[Pkg-javascript-devel] Bug#699482: CVE-2011-4969: jQuery 1.6.2 XSS
Salvatore Bonaccorso
carnil at debian.org
Sat Feb 9 15:26:46 UTC 2013
Control: forwarded 699482 http://bugs.jquery.com/ticket/9521
Hi Luciano
On Thu, Jan 31, 2013 at 10:50:44PM +0100, Luciano Bello wrote:
> Package: jquery
> Severity: important
> Tags: security squeeze
> Justification: user security hole
>
> Hi there,
> It's 2011 calling :)
> The CVE-2011-4969 for this issue:
> http://blog.jquery.com/2011/09/01/jquery-1-6-3-released/
> I'm not sure if squeeze (1.4.2-2) is affected. Any way to check it?
It looks like a bit of a 'complicated' situation[0], and upstream applied the
following commit[1]. Attached is also the debdiff, but I'm not
comfortable with it right now as it's untested.
[0]: http://bugs.jquery.com/ticket/9521
[1]: https://github.com/jquery/jquery/commit/749dbad981f040bd65cbb50c10e9aa6e44bd26ff
Regards,
Salvatore
-------------- next part --------------
diff -u jquery-1.4.2/debian/changelog jquery-1.4.2/debian/changelog
--- jquery-1.4.2/debian/changelog
+++ jquery-1.4.2/debian/changelog
@@ -1,3 +1,11 @@
+jquery (1.4.2-2+squeeze1) stable-security; urgency=high
+
+ * Non-maintainer upload.
+ * [SECURITY] CVE-2011-4969: Fix XSS via $(location.hash) and $(#<tag>). See
+ http://bugs.jquery.com/ticket/9521. (Closes: #699482)
+
+ -- Salvatore Bonaccorso <carnil at debian.org> Sat, 09 Feb 2013 16:21:59 +0100
+
jquery (1.4.2-2) unstable; urgency=low
* Setting debhelper version to >= 7.0.50~
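Review bot: The [SECURITY] changelog line writes the second vector as `$(#<tag>)`, which is not a valid call as written; quoting the argument, as in `$("#<tag>")`, would make the affected pattern unambiguous. The entry also names neither the file changed nor the upstream commit being backported; adding `src/core.js` and the commit linked as [1] in the mail would let the security team trace the fix without opening the ticket.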
only in patch2:
unchanged:
--- jquery-1.4.2.orig/src/core.js
+++ jquery-1.4.2/src/core.js
@@ -17,8 +17,8 @@
rootjQuery,
// A simple way to check for HTML strings or ID strings
- // (both of which we optimize for)
- quickExpr = /^[^<]*(<[\w\W]+>)[^>]*$|^#([\w-]+)$/,
+ // Prioritize #id over <tag> to avoid XSS via location.hash (#9521)
+ quickExpr = /^(?:[^#<]*(<[\w\W]+>)[^>]*$|#([\w\-]*)$)/,
// Is it a simple selector
isSimple = /^.[^:#\[\.,]*$/,
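Review bot: In the new `quickExpr`, the id branch goes from `#([\w-]+)` to `#([\w\-]*)`, so a bare `#` now matches with an empty second capture group. The code that consumes that group is outside this hunk, so confirm it handles an empty id, or keep `+` if the empty case is not intended. The `[^#<]*` prefix also means a string with a `#` anywhere before its first `<` no longer takes the HTML branch. That is the point of the fix, but it is a behaviour change for existing callers in a stable release, and the new comment could state it explicitly rather than only "Prioritize #id over <tag>".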