Package: release.debian.org Severity: normal Tags: stretch User: release.debian....@packages.debian.org Usertags: pu
Hi, since stretch and buster have the same node-mixin-deep, I added here the same security patches as those pushed in buster. Cheers, Xavier
diff --git a/debian/changelog b/debian/changelog
index 2e47d2e..dca07c9 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+node-mixin-deep (1.1.3-1+deb9u1) stretch; urgency=medium
+
+ * Team upload
+ * Fix prototype polution (Closes: #898315, CVE-2018-3719)
+ * Fix prototype pollution (Closes: #932500, CVE-2019-10746)
+
+ -- Xavier Guimard <y...@debian.org> Mon, 09 Sep 2019 22:16:03 +0200
+
 node-mixin-deep (1.1.3-1) unstable; urgency=low
 * Initial release (Closes: #842329)
diff --git a/debian/patches/CVE-2018-3719.diff b/debian/patches/CVE-2018-3719.diff
new file mode 100644
index 0000000..868f5bb
--- /dev/null
+++ b/debian/patches/CVE-2018-3719.diff
@@ -0,0 +1,22 @@
+Description: Fix prototype pollution (CVE-2018-3719)
+Author: Jon Schlinkert <https://github.com/jonschlinkert>
+Origin: upstream, https://github.com/jonschlinkert/mixin-deep/commit/578b0bc5e74e14de9ef4975f504dc698796bdf9c
+Bug: https://www.npmjs.com/advisories/578
+Bug-Debian: https://bugs.debian.org/898315
+Forwarded: not-needed
+Reviewed-By: Xavier Guimard <y...@debian.org>
+Last-Update: 2019-04-21
+
+--- a/index.js
++++ b/index.js
+@@ -23,6 +23,10 @@
+ */
+
+ function copy(val, key) {
++ if (key === '__proto__') {
++ return;
++ }
++
+ var obj = this[key];
+ if (isObject(val) && isObject(obj)) {
+ mixinDeep(obj, val);
diff --git a/debian/patches/CVE-2019-10746.diff b/debian/patches/CVE-2019-10746.diff
new file mode 100644
index 0000000..cc4b58a
--- /dev/null
+++ b/debian/patches/CVE-2019-10746.diff
@@ -0,0 +1,41 @@
+Description: Fix for CVE-2019-10746 (prototype pollution)
+Author: Jon Schlinkert (https://github.com/jonschlinkert)
+Origin: upstream, https://github.com/jonschlinkert/mixin-deep/commit/90ee1fab
+Bug: https://snyk.io/vuln/SNYK-JS-MIXINDEEP-450212
+Bug-Debian: https://bugs.debian.org/932500
+Forwarded: not-needed
+Reviewed-By: Xavier Guimard <y...@debian.org>
+Last-Update: 2019-07-20
+
+--- a/index.js
++++ b/index.js
+@@ -23,10 +23,9 @@
+ */
+
+ function copy(val, key) {
+- if (key === '__proto__') {
++ if (!isValidKey(key)) {
+ return;
+ }
+-
+ var obj = this[key];
+ if (isObject(val) && isObject(obj)) {
+ mixinDeep(obj, val);
+@@ -47,6 +46,17 @@
+ }
+
+ /**
++ * Returns true if `key` is a valid key to use when extending objects.
++ *
++ * @param {String} `key`
++ * @return {Boolean}
++ */
++
++function isValidKey(key) {
++ return key !== '__proto__' && key !== 'constructor' && key !== 'prototype';
++};
++
++/**
+ * Expose `mixinDeep`
+ */
+
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 0000000..da1c174
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1,2 @@
+CVE-2018-3719.diff
+CVE-2019-10746.diff
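Review bot: The added `isValidKey` declaration in the second inner hunk closes with `};`, which leaves a stray empty statement after a function declaration; the line should read `}`. The guard is a fixed deny-list of the three names `__proto__`, `constructor` and `prototype` compared as exact strings, taken verbatim from the upstream commit named in the Origin header, so a short comment above the function such as `// Deny-list of keys whose assignment would reach Object.prototype (CVE-2018-3719, CVE-2019-10746)` would record why exactly these names are rejected. Because the first inner hunk replaces the `key === '__proto__'` guard introduced by CVE-2018-3719.diff, this patch only applies on top of that one, an ordering the series file encodes but the Description header does not mention; one sentence there would help a future backporter. The body of `copy` continues outside the hunk.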