Version in base suite: 3.4.2-2 Base version: node-knockout_3.4.2-2 Target version: node-knockout_3.4.2-2+deb10u1 Base file: /srv/ftp-master.debian.org/ftp/pool/main/n/node-knockout/node-knockout_3.4.2-2.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/n/node-knockout/node-knockout_3.4.2-2+deb10u1.dsc changelog | 7 ++++++ patches/CVE-2019-14862.diff | 45 ++++++++++++++++++++++++++++++++++++++++++++ patches/series | 1 upstream/metadata | 7 ------ 4 files changed, 53 insertions(+), 7 deletions(-)
diff -Nru node-knockout-3.4.2/debian/changelog node-knockout-3.4.2/debian/changelog
--- node-knockout-3.4.2/debian/changelog 2018-12-27 06:04:31.000000000 +0000
+++ node-knockout-3.4.2/debian/changelog 2020-03-26 10:17:36.000000000 +0000
@@ -1,3 +1,10 @@
+node-knockout (3.4.2-2+deb10u1) buster; urgency=medium
+
+ * Team upload
+ * Fix bad escaping for old MSIE (Closes: #943560, CVE-2019-14862)
+
+ -- Xavier Guimard Thu, 26 Mar 2020 11:17:36 +0100
+
 node-knockout (3.4.2-2) unstable; urgency=medium
 
 * Mark package as Multi-Arch: foreign
diff -Nru node-knockout-3.4.2/debian/patches/CVE-2019-14862.diff node-knockout-3.4.2/debian/patches/CVE-2019-14862.diff
--- node-knockout-3.4.2/debian/patches/CVE-2019-14862.diff 1970-01-01 00:00:00.000000000 +0000
+++ node-knockout-3.4.2/debian/patches/CVE-2019-14862.diff 2020-03-26 10:17:12.000000000 +0000 
@@ -0,0 +1,45 @@
+Description: fix for CVE-2019-14862
+Author: Michael Best
+Origin: upstream, https://github.com/knockout/knockout/pull/2345/files
+Bug: https://github.com/knockout/knockout/issues/1244
+Bug-Debian: https://bugs.debian.org/943560
+Forwarded: not-needed
+Reviewed-By: Xavier Guimard
+Last-Update: 2020-03-26
+
+--- a/spec/defaultBindings/attrBehaviors.js
++++ b/spec/defaultBindings/attrBehaviors.js
+@@ -26,6 +26,14 @@
+ expect(testNode.childNodes[0].outerHTML).toNotMatch('name="?([^">]+)');
+ }
+ expect(testNode.childNodes[0].getAttribute("name")).toEqual("");
++
++ // Check that special characters are handled appropriately
++ myValue("");
++ expect(testNode.childNodes[0].name).toEqual("");
++ if (testNode.childNodes[0].outerHTML) { // Old Firefox doesn't support outerHTML
++ expect(testNode.childNodes[0].outerHTML).toMatch('name="?(<|<)A name with special &\'" chars(>|>)"?');
++ }
++ expect(testNode.childNodes[0].getAttribute("name")).toEqual("");
+ });
+
+ it('Should respond to changes in an observable value', function() {
+@@ -62,4 +70,4 @@
+ expect(testNode.childNodes[0].className).toEqual("");
+ expect(testNode.childNodes[0].getAttribute("class")).toEqual(null);
+ });
+-});
+\ No newline at end of file
++});
+--- a/src/utils.js
++++ b/src/utils.js
+@@ -451,7 +451,8 @@
+ // - http://www.matts411.com/post/setting_the_name_attribute_in_ie_dom/
+ if (ieVersion <= 7) {
+ try {
+- element.mergeAttributes(document.createElement(""), false);
++ var escapedName = element.name.replace(/[&<>'"]/g, function(r){ return "&#" + r.charCodeAt(0) + ";"; });
++ element.mergeAttributes(document.createElement(""), false);
+ }
+ catch(e) {} // For IE9 with doc mode "IE9 Standards" and browser mode "IE9 Compatibility View"
+ }
diff -Nru node-knockout-3.4.2/debian/patches/series node-knockout-3.4.2/debian/patches/series
--- node-knockout-3.4.2/debian/patches/series 2018-12-27 06:04:31.000000000 +0000
+++ node-knockout-3.4.2/debian/patches/series 2020-03-26 
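Review bot: As rendered here, `escapedName` is assigned on the new line in src/utils.js but the `document.createElement("")` call on the line after it never references it, which would leave the escaping dead and the fix a no-op. This is most likely an extraction artifact rather than a defect in the patch — angle-bracketed markup appears stripped elsewhere in the same hunk (e.g. `myValue("")` in the spec, whose accompanying `toMatch` pattern clearly expects a value containing `<`, `>`, `&`, `'` and `"`) — so the reviewer should confirm that the archived patch file interpolates `escapedName`, not `element.name`, into the markup string handed to `createElement`. The replacement itself, rewriting every `&<>'"` as a numeric character reference before the value lands inside attribute markup, is the correct shape for this class of attribute-injection bug. The spec's expected pattern also shows `(<|<)` and `(>|>)`, which reads like `&lt;`/`&gt;` alternatives decoded during extraction; worth checking the entity forms survived in the archived file. The enclosing function in src/utils.js starts and ends outside the hunk.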
10:17:12.000000000 +0000
@@ -1 +1,2 @@
 gruntfile.patch
+CVE-2019-14862.diff
diff -Nru node-knockout-3.4.2/debian/upstream/metadata node-knockout-3.4.2/debian/upstream/metadata
--- node-knockout-3.4.2/debian/upstream/metadata 2018-12-27 06:04:31.000000000 +0000
+++ node-knockout-3.4.2/debian/upstream/metadata 1970-01-01 00:00:00.000000000 +0000
@@ -1,7 +0,0 @@
----
-Archive: GitHub
-Bug-Database: https://github.com/knockout/knockout/issues
-Contact: https://github.com/knockout/knockout/issues
-Name: knockout
-Repository: https://github.com/knockout/knockout.git
-Repository-Browse: https://github.com/knockout/knockout