Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock
Please unblock package ckeditor

[ Reason ]
ckeditor is vulnerable to a cross-site scripting (XSS) vulnerability in the HTML Data Processor because --!> is mishandled.

[ Impact ]
Medium XSS vulnerability

[ Tests ]
Upstream doesn't provide any test for this package

[ Risks ]
No risk, patch is trivial

[ Checklist ]
[X] all changes are documented in the d/changelog
[X] I reviewed all changes and I approve them
[X] attach debdiff against the package in testing

Cheers,
Yadd

unblock ckeditor/4.16.0+dfsg-2
diff --git a/debian/changelog b/debian/changelog index 72d59540..477ce555 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +ckeditor (4.16.0+dfsg-2) unstable; urgency=medium + + * Team upload + * Treat "--!>" as a valid comment end tag (Closes: CVE-2021-33829) + + -- Yadd <y...@debian.org> Fri, 11 Jun 2021 13:28:40 +0200 + ckeditor (4.16.0+dfsg-1) unstable; urgency=medium * Team upload diff --git a/debian/patches/CVE-2021-33829.patch b/debian/patches/CVE-2021-33829.patch new file mode 100644 index 00000000..228f1859 --- /dev/null +++ b/debian/patches/CVE-2021-33829.patch @@ -0,0 +1,19 @@ +Description: Treat --!> as a valid comment end tag. +Author: Tomasz Jakut <vepo...@gmail.com> +Origin: upstream, https://github.com/ckeditor/ckeditor4/commit/3e426ce3 +Bug: https://github.com/ckeditor/ckeditor4/issues/4659 +Forwarded: not-needed +Reviewed-By: Yadd <y...@debian.org> +Last-Update: 2021-06-11 + +--- a/core/htmlparser.js ++++ b/core/htmlparser.js +@@ -17,7 +17,7 @@ + */ + CKEDITOR.htmlParser = function() { + this._ = { +- htmlPartsRegex: /<(?:(?:\/([^>]+)>)|(?:!--([\S|\s]*?)-->)|(?:([^\/\s>]+)((?:\s+[\w\-:.]+(?:\s*=\s*?(?:(?:"[^"]*")|(?:'[^']*')|[^\s"'\/>]+))?)*)[\S\s]*?(\/?)>))/g ++ htmlPartsRegex: /<(?:(?:\/([^>]+)>)|(?:!--([\S|\s]*?)--!?>)|(?:([^\/\s>]+)((?:\s+[\w\-:.]+(?:\s*=\s*?(?:(?:"[^"]*")|(?:'[^']*')|[^\s"'\/>]+))?)*)[\S\s]*?(\/?)>))/g + }; + }; + diff --git a/debian/patches/series b/debian/patches/series index d0d2ffa6..2b74345d 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -1,3 +1,4 @@ 0001-build-corrections-skip-debian-dir.patch 0002-Remove-flash-example.patch 0003-Remove-autogenerated-part-of-file.patch +CVE-2021-33829.patch
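Review bot: in the debian/changelog hunk, `(Closes: CVE-2021-33829)` will not be parsed as a bug closure, because `Closes:` is reserved for Debian bug numbers in the `Closes: #NNNNNN` form. Suggest `* Treat "--!>" as a valid comment end tag (CVE-2021-33829)` and, if a Debian bug is open for this CVE, reference its number separately as `Closes: #<bug>`.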
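Review bot: in the debian/patches/CVE-2021-33829.patch hunk, the comment alternative of htmlPartsRegex now ends at either `-->` or `--!>` (`--!?>`), which is the minimal correct fix: a browser closes a comment at `--!>`, so markup between an `--!>` and a later `-->` must not be swallowed as comment text by the editor's parser. Since neither the upstream commit referenced in `Origin:` nor this patch carries a test (the unblock text confirms this), consider adding a small regression check that `<!-- x --!>` parses as a complete comment. Two minor points: `[\S|\s]` contains a redundant literal `|` (pre-existing, not introduced here), and the DEP-3 header has only an upstream `Bug:` line; add `Bug-Debian:` if a Debian bug exists.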
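Review bot: in the debian/patches/series hunk, the new entry `CVE-2021-33829.patch` breaks the `000N-` numbered naming used by the three existing patches; renaming it `0004-CVE-2021-33829.patch` (and the file under `debian/patches/`) keeps the apply order self-evident. Appending it at the end of series is correct.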
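To see why the [ Reason ] above matters for the editor's HTML Data Processor, here is an added example that is not part of the unblock request or of the ckeditor code base. The two regexes are copied verbatim from the debdiff (the `-` and `+` lines of the core/htmlparser.js hunk); the `tokenize` helper, the `seesElement` helper and the sample input are constructed for this illustration and are not ckeditor's own parser loop.

```javascript
// Added example; not code from the unblock request or from the ckeditor project.
// BEFORE/AFTER are the htmlPartsRegex values before and after the
// CVE-2021-33829 patch, copied from the debdiff. Everything else is constructed.
const BEFORE = /<(?:(?:\/([^>]+)>)|(?:!--([\S|\s]*?)-->)|(?:([^\/\s>]+)((?:\s+[\w\-:.]+(?:\s*=\s*?(?:(?:"[^"]*")|(?:'[^']*')|[^\s"'\/>]+))?)*)[\S\s]*?(\/?)>))/g;
const AFTER = /<(?:(?:\/([^>]+)>)|(?:!--([\S|\s]*?)--!?>)|(?:([^\/\s>]+)((?:\s+[\w\-:.]+(?:\s*=\s*?(?:(?:"[^"]*")|(?:'[^']*')|[^\s"'\/>]+))?)*)[\S\s]*?(\/?)>))/g;

// Constructed sample: per the HTML spec a browser closes the first comment at
// "--!>", so <b>visible</b> is live markup. A parser that only recognises
// "-->" sees one big comment and never inspects the <b> element.
const SAMPLE = '<!-- note --!><b>visible</b><!-- -->';

// Minimal tokenizer driven by htmlPartsRegex: group 1 = closing tag name,
// group 2 = comment body, group 3 = opening tag name; gaps between matches
// are emitted as text tokens.
function tokenize(regex, html) {
  const re = new RegExp(regex.source, 'g'); // fresh lastIndex for every call
  const tokens = [];
  let pos = 0;
  let m;
  while ((m = re.exec(html)) !== null) {
    if (m.index > pos) tokens.push('text:' + html.slice(pos, m.index));
    if (m[1] !== undefined) tokens.push('close:' + m[1]);
    else if (m[2] !== undefined) tokens.push('comment:' + m[2].trim());
    else tokens.push('open:' + m[3]);
    pos = re.lastIndex;
  }
  if (pos < html.length) tokens.push('text:' + html.slice(pos));
  return tokens;
}

// True when the parser surfaces the named element as a tag token (so a filter
// can act on it) instead of hiding it inside a comment body.
function seesElement(regex, html, name) {
  return tokenize(regex, html).includes('open:' + name);
}

console.log('before:', tokenize(BEFORE, SAMPLE));
console.log('after: ', tokenize(AFTER, SAMPLE));
```

Run with `node`: with the old regex the whole sample collapses into a single comment token, so the `<b>` element is invisible to anything built on top of the parser, while the patched regex yields comment, open tag, text, close tag, comment, matching what a browser will render. That agreement between the sanitizing parser and the browser is the property the one-character regex change restores.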