Your message dated Thu, 27 Apr 2023 19:02:34 +0200
with message-id <a0b4da2a-91f8-99cc-238a-77004839c...@debian.org>
and subject line Re: Bug#1034664: unblock: node-xml2js/0.4.23+~cs15.4.0+dfsg-5
has caused the Debian Bug report #1034664,
regarding unblock: node-xml2js/0.4.23+~cs15.4.0+dfsg-5
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1034664: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1034664
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: node-xml...@packages.debian.org
Control: affects -1 + src:node-xml2js

Please unblock package node-xml2js

[ Reason ]
node-xml2js version 0.4.23 allows an external attacker to edit or add new
properties to an object (#1034148, CVE-2023-0842)

[ Impact ]
Medium security issue

[ Tests ]
Test updates, passed

[ Risks ]
Low risk, patch is trivial and tested

[ Checklist ]
  [X] all changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in testing

Cheers,
Yadd

unblock node-xml2js/0.4.23+~cs15.4.0+dfsg-5
diff --git a/debian/changelog b/debian/changelog
index 98492d7..9d9dac7 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,12 @@
+node-xml2js (0.4.23+~cs15.4.0+dfsg-5) unstable; urgency=medium
+
+  * Team upload
+  * Update standards version to 4.6.2, no changes needed.
+  * Update nodejs dependency to nodejs:any
+  * Add patch to prevent prototype pollution (Closes: #1034148, CVE-2023-0842)
+
+ -- Yadd <y...@debian.org>  Fri, 21 Apr 2023 11:11:13 +0400
+
 node-xml2js (0.4.23+~cs15.4.0+dfsg-4) unstable; urgency=medium
 
   * Team upload
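Review bot: the CVE entry in the new changelog stanza names the Debian bug and the CVE but not the upstream release that carries the fix; the patch header records `Applied-Upstream: 0.5.0, commit:581b19a6`, and repeating "(backport from upstream 0.5.0)" in the changelog line would let readers of `apt changelog` see the provenance without opening debian/patches.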
diff --git a/debian/control b/debian/control
index dc4d6d0..406a88d 100644
--- a/debian/control
+++ b/debian/control
@@ -10,7 +10,7 @@ Build-Depends:
  , node-sax <!nocheck>
  , dh-sequence-nodejs
  , node-diff
-Standards-Version: 4.6.1
+Standards-Version: 4.6.2
 Vcs-Browser: https://salsa.debian.org/js-team/node-xml2js
 Vcs-Git: https://salsa.debian.org/js-team/node-xml2js.git
 Homepage: https://github.com/Leonidas-from-XIV/node-xml2js
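Review bot: the Standards-Version bump from 4.6.1 to 4.6.2 is unrelated to the CVE-2023-0842 fix that motivates this freeze unblock; the changelog states "no changes needed", so it is harmless, but a targeted security upload is easiest for the release team to review when the debdiff carries only the security change.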
@@ -21,8 +21,8 @@ Architecture: all
 Depends:
  ${misc:Depends}
  , node-sax
- , nodejs
  , node-diff
+ , nodejs:any
 Provides: ${nodejs:Provides}
 Description: simple XML to JavaScript object converter - Node.js module
  xml2js parses XML using node-sax and converts it to a plain JavaScript
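Review bot: the dependency is removed from its original position above `node-diff` and re-added below it, so the hunk reads as a move plus a rename; leaving `nodejs:any` in the original slot would make this a one-line substitution and keep the Depends list in its previous order. The `:any` qualifier itself is the appropriate form for an Architecture: all package that needs the interpreter at runtime, so the change is more than cosmetic and deserves its own changelog line, which it has.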
diff --git a/debian/patches/CVE-2023-0842.patch 
b/debian/patches/CVE-2023-0842.patch
new file mode 100644
index 0000000..3d80ed9
--- /dev/null
+++ b/debian/patches/CVE-2023-0842.patch
@@ -0,0 +1,103 @@
+Description: use Object.create(null) to create all parsed objects
+ (prevent prototype replacement)
+Author: James Crosby <ja...@coggle.it>
+Origin: upstream, commit:581b19a6
+Bug: https://github.com/advisories/GHSA-776f-qx25-q3cc
+Bug-Debian: https://bugs.debian.org/1034148
+Forwarded: not-needed
+Applied-Upstream: 0.5.0, commit:581b19a6
+Reviewed-By: Yadd <y...@debian.org>
+Last-Update: 2023-04-21
+
+--- a/src/parser.coffee
++++ b/src/parser.coffee
+@@ -103,12 +103,12 @@
+     charkey = @options.charkey
+ 
+     @saxParser.onopentag = (node) =>
+-      obj = {}
++      obj = Object.create(null)
+       obj[charkey] = ""
+       unless @options.ignoreAttrs
+         for own key of node.attributes
+           if attrkey not of obj and not @options.mergeAttrs
+-            obj[attrkey] = {}
++            obj[attrkey] = Object.create(null)
+           newValue = if @options.attrValueProcessors then 
processItem(@options.attrValueProcessors, node.attributes[key], key) else 
node.attributes[key]
+           processedKey = if @options.attrNameProcessors then 
processItem(@options.attrNameProcessors, key) else key
+           if @options.mergeAttrs
+@@ -161,7 +161,7 @@
+       # put children into <childkey> property and unfold chars if necessary
+       if @options.explicitChildren and not @options.mergeAttrs and typeof obj 
is 'object'
+         if not @options.preserveChildrenOrder
+-          node = {}
++          node = Object.create(null)
+           # separate attributes
+           if @options.attrkey of obj
+             node[@options.attrkey] = obj[@options.attrkey]
+@@ -179,7 +179,7 @@
+           # append current node onto parent's <childKey> array
+           s[@options.childkey] = s[@options.childkey] or []
+           # push a clone so that the node in the children array can receive 
the #name property while the original obj can do without it
+-          objClone = {}
++          objClone = Object.create(null)
+           for own key of obj
+             objClone[key] = obj[key]
+           s[@options.childkey].push objClone
+@@ -196,7 +196,7 @@
+         if @options.explicitRoot
+           # avoid circular references
+           old = obj
+-          obj = {}
++          obj = Object.create(null)
+           obj[nodeName] = old
+ 
+         @resultObject = obj
+--- a/test/parser.test.coffee
++++ b/test/parser.test.coffee
+@@ -531,13 +531,13 @@
+ 
+   'test single attrNameProcessors': skeleton(attrNameProcessors: 
[nameToUpperCase], (r)->
+     console.log 'Result object: ' + util.inspect r, false, 10
+-    equ r.sample.attrNameProcessTest[0].$.hasOwnProperty('CAMELCASEATTR'), 
true
+-    equ r.sample.attrNameProcessTest[0].$.hasOwnProperty('LOWERCASEATTR'), 
true)
++    equ {}.hasOwnProperty.call(r.sample.attrNameProcessTest[0].$, 
'CAMELCASEATTR'), true
++    equ {}.hasOwnProperty.call(r.sample.attrNameProcessTest[0].$, 
'LOWERCASEATTR'), true)
+ 
+   'test multiple attrNameProcessors': skeleton(attrNameProcessors: 
[nameToUpperCase, nameCutoff], (r)->
+     console.log 'Result object: ' + util.inspect r, false, 10
+-    equ r.sample.attrNameProcessTest[0].$.hasOwnProperty('CAME'), true
+-    equ r.sample.attrNameProcessTest[0].$.hasOwnProperty('LOWE'), true)
++    equ {}.hasOwnProperty.call(r.sample.attrNameProcessTest[0].$, 'CAME'), 
true
++    equ {}.hasOwnProperty.call(r.sample.attrNameProcessTest[0].$, 'LOWE'), 
true)
+ 
+   'test single attrValueProcessors': skeleton(attrValueProcessors: 
[nameToUpperCase], (r)->
+     console.log 'Result object: ' + util.inspect r, false, 10
+@@ -559,21 +559,21 @@
+ 
+   'test single tagNameProcessors': skeleton(tagNameProcessors: 
[nameToUpperCase], (r)->
+     console.log 'Result object: ' + util.inspect r, false, 10
+-    equ r.hasOwnProperty('SAMPLE'), true
+-    equ r.SAMPLE.hasOwnProperty('TAGNAMEPROCESSTEST'), true)
++    equ {}.hasOwnProperty.call(r, 'SAMPLE'), true
++    equ {}.hasOwnProperty.call(r.SAMPLE, 'TAGNAMEPROCESSTEST'), true)
+ 
+   'test single tagNameProcessors in simple callback': (test) ->
+     fs.readFile fileName, (err, data) ->
+       xml2js.parseString data, tagNameProcessors: [nameToUpperCase], (err, 
r)->
+         console.log 'Result object: ' + util.inspect r, false, 10
+-        equ r.hasOwnProperty('SAMPLE'), true
+-        equ r.SAMPLE.hasOwnProperty('TAGNAMEPROCESSTEST'), true
++        equ {}.hasOwnProperty.call(r, 'SAMPLE'), true
++        equ {}.hasOwnProperty.call(r.SAMPLE, 'TAGNAMEPROCESSTEST'), true
+         test.finish()
+ 
+   'test multiple tagNameProcessors': skeleton(tagNameProcessors: 
[nameToUpperCase, nameCutoff], (r)->
+     console.log 'Result object: ' + util.inspect r, false, 10
+-    equ r.hasOwnProperty('SAMP'), true
+-    equ r.SAMP.hasOwnProperty('TAGN'), true)
++    equ {}.hasOwnProperty.call(r, 'SAMP'), true
++    equ {}.hasOwnProperty.call(r.SAMP, 'TAGN'), true)
+ 
+   'test attrValueProcessors key param': skeleton(attrValueProcessors: 
[replaceValueByName], (r)->
+     console.log 'Result object: ' + util.inspect r, false, 10
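Review bot: the test changes in the second half of this file are the visible evidence of an API-facing side effect of the fix that the changelog does not mention: once every parsed object is created with `Object.create(null)`, the results no longer inherit `hasOwnProperty`, `toString` or any other `Object.prototype` method, so downstream code doing `r.sample.hasOwnProperty('x')` will throw after this upload exactly as the old tests would have. A NEWS entry or a sentence in the changelog telling reverse dependencies to use `{}.hasOwnProperty.call(r, 'x')` (or `Object.hasOwn`) would save them a surprise. Separately, the patch carries no regression test for the CVE itself; a test that feeds the parser an element named after a prototype key and asserts that no property appeared on `Object.prototype` afterwards would keep the fix from being lost on a future rebase of the coffeescript patches.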
diff --git a/debian/patches/series b/debian/patches/series
index 2840ff2..c9bf5bb 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,2 +1,3 @@
 fix-for-coffeescript-2.patch
 drop-test-not-compatible-with-coffe-2.patch
+CVE-2023-0842.patch

--- End Message ---
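An added example, not code from node-xml2js or from the Debian patch, showing in plain JavaScript why the patch switches every parsed object from `{}` to `Object.create(null)` and why its tests now borrow `hasOwnProperty` instead of calling it on the result; `storeParsed` is a constructed stand-in for the parser's property assignment, not the package's own function.

```javascript
const hasOwn = Object.prototype.hasOwnProperty;

// Constructed stand-in for the parser: an element or attribute name taken
// from the input becomes a property on a freshly created result object.
function storeParsed(makeObject, key, value) {
  const obj = makeObject();
  obj[key] = value;
  return obj;
}

// True when the key ended up as an own data property of the result,
// false when the assignment was intercepted by an inherited accessor.
function keyIsOwnProperty(makeObject, key) {
  const obj = storeParsed(makeObject, key, { tainted: true });
  return hasOwn.call(obj, key);
}

// Pre-patch shape (`{}`): a key named "__proto__" reaches the accessor
// inherited from Object.prototype and swaps the result's prototype.
function plainResultKeepsPrototype(key) {
  const obj = storeParsed(() => ({}), key, { tainted: true });
  return Object.getPrototypeOf(obj) === Object.prototype;
}

// Post-patch shape (Object.create(null)): nothing is inherited, so every
// key from the input is stored as an ordinary own property.
function nullProtoResultKeepsPrototype(key) {
  const obj = storeParsed(() => Object.create(null), key, { tainted: true });
  return Object.getPrototypeOf(obj) === null;
}

// The caveat behind the test changes: a null-prototype result has no
// hasOwnProperty method, so `r.hasOwnProperty('x')` throws. Callers must
// borrow it, as the patched tests do with `{}.hasOwnProperty.call(r, 'x')`.
function resultHasOwnMethod(result) {
  return typeof result.hasOwnProperty === 'function';
}

// Membership check that is correct for both object shapes.
function has(result, key) {
  return hasOwn.call(result, key);
}
```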
--- Begin Message ---
Hi,

On 21-04-2023 09:16, Yadd wrote:
unblock node-xml2js/0.4.23+~cs15.4.0+dfsg-5

unblocked -8.

Paul



--- End Message ---
