buster; urgency=medium
+
+  * Team upload
+  * Fix prototype pollution in deepCopy method (Closes: #953585,
+CVE-2020-5258)
+  * Fix Prototype Pollution in jqMix method (Closes: #953587, CVE-2020-5259)
+
+ -- Xavier Guimard   Wed, 11 Mar 2020 06:18:23 +0100
+
 dojo (1.14.2+dfsg1-1+deb10u1) buster; urgency=medium
 
   * Team upload
diff --git a/debian/patches/CVE-2020-5258.diff 
b/debian/patches/CVE-2020-5258.diff
new file mode 100644
index ..4aefd61d
--- /dev/null
+++ b/debian/patches/CVE-2020-5258.diff
@@ -0,0 +1,20 @@
+Description: fix Prototype Pollution
+Author: Nick Nisi
+Origin: upstream, https://github.com/dojo/dojox/commit/c5901be1
+Bug: https://github.com/dojo/dojo/security/advisories/GHSA-jxfh-8wgv-vfr2
+Bug-Debian: https://bugs.debian.org/953585
+Forwarded: not-needed
+Reviewed-By: Xavier Guimard 
+Last-Update: 2020-03-11
+
+--- a/dojo/request/util.js
 b/dojo/request/util.js
+@@ -13,7 +13,7 @@
+   for (var name in source) {
+   var tval = target[name],
+   sval = source[name];
+-  if (tval !== sval) {
++  if (name !== '__proto__' && tval !== sval) {
+   if (sval && typeof sval === 'object' && 
!(has('native-formdata') && sval instanceof FormData)) {
+   if 
(Object.prototype.toString.call(sval) === '[object Date]') { // use this date 
test to handle crossing frame boundaries
+   target[name] = new Date(sval);
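Review bot: the `Origin:` header of this patch points at `https://github.com/dojo/dojox/commit/c5901be1`, but the file it changes is `dojo/request/util.js` and the advisory it cites (GHSA-jxfh-8wgv-vfr2) lives under dojo/dojo, not dojox; the identical dojox URL is reused in CVE-2020-5259.diff, so this one looks copy-pasted and should reference the dojo/dojo commit the deepCopy fix was actually taken from. Two smaller points: `Description: fix Prototype Pollution` should name the method the way the changelog and the second patch do (`fix prototype pollution in deepCopy method`), and the new guard `if (name !== '__proto__' && tval !== sval)` skips only the literal `__proto__` key, so it would be worth shipping a regression test that copying a source built with `JSON.parse('{"__proto__":{"polluted":1}}')` into an empty object leaves `({}).polluted` undefined, to pin the behaviour this patch is meant to guarantee.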
diff --git a/debian/patches/CVE-2020-5259.diff 
b/debian/patches/CVE-2020-5259.diff
new file mode 100644
index ..3d05ed7e
--- /dev/null
+++ b/debian/patches/CVE-2020-5259.diff
@@ -0,0 +1,20 @@
+Description: fix prototype pollution in jqMix method
+Author: Nick Nisi
+Origin: upstream, https://github.com/dojo/dojox/commit/c5901be1
+Bug: https://github.com/dojo/dojox/security/advisories/GHSA-3hw5-q855-g6cw
+Bug-Debian: https://bugs.debian.org/953587
+Forwarded: not-needed
+Reviewed-By: Xavier Guimard 
+Last-Update: 2020-03-11
+
+--- a/dojox/jq.js
 b/dojox/jq.js
+@@ -455,7 +455,7 @@
+   // inherited from Object.prototype.  For example, if 
obj has a custom
+   // toString() method, don't overwrite it with the 
toString() method
+   // that props inherited from Object.prototype
+-  if((tobj[x] === undefined || tobj[x] != props[x]) && 
props[x] !== undefined && obj != props[x]){
++  if(x !== '__proto__ ' && ((tobj[x] === undefined || 
tobj[x] != props[x])) && props[x] !== undefined && obj != props[x]){
+   if(dojo.isObject(obj[x]) && 
dojo.isObject(props[x])){
+   if(dojo.isArray(props[x])){
+   obj[x] = props[x];
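Review bot: the string literal in the new condition, `if(x !== '__proto__ ' && ((tobj[x] === undefined ||`, has a trailing space inside the quotes; as rendered here the comparison is against `"__proto__ "` and can never match a property actually named `__proto__`, which would make the guard a no-op and leave jqMix just as pollutable as before. Please confirm whether the space is present in the patch file itself or only in how it was rendered, and drop it (`x !== '__proto__'`) if it is real. The doubled parentheses around `(tobj[x] === undefined || tobj[x] != props[x])` are harmless but could go back to the original single pair. A regression test that mixes in an object parsed from `{"__proto__":{"polluted":1}}` and asserts that `({}).polluted` stays undefined would catch exactly this kind of typo before upload.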
diff --git a/debian/patches/series b/debian/patches/series
index b0f5ff11..d5b7db42 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -2,3 +2,5 @@
 0002-Do-notrun-test-suite-in-build.patch
 0003-Disable-flash-storage.patch
 CVE-2019-10785.patch
+CVE-2020-5258.diff
+CVE-2020-5259.diff