[Pkg-javascript-devel] Bug#932500: Bug#932500: vulnerability: prototype pollution
Le 20/07/2019 à 22:23, Salvatore Bonaccorso a écrit : > Hi Xavier, > > On Sat, Jul 20, 2019 at 05:44:05PM +0200, Xavier wrote: >> Le 20/07/2019 à 06:32, Paolo Greppi a écrit : >>> Package: node-mixin-deep >>> Version: 1.1.3-3 >>> Severity: important >>> >>> Dear Maintainer, >>> >>> node-mixin-deep 1.1.3-3 is affected by a prototype pollution vulnerability: >>> https://snyk.io/vuln/SNYK-JS-MIXINDEEP-450212 >>> https://github.com/jonschlinkert/mixin-deep/issues/6 >>> >>> Please upgrade to either 1.3.2 or 2.0.1. >>> >>> Thanks, Paolo >> >> Hello, >> >> here is a proposed fix. > > Thanks for preparing a debdiff. Can you fix this via an upcoming point > release for buster? > > Regards, > Salvatore Of course, thanks for your work ! -- Pkg-javascript-devel mailing list Pkg-javascript-devel@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel
[Pkg-javascript-devel] Bug#932500: Bug#932500: vulnerability: prototype pollution
Hi Xavier, On Sat, Jul 20, 2019 at 05:44:05PM +0200, Xavier wrote: > Le 20/07/2019 à 06:32, Paolo Greppi a écrit : > > Package: node-mixin-deep > > Version: 1.1.3-3 > > Severity: important > > > > Dear Maintainer, > > > > node-mixin-deep 1.1.3-3 is affected by a prototype pollution vulnerability: > > https://snyk.io/vuln/SNYK-JS-MIXINDEEP-450212 > > https://github.com/jonschlinkert/mixin-deep/issues/6 > > > > Please upgrade to either 1.3.2 or 2.0.1. > > > > Thanks, Paolo > > Hello, > > here is a proposed fix. Thanks for preparing a debdiff. Can you fix this via an upcoming point release for buster? Regards, Salvatore -- Pkg-javascript-devel mailing list Pkg-javascript-devel@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel
[Pkg-javascript-devel] Bug#932500: Bug#932500: vulnerability: prototype pollution
Le 20/07/2019 à 06:32, Paolo Greppi a écrit :
> Package: node-mixin-deep
> Version: 1.1.3-3
> Severity: important
>
> Dear Maintainer,
>
> node-mixin-deep 1.1.3-3 is affected by a prototype pollution vulnerability:
> https://snyk.io/vuln/SNYK-JS-MIXINDEEP-450212
> https://github.com/jonschlinkert/mixin-deep/issues/6
>
> Please upgrade to either 1.3.2 or 2.0.1.
>
> Thanks, Paolo
Hello,
here is a proposed fix.
Cheers,
Xavier
diff --git a/debian/changelog b/debian/changelog
index 17cb287..74f9154 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+node-mixin-deep (1.1.3-3+deb10u1) buster-security; urgency=medium
+
+ * Fix prototype pollution (Closes: #932500, CVE-2019-10746)
+
+ -- Xavier Guimard Sat, 20 Jul 2019 17:41:17 +0200
+
node-mixin-deep (1.1.3-3) unstable; urgency=medium
* Team upload
diff --git a/debian/patches/CVE-2019-10746.diff
b/debian/patches/CVE-2019-10746.diff
new file mode 100644
index 000..cc4b58a
--- /dev/null
+++ b/debian/patches/CVE-2019-10746.diff
@@ -0,0 +1,41 @@
+Description: Fix for CVE-2019-10746 (prototype pollution)
+Author: Jon Schlinkert (https://github.com/jonschlinkert)
+Origin: upstream, https://github.com/jonschlinkert/mixin-deep/commit/90ee1fab
+Bug: https://snyk.io/vuln/SNYK-JS-MIXINDEEP-450212
+Bug-Debian: https://bugs.debian.org/932500
+Forwarded: not-needed
+Reviewed-By: Xavier Guimard
+Last-Update: 2019-07-20
+
+--- a/index.js
b/index.js
+@@ -23,10 +23,9 @@
+ */
+
+ function copy(val, key) {
+- if (key === '__proto__') {
++ if (!isValidKey(key)) {
+ return;
+ }
+-
+ var obj = this[key];
+ if (isObject(val) && isObject(obj)) {
+ mixinDeep(obj, val);
+@@ -47,6 +46,17 @@
+ }
+
+ /**
++ * Returns true if `key` is a valid key to use when extending objects.
++ *
++ * @param {String} `key`
++ * @return {Boolean}
++ */
++
++function isValidKey(key) {
++ return key !== '__proto__' && key !== 'constructor' && key !== 'prototype';
++};
++
++/**
+ * Expose `mixinDeep`
+ */
+
diff --git a/debian/patches/series b/debian/patches/series
index 9b10403..da1c174 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1 +1,2 @@
CVE-2018-3719.diff
+CVE-2019-10746.diff
--
Pkg-javascript-devel mailing list
Pkg-javascript-devel@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel
[Pkg-javascript-devel] Bug#932500: Bug#932500: vulnerability: prototype pollution
Le 20/07/2019 à 06:32, Paolo Greppi a écrit : > Package: node-mixin-deep > Version: 1.1.3-3 > Severity: important > > Dear Maintainer, > > node-mixin-deep 1.1.3-3 is affected by a prototype pollution vulnerability: > https://snyk.io/vuln/SNYK-JS-MIXINDEEP-450212 > https://github.com/jonschlinkert/mixin-deep/issues/6 > > Please upgrade to either 1.3.2 or 2.0.1. > > Thanks, Paolo Looking at upstream issue comment, this issue has been already reported by DSA and fixed (#898315, CVE-2018-3719) See https://salsa.debian.org/js-team/node-mixin-deep/blob/master/debian/patches/CVE-2018-3719.diff -- Pkg-javascript-devel mailing list Pkg-javascript-devel@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel
