Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian....@packages.debian.org
Usertags: pu
[ Reason ]
node-object-path is vulnerable to a prototype pollution (CVE-2020-15256)

[ Impact ]
Little prototype vulnerability available

[ Tests ]
Upstream test change seems too big to be included here (see link in patch).

[ Risks ]
Low risk, patch just adds a check on prototype

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

[ Changes ]
Just a new security check
diff --git a/debian/changelog b/debian/changelog index f85777e..da6bfd9 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +node-object-path (0.11.4-2+deb10u1) buster; urgency=medium + + * Team upload + * Fix prototype pollution in set() (Closes: CVE-2020-15256) + + -- Xavier Guimard <y...@debian.org> Thu, 22 Oct 2020 18:38:10 +0200 + node-object-path (0.11.4-2) unstable; urgency=medium * Update Vcs fields for migration to https://salsa.debian.org/ diff --git a/debian/patches/CVE-2020-15256.diff b/debian/patches/CVE-2020-15256.diff new file mode 100644 index 0000000..97ee479 --- /dev/null +++ b/debian/patches/CVE-2020-15256.diff @@ -0,0 +1,21 @@ +Description: Fix prototype pollution in set() +Author: Mario Casciaro <mariocasci...@gmail.com> +Origin: upstream, https://github.com/mariocasciaro/object-path/commit/2be3354c6 +Bug: https://github.com/mariocasciaro/object-path/security/advisories/GHSA-cwx2-736x-mf6w +Forwarded: not-needed +Reviewed-By: Xavier Guimard <y...@debian.org> +Last-Update: 2020-10-22 + +--- a/index.js ++++ b/index.js +@@ -105,6 +105,10 @@ + } + var currentPath = path[0]; + var currentValue = getShallowProperty(obj, currentPath); ++ if (options.includeInheritedProps && (currentPath === '__proto__' || ++ (currentPath === 'constructor' && typeof currentValue === 'function'))) { ++ throw new Error('For security reasons, object\'s magic properties cannot be set') ++ } + if (path.length === 1) { + if (currentValue === void 0 || !doNotReplace) { + obj[currentPath] = value; diff --git a/debian/patches/series b/debian/patches/series index f99effd..f80fc45 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -1 +1,2 @@ port-to-chai4.patch +CVE-2020-15256.diff
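Review bot: In the debian/changelog hunk, `Closes: CVE-2020-15256` is not a bug closure that dpkg's changelog parser will recognise, since `Closes:` is only matched against Debian bug numbers of the form `#NNNNNN`; write the identifier plainly, e.g. `* Fix prototype pollution in set() (CVE-2020-15256)`, and add `Closes: #NNNNNN` (placeholder) only if a Debian bug was filed for this issue.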
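Review bot: The guard added in the index.js hunk is gated on `options.includeInheritedProps`, so it only protects the inherited-props mode of `set()`; the DEP-3 `Description:` line ("Fix prototype pollution in set()") should say so, and a short comment in the patch header or changelog noting that the default mode is unaffected because `getShallowProperty` filters non-own keys would help the next reviewer. Note also that `__proto__` is always rejected under that mode while `constructor` is rejected only when `currentValue` is a function, so an own data property named `constructor` still works; the thrown message "magic properties cannot be set" does not convey that distinction, so consider a one-line code comment above the `if`.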