On 5/31/23 23:30, Salvatore Bonaccorso wrote:
Hi Yadd,

On Wed, May 31, 2023 at 03:13:06PM +0400, Yadd wrote:
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian....@packages.debian.org
Usertags: pu
X-Debbugs-Cc: jquer...@packages.debian.org
Control: affects -1 + src:jqueryui

[ Reason ]
jqueryui is vulnerable to cross-site scripting in the checkboxradio widget:
label text inherited from the initial markup was re-evaluated as HTML (e.g. on
refresh), so markup-like text became live markup (CVE-2022-31160)

[ Impact ]
Low-severity security issue (cross-site scripting, see above)

[ Tests ]
Sadly, the test suite in this package is minimal. The patch adds upstream's checkboxradio regression tests for this issue, and the tests passed.

[ Risks ]
Low risk: the patch is small and comes from upstream (commit 8cc5bae1, released in jQuery UI 1.13.2).

[ Checklist ]
   [X] *all* changes are documented in the d/changelog
   [X] I reviewed all changes and I approve them
   [X] attach debdiff against the package in (old)stable
   [X] the issue is verified as fixed in unstable

[ Changes ]
Checkboxradio: don't re-evaluate text labels as HTML (see the CVE-2022-31160 patch in the debdiff below)

Cheers,
Yadd

diff --git a/debian/changelog b/debian/changelog
index 3a6a587..9b1e9cc 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+jqueryui (1.12.1+dfsg-8+deb11u2) bullseye; urgency=medium
+
+  * Team upload
+  * Checkboxradio: Don't re-evaluate text labels as HTML (Closes: 
CVE-2022-31160)
+
+ -- Yadd <y...@debian.org>  Wed, 31 May 2023 15:08:55 +0400

Minor thing: you could also close #1015982 with this upload.

Hi,

Sure, here is the new debdiff:
diff --git a/debian/changelog b/debian/changelog
index 3a6a587..dc02159 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+jqueryui (1.12.1+dfsg-8+deb11u2) bullseye; urgency=medium
+
+  * Team upload
+  * Checkboxradio: Don't re-evaluate text labels as HTML
+    (Closes: #1015982, CVE-2022-31160)
+
+ -- Yadd <y...@debian.org>  Thu, 01 Jun 2023 06:50:09 +0400
+
 jqueryui (1.12.1+dfsg-8+deb11u1) bullseye; urgency=medium
 
   * Team upload
diff --git a/debian/patches/CVE-2022-31160.patch 
b/debian/patches/CVE-2022-31160.patch
new file mode 100644
index 0000000..8f5238d
--- /dev/null
+++ b/debian/patches/CVE-2022-31160.patch
@@ -0,0 +1,157 @@
+Description: Checkboxradio: Don't re-evaluate text labels as HTML
+Author: Michał Gołębiowski-Owczarek <m.go...@gmail.com>
+Origin: upstream, https://github.com/jquery/jquery-ui/commit/8cc5bae1
+Bug: 
https://github.com/jquery/jquery-ui/security/advisories/GHSA-h6gj-6jjq-h8g9
+Bug-Debian: https://bugs.debian.org/1015982
+Forwarded: not-needed
+Applied-Upstream: 1.13.2, commit:8cc5bae1
+Reviewed-By: Yadd <y...@debian.org>
+Last-Update: 2023-05-31
+
+--- a/tests/unit/checkboxradio/checkboxradio.html
++++ b/tests/unit/checkboxradio/checkboxradio.html
+@@ -64,6 +64,18 @@
+ <label>
+       <input type="checkbox" id="label-with-no-for"/>
+ </label>
++<label>
++      <input type="checkbox" id="label-with-no-for-with-html"/>
++      <strong>Hi</strong>, <em>I'm a label</em>
++</label>
++<label>
++      <input type="checkbox" id="label-with-no-for-with-text"/>
++      Hi, I'm a label
++</label>
++<label>
++      <input type="checkbox" id="label-with-no-for-with-html-like-text"/>
++      &lt;em&gt;Hi, I'm a label&lt;/em&gt;
++</label>
+ 
+ <form id="form3"></form>
+ <input type="radio" name="crazy-form" id="crazy-form-1" form="form3" 
checked="checked">
+--- a/tests/unit/checkboxradio/core.js
++++ b/tests/unit/checkboxradio/core.js
+@@ -135,4 +135,41 @@
+       );
+ } );
+ 
++QUnit.test( "Inheriting label from initial HTML", function( assert ) {
++      var tests = [
++              {
++                      id: "label-with-no-for-with-html",
++                      expectedLabel: "<strong>Hi</strong>, <em>I'm a 
label</em>"
++              },
++              {
++                      id: "label-with-no-for-with-text",
++                      expectedLabel: "Hi, I'm a label"
++              },
++              {
++                      id: "label-with-no-for-with-html-like-text",
++                      expectedLabel: "&lt;em&gt;Hi, I'm a label&lt;/em&gt;"
++              }
++      ];
++
++      assert.expect( tests.length );
++
++      tests.forEach( function( testData ) {
++              var id = testData.id;
++              var expectedLabel = testData.expectedLabel;
++              var inputElem = $( "#" + id );
++              var labelElem = inputElem.parent();
++
++              inputElem.checkboxradio( { icon: false } );
++
++              var labelWithoutInput = labelElem.clone();
++              labelWithoutInput.find( "input" ).remove();
++
++              assert.strictEqual(
++                      labelWithoutInput.html().trim(),
++                      expectedLabel.trim(),
++                      "Label correct [" + id + "]"
++              );
++      } );
++} );
++
+ } );
+--- a/tests/unit/checkboxradio/methods.js
++++ b/tests/unit/checkboxradio/methods.js
+@@ -94,4 +94,42 @@
+       assert.strictEqual( input.parent()[ 0 ], element[ 0 ], "Input 
preserved" );
+ } );
+ 
++QUnit.test( "Initial text label not turned to HTML on refresh", function( 
assert ) {
++      var tests = [
++              {
++                      id: "label-with-no-for-with-html",
++                      expectedLabel: "<strong>Hi</strong>, <em>I'm a 
label</em>"
++              },
++              {
++                      id: "label-with-no-for-with-text",
++                      expectedLabel: "Hi, I'm a label"
++              },
++              {
++                      id: "label-with-no-for-with-html-like-text",
++                      expectedLabel: "&lt;em&gt;Hi, I'm a label&lt;/em&gt;"
++              }
++      ];
++
++      assert.expect( tests.length );
++
++      tests.forEach( function( testData ) {
++              var id = testData.id;
++              var expectedLabel = testData.expectedLabel;
++              var inputElem = $( "#" + id );
++              var labelElem = inputElem.parent();
++
++              inputElem.checkboxradio( { icon: false } );
++              inputElem.checkboxradio( "refresh" );
++
++              var labelWithoutInput = labelElem.clone();
++              labelWithoutInput.find( "input" ).remove();
++
++              assert.strictEqual(
++                      labelWithoutInput.html().trim(),
++                      expectedLabel.trim(),
++                      "Label correct [" + id + "]"
++              );
++      } );
++} );
++
+ } );
+--- a/ui/widgets/checkboxradio.js
++++ b/ui/widgets/checkboxradio.js
+@@ -48,8 +48,7 @@
+       },
+ 
+       _getCreateOptions: function() {
+-              var disabled, labels;
+-              var that = this;
++              var disabled, labels, labelContents;
+               var options = this._super() || {};
+ 
+               // We read the type here, because it makes more sense to throw 
a element type error first,
+@@ -69,12 +68,18 @@
+ 
+               // We need to get the label text but this may also need to make 
sure it does not contain the
+               // input itself.
+-              this.label.contents().not( this.element[ 0 ] ).each( function() 
{
+-
+-                      // The label contents could be text, html, or a mix. We 
concat each element to get a
+-                      // string representation of the label, without the 
input as part of it.
+-                      that.originalLabel += this.nodeType === 3 ? $( this 
).text() : this.outerHTML;
+-              } );
++              // The label contents could be text, html, or a mix. We wrap 
all elements
++              // and read the wrapper's `innerHTML` to get a string 
representation of
++              // the label, without the input as part of it.
++              labelContents = this.label.contents().not( this.element[ 0 ] );
++
++              if ( labelContents.length ) {
++                      this.originalLabel += labelContents
++                              .clone()
++                              .wrapAll( "<div></div>" )
++                              .parent()
++                              .html();
++              }
+ 
+               // Set the label option if we found label text
+               if ( this.originalLabel ) {
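Review bot: The `.clone()` before `.wrapAll()` in `_getCreateOptions` (ui/widgets/checkboxradio.js) carries no comment, and neither does the security reason the serialization changed, so a later cleanup could drop the clone or go back to `text()` concatenation and silently reintroduce the bug. I would put above the `labelContents = ...` assignment: `// Serialize through innerHTML instead of concatenating text(): a text node that merely looks like markup (e.g. "<em>") is entity-escaped, so it is not re-parsed as HTML when the label option is applied.` and on the clone line `// clone() first: wrapAll() would otherwise move the live label nodes into the wrapper.` The `label` option itself presumably still accepts HTML (originalLabel is assigned to it right below), so a page that passes user-controlled text to that option must escape it itself; this patch only fixes the inherit-from-markup path. `_getCreateOptions` continues past the end of the hunk.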
diff --git a/debian/patches/series b/debian/patches/series
index 71a6270..f06c833 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -4,3 +4,4 @@ use_system_files_in_examples.patch
 CVE-2021-41182.patch
 CVE-2021-41183.patch
 CVE-2021-41184.patch
+CVE-2022-31160.patch
