Le 01/03/2020 à 22:52, Andreas Beckmann a écrit : >> +#CVE-2019-10785.patch > > The patch is commented in the series file and thus does not get applied. > > Andreas
Sorry for this <fucking git-dpm> error. Here is the real patch. Cheers, Xavier
diff --git a/debian/changelog b/debian/changelog index 14447b52..8a4b21b5 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +dojo (1.15.0+dfsg1-1+deb10u1) buster; urgency=medium + + * Team upload + * Cleanup improper regex usage (Closes: #952771, CVE-2019-10785) + + -- Xavier Guimard <y...@debian.org> Sat, 29 Feb 2020 09:07:02 +0100 + dojo (1.15.0+dfsg1-1) unstable; urgency=medium * New upstream version : diff --git a/debian/patches/CVE-2019-10785.patch b/debian/patches/CVE-2019-10785.patch new file mode 100644 index 00000000..67ab40f2 --- /dev/null +++ b/debian/patches/CVE-2019-10785.patch @@ -0,0 +1,45 @@ +Description: Cleanup improper regex usage +Author: Paul <p...@sitepen.com> +Origin: upstream, https://github.com/dojo/dojox/pull/317 +Bug: https://github.com/dojo/dojox/pull/315 +Bug-Debian: https://bugs.debian.org/952771 +Forwarded: not-needed +Reviewed-By: Xavier Guimard <y...@debian.org> +Last-Update: 2020-02-29 + +--- a/dojox/dtl/dom.js ++++ b/dojox/dtl/dom.js +@@ -94,7 +94,7 @@ define([ + var replacement = ""; + for(var p = 2, pl = pair.length; p < pl; p++){ + if(p == 2){ +- replacement += "<" + tag + ' dtlinstruction="{% ' + token[k].replace('"', '\\"') + ' %}">'; ++ replacement += "<" + tag + ' dtlinstruction="{% ' + token[k].replace(/"/g, '\\"') + ' %}">'; + }else if(tag == pair[p]) { + continue; + }else{ +--- a/dojox/widget/RollingList.js ++++ b/dojox/widget/RollingList.js +@@ -1050,7 +1050,7 @@ dojo.declare("dojox.widget.RollingList", + widgetItem.store = this.store; + widgetItem.item = item; + if(!widgetItem.label){ +- widgetItem.attr("label", this.store.getLabel(item).replace(/</,"<")); ++ widgetItem.attr("label", this.store.getLabel(item).replace(/</g,"<")); + } + if(widgetItem.focusNode){ + var self = this; +--- a/dojox/xmpp/util.js ++++ b/dojox/xmpp/util.js +@@ -3,10 +3,7 @@ dojo.require("dojox.string.Builder"); + dojo.require("dojox.encoding.base64"); + + dojox.xmpp.util.xmlEncode = function(str) { +- if(str) { +- str = str.replace("&", "&").replace(">", ">").replace("<", "<").replace("'", "'").replace('"', """); +- } +- return str; ++ return dojo.string.escape(str); + }; + + dojox.xmpp.util.encodeJid = function(jid) { diff --git a/debian/patches/series b/debian/patches/series index f39e7f29..b0f5ff11 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -1,3 +1,4 @@ 0001-Compatibility-patch-for-newer-rhino.patch 0002-Do-notrun-test-suite-in-build.patch 0003-Disable-flash-storage.patch +CVE-2019-10785.patch
