Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian....@packages.debian.org
Usertags: pu
[ Reason ]
node-pathval is vulnerable to a prototype pollution (CVE-2020-7751, #972895)

[ Impact ]
Little security risk

[ Tests ]
The same patch is applied to debian/sid (same version) and tests are enabled (and succeed of course)

[ Risks ]
No risk, patch just adds a check

[ Checklist ]
[X] *all* changes are documented in the d/changelog
[X] I reviewed all changes and I approve them
[X] attach debdiff against the package in (old)stable
[X] the issue is verified as fixed in unstable

[ Changes ]
Just one check
diff --git a/debian/changelog b/debian/changelog index 91b3ad0..05749be 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +node-pathval (1.1.0-3+deb10u1) buster; urgency=medium + + * Fix prototype pollution (Closes: #972895, CVE-2020-7751) + + -- Xavier Guimard <y...@debian.org> Mon, 26 Oct 2020 04:44:16 +0100 + node-pathval (1.1.0-3) unstable; urgency=medium * Point d/watch to /releases instead of /tags. diff --git a/debian/patches/CVE-2020-7751.diff b/debian/patches/CVE-2020-7751.diff new file mode 100644 index 0000000..7d1ed9a --- /dev/null +++ b/debian/patches/CVE-2020-7751.diff @@ -0,0 +1,21 @@ +Description: fix prototype pollution +Author: Adam Gold <adamgo...@gmail.com> +Origin: upstream, https://github.com/chaijs/pathval/commit/21a9046 +Bug: https://snyk.io/vuln/SNYK-JS-PATHVAL-596926 +Bug-Debian: https://bugs.debian.org/972895 +Forwarded: not-needed +Reviewed-By: Xavier Guimard <y...@debian.org> +Last-Update: 2020-10-25 + +--- a/index.js ++++ b/index.js +@@ -76,6 +76,9 @@ + var str = path.replace(/([^\\])\[/g, '$1.['); + var parts = str.match(/(\\\.|[^.]+?)+/g); + return parts.map(function mapMatches(value) { ++ if (value === "constructor" || value === "__proto__" || value === "prototype") { ++ return {} ++ } + var regexp = /^\[(\d+)\]$/; + var mArr = regexp.exec(value); + var parsed = null; diff --git a/debian/patches/series b/debian/patches/series new file mode 100644 index 0000000..2c7bbd9 --- /dev/null +++ b/debian/patches/series @@ -0,0 +1 @@ +CVE-2020-7751.diff
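Review bot: In the index.js hunk of debian/patches/CVE-2020-7751.diff, the added `return {}` drops the semicolon that every neighbouring statement uses (`var parsed = null;`), and it short-circuits mapMatches with an empty object instead of whatever part shape the remaining lines build from `parsed` and `value`, so the fix relies on every consumer of the mapped array tolerating a part with none of those fields; that assumption is not visible in the hunk and deserves a sentence in the patch's Description. The check also runs on the raw segment string before the `/^\[(\d+)\]$/` index parsing, so it is worth stating in the Description that only the bare names `constructor`, `__proto__` and `prototype` are neutralised. Finally, the debdiff changes no test file while [ Tests ] says tests are enabled; adding a regression test for those three segment names to the patch would let autopkgtest prove the check in buster rather than relying on the sid run.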