Your message dated Sat, 18 Dec 2021 11:36:17 +0000
with message-id
<f35b13da0620aab462a587a3d6f06f29a527c6c9.ca...@adam-barratt.org.uk>
and subject line Closing p-u requests for changes included in 11.2
has caused the Debian Bug report #998832,
regarding bullseye-pu: package jqueryui/1.12.1+dfsg-8+deb11u1
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
998832: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=998832
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian....@packages.debian.org
Usertags: pu
X-Debbugs-Cc: pkg-javascript-de...@lists-alith.debian.net
[ Reason ]
Jquery-UI is the official jQuery user interface library. Prior to version
1.13.0, accepting the value of the `of` option of the `.position()` util
from untrusted sources may execute untrusted code. The issue is fixed in
jQuery UI 1.13.0. Any string value passed to the `of` option is now treated
as a CSS selector. A workaround is to not accept the value of the `of`
option from untrusted sources. (CVE-2021-41184)
[ Impact ]
Medium security issue
[ Tests ]
No test launched for this package.
[ Risks ]
Low risk, patch is trivial
[ Checklist ]
[X] *all* changes are documented in the d/changelog
[X] I reviewed all changes and I approve them
[X] attach debdiff against the package in (old)stable
[X] the issue is verified as fixed in unstable
[ Changes ]
Just a security check
Cheers,
Yadd
diff --git a/debian/changelog b/debian/changelog
index e137315..48b298f 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+jqueryui (1.12.1+dfsg-8+deb11u1) bullseye; urgency=medium
+
+ * Team upload
+ * Make sure `of` is treated as a CSS selector (Closes: CVE-2021-41184)
+
+ -- Yadd <y...@debian.org> Mon, 08 Nov 2021 11:00:00 +0100
+
jqueryui (1.12.1+dfsg-8) unstable; urgency=medium
* Team upload
diff --git a/debian/patches/CVE-2021-41184.patch
b/debian/patches/CVE-2021-41184.patch
new file mode 100644
index 0000000..112a288
--- /dev/null
+++ b/debian/patches/CVE-2021-41184.patch
@@ -0,0 +1,23 @@
+Description: Make sure `of` is treated as a CSS selector (Closes:
CVE-2021-41184)
+ fix "option of the `.position()` util from untrusted sources may execute
untrusted code"
+Author: Michał Gołębiowski-Owczarek <m.go...@gmail.com>
+Origin: upstream, https://github.com/jquery/jquery-ui/commit/effa323f
+Bug:
https://github.com/jquery/jquery-ui/security/advisories/GHSA-gpqq-952q-5327
+Forwarded: not-needed
+Reviewed-By: Yadd <y...@debian.org>
+Last-Update: 2021-11-08
+
+--- a/ui/position.js
++++ b/ui/position.js
+@@ -144,7 +144,10 @@
+ options = $.extend( {}, options );
+
+ var atOffset, targetWidth, targetHeight, targetOffset, basePosition,
dimensions,
+- target = $( options.of ),
++ // Make sure string options are treated as CSS selectors
++ target = typeof options.of === "string" ?
++ $( document ).find( options.of ) :
++ $( options.of ),
+ within = $.position.getWithinInfo( options.within ),
+ scrollInfo = $.position.getScrollInfo( within ),
+ collision = ( options.collision || "flip" ).split( " " ),
diff --git a/debian/patches/series b/debian/patches/series
index a1fcccd..b2738aa 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,3 +1,4 @@
add_missing_semicolon.patch
match_css_source_to_release.patch
use_system_files_in_examples.patch
+CVE-2021-41184.patch
--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 11.2
Hi,
All of the updates referred to by these bugs were included in this
morning's bullseye point release.
Regards,
Adam
--- End Message ---
