Package: release.debian.org Severity: normal Tags: bullseye User: release.debian....@packages.debian.org Usertags: pu X-Debbugs-Cc: jquer...@packages.debian.org Control: affects -1 + src:jqueryui
[ Reason ] jqueryui is potentially vulnerable to cross-site scripting (CVE-2022-31160) [ Impact ] Low security issue [ Tests ] Sadly, tests are minimal in this package, but they passed [ Risks ] Low risk, patch is trivial [ Checklist ] [X] *all* changes are documented in the d/changelog [X] I reviewed all changes and I approve them [X] attach debdiff against the package in (old)stable [X] the issue is verified as fixed in unstable [ Changes ] Don't accept label outside of the root element Cheers, Yadd
diff --git a/debian/changelog b/debian/changelog
index 3a6a587..9b1e9cc 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+jqueryui (1.12.1+dfsg-8+deb11u2) bullseye; urgency=medium
+
+ * Team upload
+ * Checkboxradio: Don't re-evaluate text labels as HTML (Closes: CVE-2022-31160)
+
+ -- Yadd <y...@debian.org> Wed, 31 May 2023 15:08:55 +0400
+
 jqueryui (1.12.1+dfsg-8+deb11u1) bullseye; urgency=medium
 
 * Team upload
diff --git a/debian/patches/CVE-2022-31160.patch b/debian/patches/CVE-2022-31160.patch
new file mode 100644
index 0000000..11d7baa
--- /dev/null
+++ b/debian/patches/CVE-2022-31160.patch
@@ -0,0 +1,156 @@
+Description: Checkboxradio: Don't re-evaluate text labels as HTML
+Author: Michał Gołębiowski-Owczarek <m.go...@gmail.com>
+Origin: upstream, https://github.com/jquery/jquery-ui/commit/8cc5bae1
+Bug: https://github.com/jquery/jquery-ui/security/advisories/GHSA-h6gj-6jjq-h8g9
+Forwarded: not-needed
+Applied-Upstream: 1.13.2, commit:8cc5bae1
+Reviewed-By: Yadd <y...@debian.org>
+Last-Update: 2023-05-31
+
+--- a/tests/unit/checkboxradio/checkboxradio.html
++++ b/tests/unit/checkboxradio/checkboxradio.html
+@@ -64,6 +64,18 @@
+ <label>
+ <input type="checkbox" id="label-with-no-for"/>
+ </label>
++<label>
++ <input type="checkbox" id="label-with-no-for-with-html"/>
++ <strong>Hi</strong>, <em>I'm a label</em>
++</label>
++<label>
++ <input type="checkbox" id="label-with-no-for-with-text"/>
++ Hi, I'm a label
++</label>
++<label>
++ <input type="checkbox" id="label-with-no-for-with-html-like-text"/>
++ <em>Hi, I'm a label</em>
++</label>
+ 
+ <form id="form3"></form>
+ <input type="radio" name="crazy-form" id="crazy-form-1" form="form3" checked="checked">
+--- a/tests/unit/checkboxradio/core.js
++++ b/tests/unit/checkboxradio/core.js
+@@ -135,4 +135,41 @@
+ );
+ } );
+ 
++QUnit.test( "Inheriting label from initial HTML", function( assert ) {
++ var tests = [
++ {
++ id: "label-with-no-for-with-html",
++ expectedLabel: "<strong>Hi</strong>, <em>I'm a label</em>"
++ },
++ {
++ id: "label-with-no-for-with-text",
++ expectedLabel: "Hi, I'm a label"
++ },
++ {
++ id: "label-with-no-for-with-html-like-text",
++ expectedLabel: "<em>Hi, I'm a label</em>"
++ }
++ ];
++
++ assert.expect( tests.length );
++
++ tests.forEach( function( testData ) {
++ var id = testData.id;
++ var expectedLabel = testData.expectedLabel;
++ var inputElem = $( "#" + id );
++ var labelElem = inputElem.parent();
++
++ inputElem.checkboxradio( { icon: false } );
++
++ var labelWithoutInput = labelElem.clone();
++ labelWithoutInput.find( "input" ).remove();
++
++ assert.strictEqual(
++ labelWithoutInput.html().trim(),
++ expectedLabel.trim(),
++ "Label correct [" + id + "]"
++ );
++ } );
++} );
++
+ } );
+--- a/tests/unit/checkboxradio/methods.js
++++ b/tests/unit/checkboxradio/methods.js
+@@ -94,4 +94,42 @@
+ assert.strictEqual( input.parent()[ 0 ], element[ 0 ], "Input preserved" );
+ } );
+ 
++QUnit.test( "Initial text label not turned to HTML on refresh", function( assert ) {
++ var tests = [
++ {
++ id: "label-with-no-for-with-html",
++ expectedLabel: "<strong>Hi</strong>, <em>I'm a label</em>"
++ },
++ {
++ id: "label-with-no-for-with-text",
++ expectedLabel: "Hi, I'm a label"
++ },
++ {
++ id: "label-with-no-for-with-html-like-text",
++ expectedLabel: "<em>Hi, I'm a label</em>"
++ }
++ ];
++
++ assert.expect( tests.length );
++
++ tests.forEach( function( testData ) {
++ var id = testData.id;
++ var expectedLabel = testData.expectedLabel;
++ var inputElem = $( "#" + id );
++ var labelElem = inputElem.parent();
++
++ inputElem.checkboxradio( { icon: false } );
++ inputElem.checkboxradio( "refresh" );
++
++ var labelWithoutInput = labelElem.clone();
++ labelWithoutInput.find( "input" ).remove();
++
++ assert.strictEqual(
++ labelWithoutInput.html().trim(),
++ expectedLabel.trim(),
++ "Label correct [" + id + "]"
++ );
++ } );
++} );
++
+ } );
+--- a/ui/widgets/checkboxradio.js
++++ b/ui/widgets/checkboxradio.js
+@@ -48,8 +48,7 @@
+ },
+ 
+ _getCreateOptions: function() {
+- var disabled, labels;
+- var that = this;
++ var disabled, labels, labelContents;
+ var options = this._super() || {};
+ 
+ // We read the type here, because it makes more sense to throw a element type error first,
+@@ -69,12 +68,18 @@
+ 
+ // We need to get the label text but this may also need to make sure it does not contain the
+ // input itself.
+- this.label.contents().not( this.element[ 0 ] ).each( function() {
+-
+- // The label contents could be text, html, or a mix. We concat each element to get a
+- // string representation of the label, without the input as part of it.
+- that.originalLabel += this.nodeType === 3 ? $( this ).text() : this.outerHTML;
+- } );
++ // The label contents could be text, html, or a mix. We wrap all elements
++ // and read the wrapper's `innerHTML` to get a string representation of
++ // the label, without the input as part of it.
++ labelContents = this.label.contents().not( this.element[ 0 ] );
++
++ if ( labelContents.length ) {
++ this.originalLabel += labelContents
++ .clone()
++ .wrapAll( "<div></div>" )
++ .parent()
++ .html();
++ }
+ 
+ // Set the label option if we found label text
+ if ( this.originalLabel ) {
diff --git a/debian/patches/series b/debian/patches/series
index 71a6270..f06c833 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -4,3 +4,4 @@ use_system_files_in_examples.patch
 CVE-2021-41182.patch
 CVE-2021-41183.patch
 CVE-2021-41184.patch
+CVE-2022-31160.patch
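Review bot: In the `ui/widgets/checkboxradio.js` part of the new patch, the replacement comment describes the mechanics (clone, `wrapAll`, read the wrapper's `innerHTML`) but not why that replaces the per-node `$( this ).text()` / `outerHTML` concatenation: `.html()` serialises text nodes entity-escaped, so label text that merely looks like markup is not re-evaluated as HTML when the stored label is written back, which is what the `refresh` test in methods.js pins. I would add one line above `labelContents = …`: `// Serialising via .html() keeps text nodes escaped, so a label that only looks like markup is not re-interpreted as HTML later (CVE-2022-31160).` Separately, the `label-with-no-for-with-html-like-text` fixture and its `expectedLabel` read here as real `<em>` markup, indistinguishable from the `with-html` case; if the list archive decoded `&lt;`/`&gt;` entities this is only a display artifact, but it is worth confirming the applied patch keeps them escaped, otherwise the text-that-looks-like-markup path is untested. `this.originalLabel +=` relies on the field already holding a string, and `_getCreateOptions` both begins before and continues past this hunk, so that cannot be checked from here.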