Version in base suite: 1.12.1+dfsg-8+deb11u1 Base version: jqueryui_1.12.1+dfsg-8+deb11u1 Target version: jqueryui_1.12.1+dfsg-8+deb11u2 Base file: /srv/ftp-master.debian.org/ftp/pool/main/j/jqueryui/jqueryui_1.12.1+dfsg-8+deb11u1.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/j/jqueryui/jqueryui_1.12.1+dfsg-8+deb11u2.dsc changelog | 7 + patches/CVE-2022-31160.patch | 156 +++++++++++++++++++++++++++++++++++++++++++ patches/series | 1 3 files changed, 164 insertions(+)
diff -Nru jqueryui-1.12.1+dfsg/debian/changelog jqueryui-1.12.1+dfsg/debian/changelog
--- jqueryui-1.12.1+dfsg/debian/changelog 2021-12-06 07:29:59.000000000 +0000
+++ jqueryui-1.12.1+dfsg/debian/changelog 2023-05-31 11:08:55.000000000 +0000
@@ -1,3 +1,10 @@
+jqueryui (1.12.1+dfsg-8+deb11u2) bullseye; urgency=medium
+
+ * Team upload
+ * Checkboxradio: Don't re-evaluate text labels as HTML (Closes: CVE-2022-31160)
+
+ -- Yadd Wed, 31 May 2023 15:08:55 +0400
+
 jqueryui (1.12.1+dfsg-8+deb11u1) bullseye; urgency=medium
 * Team upload
diff -Nru jqueryui-1.12.1+dfsg/debian/patches/CVE-2022-31160.patch jqueryui-1.12.1+dfsg/debian/patches/CVE-2022-31160.patch
--- jqueryui-1.12.1+dfsg/debian/patches/CVE-2022-31160.patch 1970-01-01 00:00:00.000000000 +0000
+++ jqueryui-1.12.1+dfsg/debian/patches/CVE-2022-31160.patch 2023-05-31 11:08:55.000000000 +0000
@@ -0,0 +1,156 @@
+Description: Checkboxradio: Don't re-evaluate text labels as HTML
+Author: Michał Gołębiowski-Owczarek
+Origin: upstream, https://github.com/jquery/jquery-ui/commit/8cc5bae1
+Bug: https://github.com/jquery/jquery-ui/security/advisories/GHSA-h6gj-6jjq-h8g9
+Forwarded: not-needed
+Applied-Upstream: 1.13.2, commit:8cc5bae1
+Reviewed-By: Yadd
+Last-Update: 2023-05-31
+
+--- a/tests/unit/checkboxradio/checkboxradio.html
++++ b/tests/unit/checkboxradio/checkboxradio.html
+@@ -64,6 +64,18 @@
+ ++ ++ ++ + +
+
+--- a/tests/unit/checkboxradio/core.js
++++ b/tests/unit/checkboxradio/core.js
+@@ -135,4 +135,41 @@
+ );
+ } );
++
++QUnit.test( "Inheriting label from initial HTML", function( assert ) {
++ var tests = [
++ {
++ id: "label-with-no-for-with-html",
++ expectedLabel: "Hi, I'm a label"
++ },
++ {
++ id: "label-with-no-for-with-text",
++ expectedLabel: "Hi, I'm a label"
++ },
++ {
++ id: "label-with-no-for-with-html-like-text",
++ expectedLabel: "<em>Hi, I'm a label</em>"
++ }
++ ];
++
++ assert.expect( tests.length );
++
++ tests.forEach( function( testData ) {
++ var id = testData.id;
++ var expectedLabel = testData.expectedLabel;
++ var inputElem = $( "#" + id );
++ var labelElem = inputElem.parent();
++
++ inputElem.checkboxradio( { icon: false } );
++
++ var labelWithoutInput = labelElem.clone();
++ labelWithoutInput.find( "input" ).remove();
++
++ assert.strictEqual(
++ labelWithoutInput.html().trim(),
++ expectedLabel.trim(),
++ "Label correct [" + id + "]"
++ );
++ } );
++} );
++
+ } );
+--- a/tests/unit/checkboxradio/methods.js
++++ b/tests/unit/checkboxradio/methods.js
+@@ -94,4 +94,42 @@
+ assert.strictEqual( input.parent()[ 0 ], element[ 0 ], "Input preserved" );
+ } );
++
++QUnit.test( "Initial text label not turned to HTML on refresh", function( assert ) {
++ var tests = [
++ {
++ id: "label-with-no-for-with-html",
++ expectedLabel: "Hi, I'm a label"
++ },
++ {
++ id: "label-with-no-for-with-text",
++ expectedLabel: "Hi, I'm a label"
++ },
++ {
++ id: "label-with-no-for-with-html-like-text",
++ expectedLabel: "<em>Hi, I'm a label</em>"
++ }
++ ];
++
++ assert.expect( tests.length );
++
++ tests.forEach( function( testData ) {
++ var id = testData.id;
++ var expectedLabel = testData.expectedLabel;
++ var inputElem = $( "#" + id );
++ var labelElem = inputElem.parent();
++
++ inputElem.checkboxradio( { icon: false } );
++ inputElem.checkboxradio( "refresh" );
++
++ var labelWithoutInput = labelElem.clone();
++ labelWithoutInput.find( "input" ).remove();
++
++ assert.strictEqual(
++ labelWithoutInput.html().trim(),
++ expectedLabel.trim(),
++ "Label correct [" + id + "]"
++ );
++ } );
++} );
++
+ } );
+--- a/ui/widgets/checkboxradio.js
++++ b/ui/widgets/checkboxradio.js
+@@ -48,8 +48,7 @@
+ },
+
+ _getCreateOptions: function() {
+- var disabled, labels;
+- var that = this;
++ var disabled, labels, labelContents;
+ var options = this._super() || {};
+
+ // We read the type here, because it makes more sense to throw a element type error first,
+@@ -69,12 +68,18 @@
+
+ // We need to get the label text but this may also need to make sure it does not contain the
+ // input itself.
+- this.label.contents().not( this.element[ 0 ] ).each( function() {
+-
+- // The label contents could be text, html, or a mix. We concat each element to get a
+- // string representation of the label, without the input as part of it.
+- that.originalLabel += this.nodeType === 3 ? $( this ).text() : this.outerHTML;
+- } );
++ // The label contents could be text, html, or a mix. We wrap all elements
++ // and read the wrapper's `innerHTML` to get a string representation of
++ // the label, without the input as part of it.
++ labelContents = this.label.contents().not( this.element[ 0 ] );
++
++ if ( labelContents.length ) {
++ this.originalLabel += labelContents
++ .clone()
++ .wrapAll( "
" )
++ .parent()
++ .html();
++ }
+
+ // Set the label option if we found label text
+ if ( this.originalLabel ) {
diff -Nru jqueryui-1.12.1+dfsg/debian/patches/series jqueryui-1.12.1+dfsg/debian/patches/series
--- jqueryui-1.12.1+dfsg/debian/patches/series 2021-12-06 07:29:59.000000000 +0000
+++ jqueryui-1.12.1+dfsg/debian/patches/series 2023-05-31 11:08:55.000000000 +0000
@@ -4,3 +4,4 @@
 CVE-2021-41182.patch
 CVE-2021-41183.patch
 CVE-2021-41184.patch
+CVE-2022-31160.patch
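Review bot: The new comment before `labelContents` in the `ui/widgets/checkboxradio.js` hunk describes the mechanism but not why it matters, so a later maintainer could "simplify" it back to `.text()` and reintroduce exactly what this patch closes. The fix works because serializing the detached wrapper with `.html()` keeps text nodes entity-escaped, whereas the removed `$( this ).text()` branch returned raw characters that were later re-interpreted as markup; suggest adding `// Reading innerHTML (not text()) keeps text nodes entity-escaped, so label text that merely looks like markup is not re-evaluated as HTML when the label option is written back.` `_getCreateOptions` begins in the first inner hunk and continues past this one, so the initialization of `this.originalLabel` that the `+=` relies on is outside the hunk, and dropping `var that = this;` is safe only if `that` had no remaining use in the rest of the method, which is not visible here. Note also that this patch only changes labels read from the existing DOM: a `label` option passed explicitly is presumably still treated as HTML elsewhere in the widget, so that contract is worth stating in the option's documentation.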