Your message dated Sat, 10 Sep 2022 19:14:10 +0100
with message-id
<810b0134d41d35e5535bfe9dc6db0ebc587c7340.ca...@adam-barratt.org.uk>
and subject line Re: Bug#987039: buster-pu: package dojo/1.14.2+dfsg1-1+deb10u3
has caused the Debian Bug report #987039,
regarding buster-pu: package dojo/1.14.2+dfsg1-1+deb10u3
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
987039: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=987039
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian....@packages.debian.org
Usertags: pu
X-Debbugs-Cc: pkg-javascript-de...@lists.alioth.debian.org
[ Reason ]
dojo/dijit is vulnerable to cross-site-scripting (#970000,
CVE-2020-4051).
[ Impact ]
Medium vulnerability
[ Tests ]
Test passed during build, including upstream new checks
[ Risks ]
Upstream patch applied without any changes, not trivial but not a big
change. From patch comment:
This update should minimally affect production applications:
* The behavior of existing links with HTML content will be unchanged
* Existing links that are edited and saved will be filtered (this is only if
the link is edited, other content within the editor can be edited without
affecting the link)
* Newly created links will be filtered by default
* For production code to continue working as-is with new data the application
code will have to be updated to specify `true` for the `LinkDialog` plugin's
`allowUnsafeHtml` option
[ Checklist ]
[X] *all* changes are documented in the d/changelog
[X] I reviewed all changes and I approve them
[X] attach debdiff against the package in (old)stable
[X] the issue is verified as fixed in unstable
[ Changes ]
in plugin dijit/_editor/plugins/LinkDialog.js, a new check was added
I didn't add any debian/NEWS entry since risk is tagged as "low". Do you
think it is required here? Maybe something inspired from comment below.
Cheers,
Xavier
diff --git a/debian/changelog b/debian/changelog
index d4aae875..407f7c48 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+dojo (1.14.2+dfsg1-1+deb10u3) buster; urgency=medium
+
+ * Team upload
+ * Fix cross-site-scripting vulnerability (Closes: #970000, CVE-2020-4051)
+
+ -- Yadd <y...@debian.org> Fri, 16 Apr 2021 09:39:01 +0200
+
dojo (1.14.2+dfsg1-1+deb10u2) buster; urgency=medium
* Team upload
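Review bot: the changelog entry says nothing about the behaviour change the [ Risks ] section describes, namely that newly created links now have their description filtered by default and that applications relying on HTML in link descriptions must pass `true` for the `LinkDialog` plugin's `allowUnsafeHtml` option. Either an extra changelog line naming that option or a debian/NEWS entry would make this visible to administrators upgrading buster; the submitter's own question about NEWS suggests one is warranted.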
diff --git a/debian/patches/CVE-2020-4051.patch
b/debian/patches/CVE-2020-4051.patch
new file mode 100644
index 00000000..714b93d2
--- /dev/null
+++ b/debian/patches/CVE-2020-4051.patch
@@ -0,0 +1,135 @@
+Description: fix cross-site scripting vulnerability in the Editor's LinkDialog
plugin
+ * Add config option `allowUnsafeHtml`: default is `false` which results in
+ `<` being replaced with `<`
+ * Add config option `linkFilter`: can be a function or array of filter pairs
+ to control exactly what filtering is applied
+ .
+ This update should minimally affect production applications:
+ .
+ * The behavior of existing links with HTML content will be unchanged
+ * Existing links that are edited and saved will be filtered (this is only if
+ the link is edited, other content within the editor can be edited without
+ affecting the link)
+ * Newly created links will be filtered by default
+ * For production code to continue working as-is with new data the application
+ code will have to be updated to specify `true` for the `LinkDialog` plugin's
+ `allowUnsafeHtml` option
+Author: Mangala Sadhu Sangeet Singh Khalsa <mssskha...@gmail.com>
+Origin: upstream, https://github.com/dojo/dijit/commit/7d9d4927
+Bug: https://github.com/dojo/dijit/security/advisories/GHSA-cxjc-r2fp-7mq6
+Bug-Debian: https://bugs.debian.org/970000
+Forwarded: not-needed
+Reviewed-By: Yadd <y...@debian.org>
+Last-Update: 2021-04-16
+
+--- a/dijit/_editor/plugins/LinkDialog.js
++++ b/dijit/_editor/plugins/LinkDialog.js
+@@ -1,5 +1,6 @@
+ define([
+ "require",
++ "dojo/_base/array",
+ "dojo/_base/declare", // declare
+ "dojo/dom-attr", // domAttr.get
+ "dojo/keys", // keys.ENTER
+@@ -11,7 +12,7 @@
+ "../_Plugin",
+ "../../form/DropDownButton",
+ "../range"
+-], function(require, declare, domAttr, keys, lang, on, has, query, string,
++], function(require, array, declare, domAttr, keys, lang, on, has, query,
string,
+ _Plugin, DropDownButton, rangeapi){
+
+ // module:
+@@ -26,6 +27,21 @@
+ //
+ // - createLink
+
++ // allowUnsafeHtml: boolean
++ // If false (default), the link description will
be filtered to prevent HTML content.
++ // If true no filtering is done, allowing for HTML
content within the link element.
++ // The filter can be specified with the
'linkFilter' option.
++ allowUnsafeHtml: false,
++
++ // linkFilter: function or array of replacement pairs
++ // If 'allowUnsafeHtml' is false then this filter
will be applied to the link Description value.
++ // function: the function will be invoked with the
string value of the Description field and its
++ // return value will be used
++ // array: each array item should be an array of
two values to pass to String#replace
++ linkFilter: [
++ [/</g, "<"]
++ ],
++
+ // Override _Plugin.buttonClass. This plugin is controlled by
a DropDownButton
+ // (which triggers a TooltipDialog).
+ buttonClass: DropDownButton,
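Review bot: as rendered here, the default `linkFilter` pair `[/</g, "<"]` (and the Description line `<` being replaced with `<`) would replace `<` with itself, which filters nothing; the replacement is presumably the HTML entity `&lt;`, decoded when this message was displayed. Check that the file actually placed under debian/patches contains the entity, because with a literal `<` the default configuration would leave descriptions unfiltered. Note also that `<` is the only character in the default list: `&`, `>` and `"` pass through unchanged, which is enough to stop a new tag from opening in text content but is not a general HTML escape; the comment block above the option should say so explicitly so that applications do not read it as full sanitisation.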
+@@ -252,6 +268,16 @@
+ if(args && args.urlInput){
+ args.urlInput = args.urlInput.replace(/"/g,
""");
+ }
++ if(!this.allowUnsafeHtml && args && args.textInput){
++ if(typeof this.linkFilter === 'function'){
++ args.textInput =
this.linkFilter(args.textInput);
++ }
++ else{
++ array.forEach(this.linkFilter, function
(currentFilter) {
++ args.textInput =
args.textInput.replace(currentFilter[0], currentFilter[1]);
++ });
++ }
++ }
+ return args;
+ },
+
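Review bot: the `else` branch assumes `this.linkFilter` is an array of `[pattern, replacement]` pairs, but nothing validates that; a misconfigured value that is neither a function nor such an array reaches `array.forEach` and `args.textInput` comes back effectively unfiltered instead of being rejected. Since this is the security-relevant path, fail closed: when `linkFilter` is neither a function nor an array, throw or fall back to the default pair rather than passing the text through. Also, `!this.allowUnsafeHtml` is the only gate, so any truthy value (including a string such as `"false"` coming from markup) disables filtering; comparing against `true` would be stricter.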
+@@ -629,8 +655,15 @@
+ });
+
+ // Register these plugins
+- _Plugin.registry["createLink"] = function(){
+- return new LinkDialog({command: "createLink"});
++ _Plugin.registry["createLink"] = function(args){
++ var pluginOptions = {
++ command: "createLink",
++ allowUnsafeHtml: ("allowUnsafeHtml" in args) ?
args.allowUnsafeHtml : false
++ };
++ if("linkFilter" in args){
++ pluginOptions.linkFilter = args.linkFilter;
++ }
++ return new LinkDialog(pluginOptions);
+ };
+ _Plugin.registry["insertImage"] = function(){
+ return new ImgLinkDialog({command: "insertImage"});
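Review bot: `("allowUnsafeHtml" in args)` throws a TypeError when `args` is undefined. The previous signature was `function(){`, so any existing caller that invokes `_Plugin.registry["createLink"]()` with no argument (the `insertImage` entry just below still takes none) now breaks; add `args = args || {};` at the top of the function. Since `allowUnsafeHtml` already defaults to `false` on the plugin, the ternary can then become a plain `if("allowUnsafeHtml" in args)` assignment, mirroring the `linkFilter` handling two lines later.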
+--- a/dijit/tests/editor/test_LinkDialog.html
++++ b/dijit/tests/editor/test_LinkDialog.html
+@@ -7,6 +7,10 @@
+ <script type="text/javascript" src="../boilerplate.js"></script>
+
+ <script type="text/javascript">
++ function filterLink () {
++ return 'Filtered Value';
++ }
++
+ require([
+ "dojo/parser",
+ "dijit/Editor",
+@@ -35,6 +39,22 @@
+ <br>
+ </div>
+ </div>
++
++ <p>Editor with <code>allowUnsafeHtml</code> set to <code>true</code></p>
++ <div style="border: 1px dotted black;">
++ <div id="editorUnsafe" data-dojo-type="dijit/Editor"
data-dojo-props='"aria-label":"editor",extraPlugins:[{name: "createLink",
allowUnsafeHtml: true}, "insertImage", "viewSource"]'>
++ <p>This editor will allow unrestricted HTML in the
Description field of links</p>
++ <br>
++ </div>
++ </div>
++
++ <p>Editor with custom <code>linkFilter</code> function</p>
++ <div style="border: 1px dotted black;">
++ <div id="editorLinkFilter" data-dojo-type="dijit/Editor"
data-dojo-props='"aria-label":"editor",extraPlugins:[{name: "createLink",
linkFilter: filterLink}, "insertImage", "viewSource"]'>
++ <p>Links created in this editor will always have a
description of "Filtered Value", which is the value returned by the custom
<code>linkFilter</code> function.</p>
++ <br>
++ </div>
++ </div>
+
+ <p>RTL Editor:</p>
+ <div style="border: 1px dotted black;">
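Review bot: the two added editors are manual test pages rather than automated checks, so "including upstream new checks" in [ Tests ] means the page loads, not that an assertion ran. Neither added editor exercises the default array filter: `editorUnsafe` opts out of filtering and `editorLinkFilter` replaces the description wholesale with "Filtered Value". A case that enters a description containing `<` into the default editor and checks the resulting anchor text would cover the fix itself.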
diff --git a/debian/patches/series b/debian/patches/series
index d5b7db42..04f730d1 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -4,3 +4,4 @@
CVE-2019-10785.patch
CVE-2020-5258.diff
CVE-2020-5259.diff
+CVE-2020-4051.patch
--- End Message ---
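As an added, stand-alone illustration of the filter mechanism described in the [ Risks ] section and in the patch above (this is example code written for this page, not dijit's `LinkDialog` implementation; the names `filterLinkText`, `buildAnchor`, `DEFAULT_LINK_FILTER` and `STRICT_LINK_FILTER` are hypothetical), the following JavaScript models a replacement-pair filter with the same three modes: default escaping of `<`, a caller-supplied function, and the `allowUnsafeHtml` opt-out. It goes slightly beyond the patch by failing closed on an invalid `linkFilter`, by guarding against a missing options object, and by showing the ordering a practitioner needs when extending the pair list to `&`:

```javascript
// Added example, not dijit code: a model of the LinkDialog description filter.
// Default filter: only '<' is escaped, which is enough to stop a tag from
// opening in text content but is not a general HTML escape.
const DEFAULT_LINK_FILTER = [[/</g, "&lt;"]];

// Stricter list. '&' must be escaped FIRST, otherwise the '&' produced by
// the later replacements would itself be re-escaped into '&amp;lt;' etc.
const STRICT_LINK_FILTER = [
  [/&/g, "&amp;"],
  [/</g, "&lt;"],
  [/>/g, "&gt;"],
  [/"/g, "&quot;"],
];

// Apply the configured filter to a link description.
// opts.allowUnsafeHtml: explicit opt-out, text is returned untouched.
// opts.linkFilter: a function (called with the text, its return value is used)
//                  or an array of [pattern, replacement] pairs for String#replace.
function filterLinkText(textInput, opts) {
  const options = opts || {}; // guard: callers may pass no options at all
  if (options.allowUnsafeHtml === true) {
    return textInput;
  }
  const filter =
    options.linkFilter === undefined ? DEFAULT_LINK_FILTER : options.linkFilter;
  if (typeof filter === "function") {
    return filter(textInput);
  }
  if (!Array.isArray(filter)) {
    // Fail closed: a misconfigured filter must not silently pass text through.
    throw new TypeError(
      "linkFilter must be a function or an array of [pattern, replacement] pairs"
    );
  }
  return filter.reduce((text, pair) => text.replace(pair[0], pair[1]), textInput);
}

// Build the anchor the editor would insert: the href gets its double quotes
// escaped (attribute context), the description goes through filterLinkText.
function buildAnchor(href, textInput, opts) {
  const safeHref = href.replace(/"/g, "&quot;");
  return '<a href="' + safeHref + '">' + filterLinkText(textInput, opts) + "</a>";
}

// Constructed sample description containing markup.
const SAMPLE_DESCRIPTION = "<b>bold</b> & more";

console.log("default:", buildAnchor("http://example.com/", SAMPLE_DESCRIPTION));
console.log("strict: ", buildAnchor("http://example.com/", SAMPLE_DESCRIPTION, { linkFilter: STRICT_LINK_FILTER }));
console.log("unsafe: ", buildAnchor("http://example.com/", SAMPLE_DESCRIPTION, { allowUnsafeHtml: true }));
console.log("custom: ", buildAnchor("http://example.com/", SAMPLE_DESCRIPTION, { linkFilter: () => "Filtered Value" }));
```

The default mode turns `<b>bold</b>` into `&lt;b>bold&lt;/b>`: no element can start, so the browser renders it as literal text, but the stray `>` and `&` are left alone. The strict list escapes all four characters and only works as written because `&` is handled before the other replacements introduce new ampersands.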
--- Begin Message ---
On Fri, 2022-08-05 at 20:11 +0100, Adam D. Barratt wrote:
> On Fri, 2021-04-16 at 09:49 +0200, Yadd wrote:
> > dojo/dijit is vulnerable to cross-site-scripting (#970000,
> > CVE-2020-4051).
> >
>
> Apologies for not getting back to this sooner.
>
The final point release for buster has now happened, so any further
updates to packages in buster will need to be handled via LTS. I'm
therefore going to close this request now.
Regards,
Adam
--- End Message ---