Package: release.debian.org Severity: normal Tags: security User: release.debian....@packages.debian.org Usertags: unblock
Please unblock package jquery Hi all, jquery is vulnerable to Object.prototype pollution (#927385). I imported the upstream patch and only upgraded some links to https in the debian/ files. The patch does not change normal jQuery behavior; it just fixes a security hole rated "grave" by the Security team. There are of course many reverse dependencies (not listed here to avoid mail pollution ;-)). Still, I think upgrading jQuery in Buster is low risk. Cheers, Xavier unblock jquery/3.3.1_dfsg-2
diff --git a/debian/changelog b/debian/changelog index aed290ff..259a482a 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,11 @@ +jquery (3.3.1~dfsg-2) unstable; urgency=medium + + * Team upload + * Add patch to prevent Object.prototype pollution (Closes: #927385) + * Upgrade links to https + + -- Xavier Guimard <y...@debian.org> Thu, 18 Apr 2019 22:34:14 +0200 + jquery (3.3.1~dfsg-1) unstable; urgency=medium * Team upload. diff --git a/debian/control b/debian/control index 9564aeff..126c17ca 100644 --- a/debian/control +++ b/debian/control @@ -13,7 +13,7 @@ Build-Depends: nodejs, pigz, Standards-Version: 4.3.0 -Homepage: http://jquery.com/ +Homepage: https://jquery.com/ Vcs-Git: https://salsa.debian.org/js-team/jquery.git Vcs-Browser: https://salsa.debian.org/js-team/jquery Rules-Requires-Root: no diff --git a/debian/copyright b/debian/copyright index a89d1ef6..593fc38f 100644 --- a/debian/copyright +++ b/debian/copyright @@ -1,7 +1,7 @@ -Format: http://www.debian.org/doc/packaging-manuals/copyright-format/1.0/ +Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/ Upstream-Name: jQuery -Source: http://jquery.com/ -Comment: For more details on developers please see http://docs.jquery.com/Contributors +Source: https://jquery.com/ +Comment: For more details on developers please see https://docs.jquery.com/Contributors Files-Excluded: dist external/npo @@ -38,7 +38,7 @@ License: GPL-2 can be found in </usr/share/common-licenses/GPL-2>. License: MIT - Copyright (c) 2011 John Resig, http://jquery.com/ + Copyright (c) 2011 John Resig, https://jquery.com/ . Permission is hereby granted, free of charge, to any person obtaining a copy diff --git a/debian/patches/SNYK-JS-JQUERY-174006.diff b/debian/patches/SNYK-JS-JQUERY-174006.diff new file mode 100644 index 00000000..5911b9d4 --- /dev/null +++ b/debian/patches/SNYK-JS-JQUERY-174006.diff 
@@ -0,0 +1,37 @@
+Description: Prevent Object.prototype pollution for $.extend( true, ... )
+Author: Xavier Guimard <y...@debian.org>
+Origin: upstream, https://github.com/jquery/jquery/commit/753d591aea698e57d6db58c9f722cd0808619b1b
+Bug: https://github.com/jquery/jquery/pull/4333
+Bug-Debian: https://bugs.debian.org/927385
+Forwarded: not-needed
+Last-Update: 2019-04-18
+
+--- a/src/core.js
++++ b/src/core.js
+@@ -159,8 +159,9 @@
+ src = target[ name ];
+ copy = options[ name ];
+
++ // Prevent Object.prototype pollution
+ // Prevent never-ending loop
+- if ( target === copy ) {
++ if ( name === "__proto__" || target === copy ) {
+ continue;
+ }
+
+--- a/test/unit/core.js
++++ b/test/unit/core.js
+@@ -1061,6 +1061,13 @@
+ assert.ok( !Array.isArray( result.object ), "result.object wasn't paved with an empty array" );
+ } );
+
++QUnit.test( "jQuery.extend( true, ... ) Object.prototype pollution", function( assert ) {
++ assert.expect( 1 );
++
++ jQuery.extend( true, {}, JSON.parse( "{\"__proto__\": {\"devMode\": true}}" ) );
++ assert.ok( !( "devMode" in {} ), "Object.prototype not polluted" );
++} );
++
+ QUnit.test( "jQuery.each(Object,Function)", function( assert ) {
+ assert.expect( 23 );
+
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 00000000..1fc60af1
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1 @@
+SNYK-JS-JQUERY-174006.diff
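Review bot: The new guard `if ( name === "__proto__" || target === copy )` in src/core.js is the right fix, but the added comment `// Prevent Object.prototype pollution`, stacked over `// Prevent never-ending loop`, does not say why this one key is dangerous, and the mechanism is not visible from the two lines. Within the hunk `src = target[ name ]` resolves, for `name === "__proto__"`, to the target's own prototype (`Object.prototype` for a plain object), and the deep-merge branch below the hunk presumably recurses into that object as the clone, so attacker-controlled JSON like the payload in the new test would write into the shared prototype; I would replace the added comment with `// Never merge "__proto__": src would be the shared Object.prototype and the deep branch would recurse into it` (mechanism to be confirmed against the recursion code outside the hunk). In test/unit/core.js the payload is deliberately built with `JSON.parse` rather than an object literal, because `{ "__proto__": {...} }` as a literal sets the prototype instead of creating an own key; a one-line comment such as `// JSON.parse yields an own "__proto__" key; an object literal would not` stops the next maintainer from "simplifying" it into a literal and turning the test into a no-op. The enclosing jQuery.extend starts and ends outside the hunk.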