Bug#1036980: marked as done (unblock: jquery-minicolors/2.3.5+dfsg-4)

To: Paul Gevers <elbrus@debian.org>
Subject: Bug#1036980: marked as done (unblock: jquery-minicolors/2.3.5+dfsg-4)
From: "Debian Bug Tracking System" <owner@bugs.debian.org>
Date: Thu, 01 Jun 2023 11:45:03 +0000
Message-id: <[🔎] handler.1036980.D1036980.1685619608619983.ackdone@bugs.debian.org>
Reply-to: 1036980@bugs.debian.org
References: <05c08645-1937-1a45-208e-a770077735df@debian.org> <168553737795.448951.11534622664765877915.reportbug@debian117>

Your message dated Thu, 1 Jun 2023 13:40:05 +0200
with message-id <05c08645-1937-1a45-208e-a770077735df@debian.org>
and subject line Re: Bug#1036980: unblock: jquery-minicolors/2.3.5+dfsg-4
has caused the Debian Bug report #1036980,
regarding unblock: jquery-minicolors/2.3.5+dfsg-4
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1036980: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1036980
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems

--- Begin Message ---

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: unblock: jquery-minicolors/2.3.5+dfsg-4
From: Yadd <yadd@debian.org>
Date: Wed, 31 May 2023 16:49:37 +0400
Message-id: <168553737795.448951.11534622664765877915.reportbug@debian117>

Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: jquery-minicolors@packages.debian.org
Control: affects -1 + src:jquery-minicolors

Please unblock package jquery-minicolors

[ Reason ]
jquery-minicolor is vulnerable to a cross-site scripting
(CVE-2021-32850)

[ Impact ]
Low security issue

[ Tests ]
No test here

[ Risks ]
Low risk, patch is trivial

[ Checklist ]
  [X] all changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in testing

Cheers,
Yadd

unblock jquery-minicolors/2.3.5+dfsg-4

diff --git a/debian/changelog b/debian/changelog
index 1e959f0..dcf5b2f 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+jquery-minicolors (2.3.5+dfsg-4) unstable; urgency=medium
+
+  * Team upload
+  * Declare compliance with policy 4.6.2
+  * Fix cross-site scripting issue (Closes: CVE-2021-32850)
+
+ -- Yadd <yadd@debian.org>  Wed, 31 May 2023 16:44:37 +0400
+
 jquery-minicolors (2.3.5+dfsg-3) unstable; urgency=medium
 
   [ Debian Janitor ]
diff --git a/debian/control b/debian/control
index 3dcf29b..66693e1 100644
--- a/debian/control
+++ b/debian/control
@@ -4,7 +4,7 @@ Priority: optional
 Maintainer: Debian JavaScript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>
 Uploaders: Yadd <yadd@debian.org>
 Build-Depends: debhelper-compat (= 13), uglifyjs
-Standards-Version: 4.6.0
+Standards-Version: 4.6.2
 Homepage: https://github.com/jquery-minicolors
 Vcs-Git: https://salsa.debian.org/js-team/jquery-minicolors.git
 Vcs-Browser: https://salsa.debian.org/js-team/jquery-minicolors
diff --git a/debian/patches/CVE-2021-32850.patch b/debian/patches/CVE-2021-32850.patch
new file mode 100644
index 0000000..5e54e6d
--- /dev/null
+++ b/debian/patches/CVE-2021-32850.patch
@@ -0,0 +1,21 @@
+Description: fix XSS vuln
+Author: Cory LaViska <cory@abeautifulsite.net>
+Origin: upstream, https://github.com/claviska/jquery-minicolors/commit/ef134824
+Bug: https://securitylab.github.com/advisories/GHSL-2021-1045_jQuery_MiniColors_Plugin/
+Forwarded: not-needed
+Applied-Upstream: 2.3.6, commit:ef134824
+Reviewed-By: Yadd <yadd@debian.org>
+Last-Update: 2023-05-31
+
+--- a/jquery.minicolors.js
++++ b/jquery.minicolors.js
+@@ -226,7 +226,8 @@
+         }
+         swatchString = swatch;
+         swatch = isRgb(swatch) ? parseRgb(swatch, true) : hex2rgb(parseHex(swatch, true));
+-        $('<li class="minicolors-swatch minicolors-sprite"><span class="minicolors-swatch-color" title="' + name + '"></span></li>')
++        $('<li class="minicolors-swatch minicolors-sprite"><span class="minicolors-swatch-color"></span></li>')
++          .attr("title", name)
+           .appendTo(swatches)
+           .data('swatch-color', swatchString)
+           .find('.minicolors-swatch-color')
diff --git a/debian/patches/series b/debian/patches/series
index 7ba3ddc..b5c3525 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1 +1,2 @@
 0001-Use-local-CSS-and-JavaScript-in-examples.patch
+CVE-2021-32850.patch

--- End Message ---

--- Begin Message ---

To: Yadd <yadd@debian.org>, 1036980-done@bugs.debian.org

Subject: Re: Bug#1036980: unblock: jquery-minicolors/2.3.5+dfsg-4

From: Paul Gevers <elbrus@debian.org>

Date: Thu, 1 Jun 2023 13:40:05 +0200

Message-id: <05c08645-1937-1a45-208e-a770077735df@debian.org>

In-reply-to: <168553737795.448951.11534622664765877915.reportbug@debian117>

References: <168553737795.448951.11534622664765877915.reportbug@debian117>
Hi,

On 31-05-2023 14:49, Yadd wrote:
unblock jquery-minicolors/2.3.5+dfsg-4
unblocked and aged.

Paul
Attachment: OpenPGP_signature
Description: OpenPGP digital signature

--- End Message ---

Reply to:

Prev by Date: Bug#1036979: marked as done (unblock: appstream/0.16.1-2)
Next by Date: Bug#1036982: marked as done (unblock: debspawn/0.6.2-1)
Previous by thread: Bug#1036979: marked as done (unblock: appstream/0.16.1-2)
Next by thread: Bug#1036982: marked as done (unblock: debspawn/0.6.2-1)
Index(es):
- Date
- Thread