
Patch jQuery due to CVE-2019-11358
Closed, Resolved. Public

Description

CVE-2019-11358 is an XSS risk for $.extend(true, {}, …): if passed an unsanitized source object, it could overwrite Object.prototype and so let arbitrary code be written.

I think that anyone able to do that on our wikis has to be an interface-admin already, so it's not necessarily relevant to us (as they could just write bad code directly into Common.js). Possibly this would allow a metawiki interface-admin to compromise e.g. enwiki code if they're doing a cross-wiki object request?

See-also: CVE-2019-5428 (seemingly we have a duplicate)

Fixed in 3.4.0

https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/

Event Timeline

Reedy edited projects, added MediaWiki-ResourceLoader, OOUI; removed MediaWiki-General.
Reedy subscribed.
Jdforrester-WMF renamed this task from Consider upgrading jQuery to 3.4.0, due to CVE-2019-11358 to Consider upgrading jQuery to 3.4.0, due to CVE-2019-11358 / CVE-2019-5428 (dupe CVE numbers). Apr 24 2019, 6:53 PM

Someone also made patches to 3.3.1 (and other versions) if we wanted to just backport for MW core rather than upgrade at this point...

https://github.com/DanielRuf/snyk-js-jquery-174006?files=1

Eurgh, the provenance of that doesn't fill me with love. But yes, we could do that too.

Upstream should've really just put some point releases out, rather than just fixing it with a new feature release too...

Indeed, that does look like a strange source. I think, though, it's mainly a strange hosting choice by an otherwise trusted source. The patch was submitted to Snyk, which is where the vulnerability was registered and verified. This patch is also linked by them, and by the jQuery release announcement. In any event, it matches the upstream commit.

var a = {}; // new Object();
a.__proto__ === Object.prototype; // true
a instanceof Object; // true

var base = { score: 0, name: '' };
var a = { __proto__: base }; // aka `Object.create( base );`
a.score === 0; // true
a.score = 42;
a.score === 42; // true
base.score === 0; // true
base.isPrototypeOf( a ); // true (`a instanceof base` would throw: instanceof needs a constructor function, not a plain object)

var b = { __proto__: a }; // aka `Object.create( a );`
b.name = 'Blubber';
base.isPrototypeOf( b ); // true
// b acts like { name: 'Blubber', score: 42 }

extend() is ultimately just a for-loop to assign keys in a given object. If you have untrusted objects and want to merge them with other untrusted objects (why?), and then do a deep merge with those (why?), and then want to prevent interaction with Object.prototype, one could in such an extremely rare scenario simply start with Object.create(null) instead of new Object (aka {}). That won't have this issue of modifying the parent object that all objects have as parent, which can have some unintended consequences.

The only consequence is that if an object has no property by a given name (not even existent as false or null) you can make that property appear.

function User() {} // any constructor function
var a = new User();
a.hasOwnProperty === Object.hasOwnProperty; // true

Object.prototype.myEverywhere = 9;
// User inherits Function, User.prototype inherits Object.
a.myEverywhere === 9; // true

Seems quite a thin vulnerability, if one at all. Anyway, I would actually recommend we patch it, because upgrading properly also comes with needing to re-fit jquery-migrate.js, which I'd like to postpone for now until we have other more important work out of the way.
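The pollution path described in the task description and in the comment above, as an added example that is not jQuery's or MediaWiki's code: a miniature deep-merge loop in the shape of $.extend(true, target, source), a constructed JSON payload that reaches Object.prototype through it, and a hardened variant that skips a key named "__proto__" the way the upstream 3.4.0 fix does (plus "constructor" and "prototype", defensively). The function names, the isAdmin property and the payloads are this example's own assumptions.

```javascript
// Added example; not jQuery's code. naiveDeepExtend() mirrors the vulnerable
// deep-merge loop only closely enough to show the bug; safeDeepExtend() is the
// hardened shape. Names and payloads are constructed for this example.

function isPlainObject(obj) {
  if (obj === null || typeof obj !== 'object') return false;
  var proto = Object.getPrototypeOf(obj);
  // Object.prototype itself has a null prototype, so it passes this test,
  // which is exactly what lets the recursion below write into it.
  return proto === null || proto === Object.prototype;
}

// Vulnerable shape: for a source key literally named "__proto__",
// target[name] resolves (via the inherited accessor) to Object.prototype,
// isPlainObject() accepts it as the merge target, and the recursive call
// copies the attacker's keys onto the prototype shared by every object.
function naiveDeepExtend(target, source) {
  for (var name in source) {
    var copy = source[name];
    if (isPlainObject(copy)) {
      var src = target[name];
      var clone = isPlainObject(src) ? src : {};
      target[name] = naiveDeepExtend(clone, copy);
    } else if (copy !== undefined) {
      target[name] = copy;
    }
  }
  return target;
}

// Hardened shape: own keys only, never the keys that reach a prototype,
// and the "target === copy" guard upstream added against a never-ending loop.
function safeDeepExtend(target, source) {
  var hasOwn = Object.prototype.hasOwnProperty;
  for (var name in source) {
    if (!hasOwn.call(source, name)) continue;
    if (name === '__proto__' || name === 'constructor' || name === 'prototype') continue;
    var copy = source[name];
    if (target === copy) continue;
    if (isPlainObject(copy)) {
      var src = hasOwn.call(target, name) ? target[name] : undefined;
      var clone = isPlainObject(src) ? src : {};
      target[name] = safeDeepExtend(clone, copy);
    } else if (copy !== undefined) {
      target[name] = copy;
    }
  }
  return target;
}

// Attacker-controlled input (constructed). It must arrive as parsed JSON:
// JSON.parse creates an *own* property named "__proto__", whereas an object
// literal { __proto__: x } would set the prototype instead.
var PAYLOAD = '{"__proto__": {"isAdmin": true}}';
var NESTED_PAYLOAD = '{"config": {"__proto__": {"isAdmin": true}}}';

// Runs one merge and reports whether an unrelated, pre-existing object
// gained the attacker's property. Always undoes the pollution afterwards.
function pollutes(merge, makeTarget, json) {
  var victim = {};
  try {
    merge(makeTarget(), JSON.parse(json));
    return victim.isAdmin === true;
  } finally {
    delete Object.prototype.isAdmin;
  }
}

function run() {
  var plain = function () { return {}; };
  var nullProto = function () { return Object.create(null); };
  return {
    naive: pollutes(naiveDeepExtend, plain, PAYLOAD),                      // true
    naiveNullProto: pollutes(naiveDeepExtend, nullProto, PAYLOAD),         // false
    naiveNullProtoNested: pollutes(naiveDeepExtend, nullProto, NESTED_PAYLOAD), // true
    safe: pollutes(safeDeepExtend, plain, PAYLOAD),                        // false
    safeNested: pollutes(safeDeepExtend, plain, NESTED_PAYLOAD)            // false
  };
}
```

The third result is the caveat worth knowing about the Object.create(null) suggestion: a null-prototype top-level target does stop a top-level "__proto__" key (there is no inherited accessor, so the key becomes an ordinary own property), but the recursion still allocates ordinary `{}` clones for nested objects, so a "__proto__" key one level down pollutes as before. Rejecting the key by name in the loop covers both cases, which is why the upstream fix went that way.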

I can apply the patch trivially, but it won't pass the integrity check any more. Should I put it up as a regular patch or should we treat this as a real security patch?

Or can we get @Krinkle to get the jQuery guys to do some proper point releases? ;D

Can't only be us that don't want to hack the files, nor can we just upgrade with abandon

Assuming that upstream aren't going to do the right thing, I imagine that Security team should work out what they want to do about releases of MediaWiki before we publish this patch.

Probably worth bundling it in T205041: Tracking bug for 1.27.6/1.30.2/1.31.2/1.32.2 security release

Question of whether it's low enough impact to just push public on all branches.. Considering it's public upstream, it's not like it's hidden nor unexpected that the issue may be in MW's versions of jQuery

Reedy added a subscriber: Kghbln.

Anyone any strong feelings either way as to what we do for the next security release... Include the patch?

Probably best to include it, yes.

Reedy renamed this task from Consider upgrading jQuery to 3.4.0, due to CVE-2019-11358 / CVE-2019-5428 (dupe CVE numbers) to Patch jQuery due to CVE-2019-11358 / CVE-2019-5428 (dupe CVE numbers). May 28 2019, 3:21 PM
Reedy assigned this task to Jdforrester-WMF.
Reedy renamed this task from Patch jQuery due to CVE-2019-11358 / CVE-2019-5428 (dupe CVE numbers) to Patch jQuery due to CVE-2019-11358. Jun 5 2019, 8:55 PM
Reedy updated the task description.
Reedy changed the visibility from "Custom Policy" to "Public (No Login Required)". Jun 6 2019, 4:01 PM

Change 514769 had a related patch set uploaded (by Reedy; owner: Jforrester):
[mediawiki/core@REL1_27] SECURITY: resources: Patch jQuery 1.11.3 for CVE-2019-11358

https://gerrit.wikimedia.org/r/514769

Change 514769 merged by Reedy:
[mediawiki/core@REL1_27] SECURITY: resources: Patch jQuery 1.11.3 for CVE-2019-11358

https://gerrit.wikimedia.org/r/514769

Change 514780 had a related patch set uploaded (by Reedy; owner: Jforrester):
[mediawiki/core@REL1_30] SECURITY: resources: Patch jQuery 1.11.3 for CVE-2019-11358

https://gerrit.wikimedia.org/r/514780

Change 514780 merged by Reedy:
[mediawiki/core@REL1_30] SECURITY: resources: Patch jQuery 1.11.3 for CVE-2019-11358

https://gerrit.wikimedia.org/r/514780

Change 514856 had a related patch set uploaded (by Reedy; owner: Jforrester):
[mediawiki/core@REL1_31] SECURITY: resources: Patch jQuery 3.2.1 for CVE-2019-11358

https://gerrit.wikimedia.org/r/514856

Change 514760 merged by jenkins-bot:
[mediawiki/core@master] SECURITY: resources: Patch jQuery 3.3.1 for CVE-2019-11358

https://gerrit.wikimedia.org/r/514760

Change 514956 had a related patch set uploaded (by Reedy; owner: Jforrester):
[mediawiki/core@REL1_32] SECURITY: resources: Patch jQuery 3.3.1 for CVE-2019-11358

https://gerrit.wikimedia.org/r/514956

Change 514980 had a related patch set uploaded (by Reedy; owner: Jforrester):
[mediawiki/core@REL1_33] SECURITY: resources: Patch jQuery 3.3.1 for CVE-2019-11358

https://gerrit.wikimedia.org/r/514980

Change 514956 merged by jenkins-bot:
[mediawiki/core@REL1_32] SECURITY: resources: Patch jQuery 3.3.1 for CVE-2019-11358

https://gerrit.wikimedia.org/r/514956

Change 514980 merged by jenkins-bot:
[mediawiki/core@REL1_33] SECURITY: resources: Patch jQuery 3.3.1 for CVE-2019-11358

https://gerrit.wikimedia.org/r/514980

Change 514856 merged by jenkins-bot:
[mediawiki/core@REL1_31] SECURITY: resources: Patch jQuery 3.2.1 for CVE-2019-11358

https://gerrit.wikimedia.org/r/514856