Bundled jquery-ui library is vulnerable to an XSS #78

Closed
xavierba opened this issue Oct 4, 2017 · 13 comments

@xavierba
Contributor

xavierba commented Oct 4, 2017

sympa up to 6.2.22 is bundling jquery-ui 1.11.2 which is known to be vulnerable to an XSS.
http://www.cvedetails.com/cve/CVE-2016-7103/

@ikedas
Member

ikedas commented Oct 12, 2017

jquery* were upgraded in the sympa-6.2 branch. This ticket will be kept open for debugging.

@xavierba
Contributor Author

xavierba commented Nov 8, 2017

The jquery update breaks the 'edit list config' dropdown menu in mailing list admin panel.
Whatever item is selected in the dropdown menu will display the list definition part of the config.

@racke
Contributor

racke commented Nov 8, 2017 via email

@xavierba
Contributor Author

xavierba commented Nov 8, 2017

My bad, jquery-migrate.js is not installed because I've not run autoconf. oops :-(

@xavierba
Contributor Author

xavierba commented Nov 8, 2017

It might not be just me being stupid...
Once the previously missing jquery-migrate.js is added, using Firefox 56, I get this in the js console:
20:21:02.087 TypeError: newFunc is undefined 1 jquery-migrate.js:102:3
migrateWarnFunc/obj[prop] https://lists.domain.tld/static-sympa/external/jquery-migrate.js:102:3
find https://lists.domain.tld/static-sympa/external/jquery.js:2708:35
jQuery.fn.init https://lists.domain.tld/static-sympa/external/jquery.js:2821:14
jQuery.fn.init https://lists.domain.tld/static-sympa/external/jquery-migrate.js:129:9
jQuery https://lists.domain.tld/static-sympa/external/jquery.js:73:10
assemble/< https://lists.domain.tld/static-sympa/external/foundation/js/foundation/foundation.topbar.js:388:13
each https://lists.domain.tld/static-sympa/external/jquery.js:383:14
each https://lists.domain.tld/static-sympa/external/jquery.js:136:10
assemble https://lists.domain.tld/static-sympa/external/foundation/js/foundation/foundation.topbar.js:372:7
init/< https://lists.domain.tld/static-sympa/external/foundation/js/foundation/foundation.topbar.js:46:11
each https://lists.domain.tld/static-sympa/external/jquery.js:383:14
each https://lists.domain.tld/static-sympa/external/jquery.js:136:10
init https://lists.domain.tld/static-sympa/external/foundation/js/foundation/foundation.topbar.js:30:7
init_lib https://lists.domain.tld/static-sympa/external/foundation/js/foundation/foundation.js:370:18
init https://lists.domain.tld/static-sympa/external/foundation/js/foundation/foundation.js:341:26
$.fn.foundation/< https://lists.domain.tld/static-sympa/external/foundation/js/foundation/foundation.js:727:7
each https://lists.domain.tld/static-sympa/external/jquery.js:383:14
each https://lists.domain.tld/static-sympa/external/jquery.js:136:10
$.fn.foundation https://lists.domain.tld/static-sympa/external/foundation/js/foundation/foundation.js:726:12
https://lists.domain.tld/sympa/edit_list_request/test/description:89:1
fire https://lists.domain.tld/static-sympa/external/jquery.js:3119:10
fireWith https://lists.domain.tld/static-sympa/external/jquery.js:3231:7
ready https://lists.domain.tld/static-sympa/external/jquery.js:3443:3
completed https://lists.domain.tld/static-sympa/external/jquery.js:3474:3

@ikedas
Member

ikedas commented Nov 10, 2017

I could not reproduce the reported error with Chrome 62.0.3202.75 and Firefox 56.0.2. Versions of the scripts are:

  • jquery.js 3.2.1
  • jquery-migrate.js 3.0.1
  • jquery-ui.js 1.12.1

@xavierba
Contributor Author

Thanks for checking. The issue was actually (again) on my side: it worked with chromium (which I barely use) and worked again in Firefox after clearing the cache. Sorry for the noise. I'll retest when the next beta release is available to double-check everything is in order.

@ikedas
Member

ikedas commented Dec 6, 2017

If no other problem is reported by 14 Dec., I'll close this issue.

@ikedas
Member

ikedas commented Dec 11, 2017

Moved from issue #138.

Clicking the "View last bounce" link in subscriber information has no effect, and the following traceback is shown on the console:

Uncaught TypeError: Cannot read property 'defaultView' of null
    at getStyles (jquery.js:6077)
    at curCSS (jquery.js:6175)
    at Function.css (jquery.js:6520)
    at jquery.js:6646
    at access (jquery.js:4013)
    at jQuery.fn.init.css (jquery.js:6628)
    at Object.open (foundation.reveal.js:168)
    at HTMLAnchorElement.<anonymous> (foundation.reveal.js:67)
    at HTMLDocument.dispatch (jquery.js:5206)
    at HTMLDocument.elemData.handle (jquery.js:5014)

N.B. I saw the traceback above with Chrome 62.0.3202.94 and Sympa 6.2.23b.2.

ikedas added a commit to ikedas/sympa that referenced this issue Dec 11, 2017
@ikedas
Member

ikedas commented Dec 11, 2017

With jquery-migrate 1.4.1 the problem seems not to reproduce. So I think we have at least three options:

  1. Downgrade jquery-migrate to 1.4.1 and release Sympa 6.2.24 at due date (21 Dec.).
  2. Postpone release of Sympa 6.2.24 and seek the way to solve the problem radically.
  3. Roll back changes on jQuery and release Sympa 6.2.24 with vulnerable jQuery at due date.

Are there any others?

@xavierba
Contributor Author

The bundled jquery in sympa has been updated straight from 1.11.1 to 3.2.1, which is a bump of 2 major versions.
jquery advises updating from one major version to the next: https://jquery.com/upgrade-guide/3.0/#jquery-migrate-plugin
The issue here is likely some changes between jquery 2 and jquery 3.
I believe jquery-migrate 1.4 is intended to update from jquery 1 to jquery 2, while jquery-migrate 3 is intended to update from jquery 2 to jquery 3 and it is explicitly stated that one cannot use both jquery-migrate 1.4 and 3 at the same time, so maybe solution 1 above (jquery-migrate downgrade from 3 to 1.4) would also require a downgrade to jquery 2.
Solution 2 is the cleanest, but might take some time, which may or may not be acceptable.
Solution 3 (ship with known flaws) is not really an option, imho.
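
The version questions raised in this thread (is the bundled jquery-ui older than the CVE-2016-7103 fix, and does jquery-migrate match the bundled jquery) can be checked from the files' version banners. The following is an added example, not part of the thread or of Sympa's code; the sample banners are constructed and the migrate pairing rule is an assumption taken from the upgrade guide linked above.

```javascript
// Added example: audit bundled jQuery files from their version banners.
// SAMPLE_BUNDLE is constructed; versions mirror those named in this thread.
const SAMPLE_BUNDLE = {
  'jquery.js': '/*!\n * jQuery JavaScript Library v3.2.1\n */',
  'jquery-migrate.js': '/*!\n * jQuery Migrate - v3.0.1 - 2017-09-26\n */',
  'jquery-ui.js': '/*! jQuery UI - v1.12.1 - 2016-09-14 */',
};

const BANNERS = [
  // Order matters: the more specific product names are tried first.
  ['jquery-ui', /jQuery UI\s*-?\s*v(\d+)\.(\d+)\.(\d+)/],
  ['jquery-migrate', /jQuery Migrate\s*-?\s*v(\d+)\.(\d+)\.(\d+)/],
  ['jquery', /jQuery(?: JavaScript Library)? v(\d+)\.(\d+)\.(\d+)/],
];

// Read only the leading comment; return {name: [major, minor, patch]}.
function detectVersions(files) {
  const found = {};
  for (const text of Object.values(files)) {
    const head = text.slice(0, 512);
    for (const [name, re] of BANNERS) {
      const m = re.exec(head);
      if (m) { found[name] = m.slice(1, 4).map(Number); break; }
    }
  }
  return found;
}

function lessThan(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i];
  return false;
}

function audit(files) {
  const v = detectVersions(files);
  const findings = [];
  // CVE-2016-7103 (dialog closeText XSS) is fixed in jQuery UI 1.12.0.
  if (v['jquery-ui'] && lessThan(v['jquery-ui'], [1, 12, 0])) {
    findings.push('jquery-ui ' + v['jquery-ui'].join('.') + ' < 1.12.0: CVE-2016-7103');
  }
  // Pairing rule assumed from the upgrade guide linked above:
  // Migrate 1.x goes with jQuery 1.x/2.x, Migrate 3.x with jQuery 3.x.
  const jq = v['jquery'], mig = v['jquery-migrate'];
  if (jq && mig) {
    const ok = mig[0] === 1 ? jq[0] <= 2 : mig[0] === jq[0];
    if (!ok) findings.push('jquery-migrate ' + mig.join('.') + ' does not match jquery ' + jq.join('.'));
  }
  return findings;
}
```

Calling `audit()` on a map of file name to file content returns an empty list when the bundle passes both checks; in a build it can run over the static directory before packaging.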

ikedas added a commit that referenced this issue Dec 12, 2017
@ikedas
Member

ikedas commented Dec 12, 2017

I see we had to use jquery-migrate 1.4. I'll check again if Sympa works with it.

@ikedas
Member

ikedas commented Dec 20, 2017

Ok, closed by now.

@ikedas ikedas closed this as completed Dec 20, 2017
salaun-urennes1 added a commit to salaun-urennes1/sympa that referenced this issue Oct 31, 2018