Package: release.debian.org
Severity: normal
Tags: bullseye
User: [email protected]
Usertags: pu
X-Debbugs-Cc: [email protected]
[ Reason ]
datatables.js is vulnerable to CVE-2021-23445: if an array is passed to the HTML escape entities, it would not have its content escaped (#995229)

[ Impact ]
Medium vulnerability

[ Tests ]
Sadly, no test for this package

[ Risks ]
Low risk, patch is trivial

[ Checklist ]
[X] *all* changes are documented in the d/changelog
[X] I reviewed all changes and I approve them
[X] attach debdiff against the package in (old)stable
[X] the issue is verified as fixed in unstable

[ Changes ]
Replace array by joined string

Cheers,
Yadd
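To make the [ Reason ] concrete, here is an added example (not DataTables' or Debian's own code) that places the pre-fix and post-fix shape of the escape helper side by side and runs an array through both; the entity table beyond the `&` replacement visible in the debdiff is assumed from the usual HTML escapes, and the sample cell value is constructed.

```javascript
// Added illustration of the CVE-2021-23445 fix pattern, reduced to the part the
// patch touches. The <, > and " replacements are assumed, not copied from upstream.

// Before the fix: only strings are escaped; anything else, arrays included,
// is returned exactly as it came in and ends up in the cell unescaped.
function escapeEntitiesVulnerable(d) {
  return typeof d === 'string'
    ? d.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;').replace(/"/g, '&quot;')
    : d;
}

// After the fix: an array is flattened to a comma-joined string first, so it
// reaches the escaping branch instead of falling through the typeof check.
function escapeEntitiesFixed(d) {
  if (Array.isArray(d)) {
    d = d.join(',');
  }
  return typeof d === 'string'
    ? d.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;').replace(/"/g, '&quot;')
    : d;
}

// Constructed sample: a cell value supplied as an array of strings with markup in it.
const SAMPLE_ARRAY = ['<b>bold</b>', 'Tom & Jerry', '"quoted"'];

// Check what would actually reach the DOM: DataTables stringifies the returned
// value, so an array comes out via Array.prototype.toString (comma-joined, raw).
// '&' is deliberately not in the class because well-formed entities contain it.
function containsRawMarkup(value) {
  return /[<>"]/.test(String(value));
}

console.log('vulnerable :', String(escapeEntitiesVulnerable(SAMPLE_ARRAY)));
console.log('fixed      :', escapeEntitiesFixed(SAMPLE_ARRAY));
```

Non-string, non-array values (numbers, objects) still pass through both versions untouched, which is the behaviour the patch leaves in place.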
diff --git a/debian/changelog b/debian/changelog index 281d0fc..2431f60 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,11 @@ +datatables.js (1.10.21+dfsg-2+deb11u1) bullseye; urgency=medium + + * Team upload. + * Fix: If an array was passed to the HTML escape entities function it would + not have its contents escaped (Closes: #995229, CVE-2021-23445) + + -- Yadd <[email protected]> Wed, 29 Sep 2021 10:22:37 +0200 + datatables.js (1.10.21+dfsg-2) unstable; urgency=medium * Team upload. diff --git a/debian/patches/CVE-2021-23445.patch b/debian/patches/CVE-2021-23445.patch new file mode 100644 index 0000000..92683b9 --- /dev/null +++ b/debian/patches/CVE-2021-23445.patch @@ -0,0 +1,22 @@ +Description: Fix: If an array was passed to the HTML escape entities function it would not have its contents escaped + Many thanks to Alessio Della Libera of Snyk for finding and reporting this. +Author: Allan Jardine <[email protected]> +Origin: upstream, https://github.com/DataTables/Dist-DataTables/commit/59a8d3f8 +Bug: https://security-tracker.debian.org/tracker/CVE-2021-23445 +Bug-Debian: https://bugs.debian.org/995229 +Forwarded: not-needed +Reviewed-By: Yadd <[email protected]> +Last-Update: 2021-09-29 + +--- a/js/ext/ext.helpers.js ++++ b/js/ext/ext.helpers.js +@@ -7,6 +7,9 @@ + */ + + var __htmlEscapeEntities = function ( d ) { ++ if (Array.isArray(d)) { ++ d = d.join(','); ++ } + return typeof d === 'string' ? + d + .replace(/&/g, '&') diff --git a/debian/patches/series b/debian/patches/series index 0272ced..d3c69f7 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -1,3 +1,4 @@ use_correct_closure_path disable_git use-tempdir-and-errexit.patch +CVE-2021-23445.patch
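Review bot: in the nested `--- a/js/ext/ext.helpers.js` hunk, the first context line of the escaping chain reads `.replace(/&/g, '&')`, which as displayed replaces `&` with itself and escapes nothing; this is almost certainly the archive rendering `&amp;` as `&`, but it is worth confirming that the file in debian/patches/CVE-2021-23445.patch carries `'&amp;'` there, because a context line that differs from the source would make quilt refuse to apply the patch at build time. The added `if (Array.isArray(d)) { d = d.join(','); }` sits before the `typeof d === 'string'` test, so a joined array now takes the escaping path; any other non-string value still falls through the ternary unescaped, which is the pre-existing behaviour and matches the narrow scope described in the changelog entry.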
-- 
Pkg-javascript-devel mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel
