new file mode 100644
@@ -0,0 +1,63 @@
+From 808905ea1bb4582bcfd681ba1bb8a1c1d1113b40 Mon Sep 17 00:00:00 2001
+From: Klaus Hartl <klaus.hartl@gmail.com>
+Date: Fri, 15 May 2026 11:23:44 +0200
+Subject: [PATCH] Prevent cookie attribute injection
+
+Given that we are using a `for ... in` loop for assembling a cookie's
+attributes required for writing/removing, we are vulnerable to prototype
+pollution, where an attacker might attempt to add/overwrite certain
+attributes and with that broadening access or wiping out a cookie
+altogether.
+
+Such malicious attributes input could most likely come from an object
+parsed from a JSON string; for example looking like
+'{"__proto__":{"samesite":"None"}}'.
+
+Note that at the moment we're tied to using this kind of for-loop for
+compatibility with IE 10 + 11.
+
+(cherry picked from commit eb3c40e89731e99b8970faaf35ddad249c6c0020)
+
+CVE: CVE-2026-46625
+Upstream-Status: Backport [https://github.com/js-cookie/js-cookie/commit/eb3c40e89731e99b8970faaf35ddad249c6c0020]
+Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
+---
+ src/assign.mjs | 1 +
+ test/tests.js | 12 ++++++++++++
+ 2 files changed, 13 insertions(+)
+
+diff --git a/src/assign.mjs b/src/assign.mjs
+index 2934ff3..a0e55f1 100644
+--- a/src/assign.mjs
++++ b/src/assign.mjs
+@@ -3,6 +3,7 @@ export default function (target) {
+ for (var i = 1; i < arguments.length; i++) {
+ var source = arguments[i]
+ for (var key in source) {
++ if (key === '__proto__') continue
+ target[key] = source[key]
+ }
+ }
+diff --git a/test/tests.js b/test/tests.js
+index da65d74..c3ab54e 100644
+--- a/test/tests.js
++++ b/test/tests.js
+@@ -489,6 +489,18 @@ QUnit.test(
+ }
+ )
+
++QUnit.test(
++ 'sanitization of attributes to prevent prototype pollution from untrusted input',
++ function (assert) {
++ var untrusted = JSON.parse('{"__proto__":{"foo":"bar"}}')
++ assert.strictEqual(
++ Cookies.set('c', 'v', untrusted),
++ 'c=v; path=/',
++ 'should prevent attribute-injection via prototype pollution'
++ )
++ }
++)
++
+ QUnit.module('remove', lifecycle)
+
+ QUnit.test('deletion', function (assert) {
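Review bot: In the embedded src/assign.mjs hunk, the added `if (key === '__proto__') continue` filters only an own key with that name, while the surrounding `for (var key in source)` still copies every enumerable property that `source` inherits. If attribute objects whose prototype chain is already polluted are in scope, a guard such as `if (key === '__proto__' || !Object.prototype.hasOwnProperty.call(source, key)) continue` would limit the copy to own keys and still runs on IE 10/11. Since this is a backport, that change would presumably need to land upstream first, and it alters behaviour for callers that pass objects with inherited attributes. The added test pins only the `foo` key through `Cookies.set`, so a case using the `samesite` example from the commit message, and one for the removal path the message mentions, would document the intended coverage. The function in assign.mjs begins and ends outside the hunk.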
@@ -3,7 +3,9 @@ HOMEPAGE = "https://github.com/js-cookie/js-cookie"
LICENSE = "MIT"
LIC_FILES_CHKSUM = "file://LICENSE;md5=e16cf0e247d84f8999bf55865a9c98cf"
-SRC_URI = "git://github.com/js-cookie/js-cookie.git;protocol=https;branch=main"
+SRC_URI = "git://github.com/js-cookie/js-cookie.git;protocol=https;branch=main \
+ file://CVE-2026-46625.patch \
+"
SRCREV = "ab3f67fc4fad88cdf07b258c08e4164e06bf7506"