
Patch jQuery due to CVE-2019-11358
Closed, ResolvedPublic

Description

CVE-2019-11358 is an XSS risk for $.extend(true, {}, …): if passed an unsanitized source object, it could overwrite Object.prototype and so let arbitrary code be written.

I think that anyone able to do that on our wikis has to be an interface-admin already, so it's not necessarily relevant to us (as they could just write bad code directly into Common.js). Possibly this would allow a metawiki interface-admin to compromise e.g. enwiki code if they're doing a cross-wiki object request?

See-also: CVE-2019-5428 (seemingly we have a duplicate)

Fixed in 3.4.0

https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/

Event Timeline

Restricted Application added a subscriber: Aklapper. Apr 24 2019, 2:13 AM
Reedy merged a task: Restricted Task. Apr 24 2019, 6:51 PM
Reedy edited projects, added MediaWiki-ResourceLoader, OOUI; removed MediaWiki-General.
Reedy added a subscriber: Reedy.
Jdforrester-WMF renamed this task from "Consider upgrading jQuery to 3.4.0, due to CVE-2019-11358" to "Consider upgrading jQuery to 3.4.0, due to CVE-2019-11358 / CVE-2019-5428 (dupe CVE numbers)". Apr 24 2019, 6:53 PM
Reedy updated the task description. Apr 24 2019, 6:54 PM
Reedy added a comment. Apr 24 2019, 7:51 PM

Someone also made patches to 3.3.1 (and other versions) if we wanted to just backport for MW core rather than upgrade at this point...

https://github.com/DanielRuf/snyk-js-jquery-174006?files=1

> Someone also made patches to 3.3.1 (and other versions) if we wanted to just backport for MW core rather than upgrade at this point...
> https://github.com/DanielRuf/snyk-js-jquery-174006?files=1

Eurgh, the provenance of that doesn't fill me with love. But yes, we could do that too.

Reedy added a comment. Apr 24 2019, 8:06 PM

Upstream should've really just put some point releases out, rather than just fixing it with a new feature release too...

> Someone also made patches to 3.3.1 [..]
> https://github.com/DanielRuf/snyk-js-jquery-174006?files=1
>
> Eurgh, the provenance of that doesn't fill me with love. But yes, we could do that too.

Indeed, that does look like a strange source. I think, though, it's mainly a strange hosting choice by an otherwise trusted source. The patch was submitted to Snyk, which is where the vulnerability was registered and verified. And this patch is also linked by them, and by the jQuery release announcement. In any event, it matches the upstream commit.

```js
var a = {}; // new Object();
a.__proto__ === Object.prototype; // true
a instanceof Object; // true

var base = { score: 0, name: '' };
var a = { __proto__: base }; // aka `Object.create( base );`
a.score === 0; // true, inherited from base
a.score = 42; // creates an own property on a that shadows base.score
a.score === 42; // true
base.score === 0; // true, base is untouched
base.isPrototypeOf( a ); // true (instanceof needs a function on the right, base is a plain object)

var b = { __proto__: a }; // aka `Object.create( a );`
b.name = 'Blubber';
base.isPrototypeOf( b ); // true, via a
// b acts like { name: 'Blubber', score: 42 }
```

extend() is ultimately just a for-loop to assign keys in a given object. If you have untrusted objects and want to merge them with other untrusted objects (why?), then do a deep merge of those (why?), and then want to prevent interaction with Object.prototype, one could in such an extremely rare scenario simply start with Object.create(null) instead of new Object (aka {}), which won't have this issue of modifying the parent object that all objects have as parent, which can have some unintended consequences.

The only consequence is that if an object has no property by a given name (not even existent as false or null) you can make that property appear.

```js
function User() {}
var a = new User();
a.hasOwnProperty === Object.hasOwnProperty; // true, both resolve to Object.prototype.hasOwnProperty

Object.prototype.myEverywhere = 9;
// User (a function) inherits from Function.prototype, and User.prototype inherits from Object.prototype,
// so anything added to Object.prototype is visible on a as well.
a.myEverywhere === 9; // true
delete Object.prototype.myEverywhere; // undo the change
```

Seems quite a thin vulnerability, if one at all. Anyway, I would actually recommend we patch it, because upgrading properly also comes with needing to re-fit jquery-migrate.js, which I'd like to postpone for now until we have other more important work out of the way.

I can apply the patch trivially, but it won't pass the integrity check any more. Should I put it up as a regular patch or should we treat this as a real security patch?
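As an added illustration of the mechanism discussed above (not code from this task, from jQuery, or from the patch): a minimal deep merge in the shape of $.extend(true, target, source) next to a hardened variant that skips the `__proto__` key, as the upstream fix does, and builds nested containers with Object.create(null), as suggested above. The function names and the JSON payload are constructed for the example.

```javascript
// Added example, not code from this task or from jQuery. naiveDeepExtend mirrors the
// shape of $.extend(true, target, source) before the fix: a recursive for-in loop
// that copies every key without looking at its name.
function naiveDeepExtend(target, source) {
  for (var key in source) {
    var val = source[key];
    if (val !== null && typeof val === 'object') {
      // For key === '__proto__', target[key] resolves to Object.prototype, so the
      // recursion below writes into the prototype that every plain object shares.
      if (target[key] === null || typeof target[key] !== 'object') {
        target[key] = {};
      }
      naiveDeepExtend(target[key], val);
    } else {
      target[key] = val;
    }
  }
  return target;
}

// Hardened variant: skip '__proto__' (the check the upstream fix adds), copy own
// keys only, and build nested containers with Object.create(null) so no key name
// can reach Object.prototype.
function safeDeepExtend(target, source) {
  for (var key in source) {
    if (key === '__proto__' || !Object.prototype.hasOwnProperty.call(source, key)) {
      continue;
    }
    var val = source[key];
    if (val !== null && typeof val === 'object') {
      if (target[key] === null || typeof target[key] !== 'object') {
        target[key] = Object.create(null);
      }
      safeDeepExtend(target[key], val);
    } else {
      target[key] = val;
    }
  }
  return target;
}

// Constructed untrusted input, e.g. a JSON payload that gets merged into defaults.
var UNTRUSTED_JSON = '{"name": "x", "__proto__": {"polluted": true}}';

// Merge the payload with the given extend function and report whether the extra
// property became visible on an unrelated, freshly created object.
function leaksIntoAllObjects(extendFn, target) {
  extendFn(target, JSON.parse(UNTRUSTED_JSON));
  var leaked = ({}).polluted === true;
  delete Object.prototype.polluted; // undo any pollution so later code is unaffected
  return leaked;
}
```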

Reedy added a comment. Edited Apr 25 2019, 9:15 PM

> I can apply the patch trivially, but it won't pass the integrity check any more. Should I put it up as a regular patch or should we treat this as a real security patch?

Or can we get @Krinkle to get the jQuery guys to do some proper point releases? ;D

Can't only be us that don't want to hack the files, nor can we just upgrade with abandon.

Here:

Patch was deployed at 18:58 UTC.

Assuming that upstream aren't going to do the right thing, I imagine that Security team should work out what they want to do about releases of MediaWiki before we publish this patch.

Reedy added a comment. Apr 29 2019, 7:37 PM

> Assuming that upstream aren't going to do the right thing, I imagine that Security team should work out what they want to do about releases of MediaWiki before we publish this patch.

Probably worth bundling it in T205041: Tracking bug for 1.27.6/1.30.2/1.31.2/1.32.2 security release

Question of whether it's low enough impact to just push public on all branches. Considering it's public upstream, it's not like it's hidden nor unexpected that the issue may be in MW's versions of jQuery.

kchapman moved this task from Inbox to Radar on the Performance-Team board. Apr 29 2019, 8:15 PM
kchapman edited projects, added Performance-Team (Radar); removed Performance-Team.
Reedy merged a task: Restricted Task. May 8 2019, 1:50 PM
Reedy added a subscriber: Kghbln.
Reedy added a comment. May 28 2019, 1:51 PM

Anyone have any strong feelings either way as to what we do for the next security release... Include the patch?

> Anyone have any strong feelings either way as to what we do for the next security release... Include the patch?

Probably best to include it, yes.

Reedy renamed this task from "Consider upgrading jQuery to 3.4.0, due to CVE-2019-11358 / CVE-2019-5428 (dupe CVE numbers)" to "Patch jQuery due to CVE-2019-11358 / CVE-2019-5428 (dupe CVE numbers)". May 28 2019, 3:21 PM
Reedy closed this task as Resolved. Jun 4 2019, 10:26 PM
Reedy assigned this task to Jdforrester-WMF.
Reedy renamed this task from "Patch jQuery due to CVE-2019-11358 / CVE-2019-5428 (dupe CVE numbers)" to "Patch jQuery due to CVE-2019-11358". Jun 5 2019, 8:55 PM
Reedy updated the task description.
Reedy changed the visibility from "Custom Policy" to "Public (No Login Required)". Jun 6 2019, 4:01 PM

Change 514769 had a related patch set uploaded (by Reedy; owner: Jforrester):
[mediawiki/core@REL1_27] SECURITY: resources: Patch jQuery 1.11.3 for CVE-2019-11358

https://gerrit.wikimedia.org/r/514769

Change 514769 merged by Reedy:
[mediawiki/core@REL1_27] SECURITY: resources: Patch jQuery 1.11.3 for CVE-2019-11358

https://gerrit.wikimedia.org/r/514769

Change 514780 had a related patch set uploaded (by Reedy; owner: Jforrester):
[mediawiki/core@REL1_30] SECURITY: resources: Patch jQuery 1.11.3 for CVE-2019-11358

https://gerrit.wikimedia.org/r/514780

Change 514780 merged by Reedy:
[mediawiki/core@REL1_30] SECURITY: resources: Patch jQuery 1.11.3 for CVE-2019-11358

https://gerrit.wikimedia.org/r/514780

Change 514856 had a related patch set uploaded (by Reedy; owner: Jforrester):
[mediawiki/core@REL1_31] SECURITY: resources: Patch jQuery 3.2.1 for CVE-2019-11358

https://gerrit.wikimedia.org/r/514856

Change 514760 merged by jenkins-bot:
[mediawiki/core@master] SECURITY: resources: Patch jQuery 3.3.1 for CVE-2019-11358

https://gerrit.wikimedia.org/r/514760

Change 514956 had a related patch set uploaded (by Reedy; owner: Jforrester):
[mediawiki/core@REL1_32] SECURITY: resources: Patch jQuery 3.3.1 for CVE-2019-11358

https://gerrit.wikimedia.org/r/514956

Change 514980 had a related patch set uploaded (by Reedy; owner: Jforrester):
[mediawiki/core@REL1_33] SECURITY: resources: Patch jQuery 3.3.1 for CVE-2019-11358

https://gerrit.wikimedia.org/r/514980

Change 514956 merged by jenkins-bot:
[mediawiki/core@REL1_32] SECURITY: resources: Patch jQuery 3.3.1 for CVE-2019-11358

https://gerrit.wikimedia.org/r/514956

Change 514980 merged by jenkins-bot:
[mediawiki/core@REL1_33] SECURITY: resources: Patch jQuery 3.3.1 for CVE-2019-11358

https://gerrit.wikimedia.org/r/514980

Change 514856 merged by jenkins-bot:
[mediawiki/core@REL1_31] SECURITY: resources: Patch jQuery 3.2.1 for CVE-2019-11358

https://gerrit.wikimedia.org/r/514856