Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian....@packages.debian.org
Usertags: pu
[ Reason ]
Another prototype pollution (CVE-2020-28282)

[ Impact ]
Low security issue

[ Tests ]
Sadly no test

[ Risks ]
No risk (patch is trivial)

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

[ Changes ]
New check

Cheers,
Yadd
diff --git a/debian/changelog b/debian/changelog index 52c376a..ebd18a4 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +node-getobject (0.1.0-2+deb10u1) buster; urgency=medium + + * Team upload + * Fix prototype pollution (Closes: CVE-2020-28282) + + -- Yadd <y...@debian.org> Sat, 16 Oct 2021 13:55:46 +0200 + node-getobject (0.1.0-2) unstable; urgency=medium * Fix Vcs-Git url diff --git a/debian/patches/CVE-2020-28282.patch b/debian/patches/CVE-2020-28282.patch new file mode 100644 index 0000000..9fb7cc9 --- /dev/null +++ b/debian/patches/CVE-2020-28282.patch @@ -0,0 +1,20 @@ +Description: Do not allow setting of __proto__ +Author: Vlad Filippov <vlad.filip...@gmail.com> +Bug: https://security-tracker.debian.org/tracker/CVE-2020-28282 +Forwarded: not-needed +Reviewed-By: Yadd <y...@debian.org> +Last-Update: 2021-10-16 + +--- a/lib/getobject.js ++++ b/lib/getobject.js +@@ -41,6 +41,10 @@ + // as we go. + getobject.set = function(obj, parts, value) { + parts = getParts(parts); ++ if (parts.includes('__proto__')) { ++ // do not allow setting of __proto__. See CVE-2020-28282. ++ return; ++ } + + var prop = parts.pop(); + obj = getobject.get(obj, parts, true); diff --git a/debian/patches/series b/debian/patches/series new file mode 100644 index 0000000..b74a7fb --- /dev/null +++ b/debian/patches/series @@ -0,0 +1 @@ +CVE-2020-28282.patch
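Review bot: in the debian/changelog hunk, "(Closes: CVE-2020-28282)" will not close anything, because the Closes: keyword is parsed for Debian bug numbers (#NNNNNN), not CVE identifiers; write "Fix prototype pollution (CVE-2020-28282)" and, if a bug report exists for this issue, add a separate "(Closes: #<bug number>)".

Review bot: in the lib/getobject.js hunk, the new guard rejects only the literal segment '__proto__' and then returns silently, so a rejected set is indistinguishable from a successful one for the caller; consider throwing a TypeError instead of a bare `return;` so misuse is visible. The same check is usually extended to the 'constructor' and 'prototype' segments, which reach the same shared prototype objects, e.g. `if (parts.includes('__proto__') || parts.includes('constructor') || parts.includes('prototype')) {`. Since [ Tests ] says no test exists, a short regression test asserting that a path containing one of these segments is rejected and leaves Object.prototype unchanged would guard the fix.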