Package: release.debian.org Severity: normal Tags: stretch User: release.debian....@packages.debian.org Usertags: pu
Hi, node-knockout is vulnerable to CVE-2019-14862 (#943560): bad escaping for old MSIE browsers (MSIE ≤ 7). This small patch fixes the issue. Cheers, Xavier
diff --git a/debian/changelog b/debian/changelog
index e35157d..078f2f8 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+node-knockout (3.4.2-2+deb9u1) stretch; urgency=medium
+
+ * Team upload
+ * Fix bad escaping for old MSIE (Closes: #943560, CVE-2019-14862)
+
+ -- Xavier Guimard <y...@debian.org> Thu, 26 Mar 2020 11:17:36 +0100
+
 node-knockout (3.4.2-2) unstable; urgency=medium
 
 * Mark package as Multi-Arch: foreign
diff --git a/debian/patches/CVE-2019-14862.diff b/debian/patches/CVE-2019-14862.diff
new file mode 100644
index 0000000..212b29e
--- /dev/null
+++ b/debian/patches/CVE-2019-14862.diff
@@ -0,0 +1,45 @@
+Description: fix for CVE-2019-14862
+Author: Michael Best
+Origin: upstream, https://github.com/knockout/knockout/pull/2345/files
+Bug: https://github.com/knockout/knockout/issues/1244
+Bug-Debian: https://bugs.debian.org/943560
+Forwarded: not-needed
+Reviewed-By: Xavier Guimard <y...@debian.org>
+Last-Update: 2020-03-26
+
+--- a/spec/defaultBindings/attrBehaviors.js
++++ b/spec/defaultBindings/attrBehaviors.js
+@@ -26,6 +26,14 @@
+ expect(testNode.childNodes[0].outerHTML).toNotMatch('name="?([^">]+)');
+ }
+ expect(testNode.childNodes[0].getAttribute("name")).toEqual("");
++
++ // Check that special characters are handled appropriately
++ myValue("<A name with special &'\" chars>");
++ expect(testNode.childNodes[0].name).toEqual("<A name with special &'\" chars>");
++ if (testNode.childNodes[0].outerHTML) { // Old Firefox doesn't support outerHTML
++ expect(testNode.childNodes[0].outerHTML).toMatch('name="?(<|<)A name with special &\'" chars(>|>)"?');
++ }
++ expect(testNode.childNodes[0].getAttribute("name")).toEqual("<A name with special &'\" chars>");
+ });
+ 
+ it('Should respond to changes in an observable value', function() {
+@@ -62,4 +70,4 @@
+ expect(testNode.childNodes[0].className).toEqual("");
+ expect(testNode.childNodes[0].getAttribute("class")).toEqual(null);
+ });
+-});
+\ No newline at end of file
++});
+--- a/src/utils.js
++++ b/src/utils.js
+@@ -451,7 +451,8 @@
+ // - http://www.matts411.com/post/setting_the_name_attribute_in_ie_dom/
+ if (ieVersion <= 7) {
+ try {
+- element.mergeAttributes(document.createElement("<input name='" + element.name + "'/>"), false);
++ var escapedName = element.name.replace(/[&<>'"]/g, function(r){ return "&#" + r.charCodeAt(0) + ";"; });
++ element.mergeAttributes(document.createElement("<input name='" + escapedName + "'/>"), false);
+ }
+ catch(e) {} // For IE9 with doc mode "IE9 Standards" and browser mode "IE9 Compatibility View"
+ }
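Review bot: The new `escapedName` line in src/utils.js closes the quote break-out with a denylist of five characters, but the value is being spliced into an HTML attribute of a markup string that legacy IE parses, and the more defensible form for that context is an allowlist that numerically encodes every ASCII character except alphanumerics, e.g. `var escapedName = element.name.replace(/[^A-Za-z0-9\u0080-\uFFFF]/g, function(r){ return "&#" + r.charCodeAt(0) + ";"; });`, which also covers characters such as backtick that older IE is reported to treat specially in attribute context without needing further case-by-case additions (non-ASCII units are deliberately left alone, since encoding surrogate halves one at a time would mangle astral characters). Because the call sits inside `try { … } catch(e) {}`, a TypeError from calling `.replace` on a non-string `element.name` would be swallowed and the IE ≤ 7 name fix silently skipped; if the enclosing function, which starts and ends outside this hunk, does not guarantee a string here, `String(element.name).replace(…)` preserves the original concatenation behaviour. A one-line comment above the replace, `// IE<=7 re-parses this markup string, so the value must be attribute-encoded (CVE-2019-14862)`, would record why the encoding exists.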
diff --git a/debian/patches/series b/debian/patches/series
index 0108572..6429144 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1 +1,2 @@
 gruntfile.patch
+CVE-2019-14862.diff