[Pkg-javascript-devel] Bug#932500: Bug#932500: vulnerability: prototype pollution
On 20/07/2019 at 22:23, Salvatore Bonaccorso wrote:
> Hi Xavier,
>
> On Sat, Jul 20, 2019 at 05:44:05PM +0200, Xavier wrote:
>> On 20/07/2019 at 06:32, Paolo Greppi wrote:
>>> Package: node-mixin-deep
>>> Version: 1.1.3-3
>>> Severity: important
>>>
>>> Dear Maintainer,
>>>
>>> node-mixin-deep 1.1.3-3 is affected by a prototype pollution vulnerability:
>>> https://snyk.io/vuln/SNYK-JS-MIXINDEEP-450212
>>> https://github.com/jonschlinkert/mixin-deep/issues/6
>>>
>>> Please upgrade to either 1.3.2 or 2.0.1.
>>>
>>> Thanks, Paolo
>>
>> Hello,
>>
>> here is a proposed fix.
>
> Thanks for preparing a debdiff. Can you fix this via an upcoming point
> release for buster?
>
> Regards,
> Salvatore

Of course, thanks for your work!

-- 
Pkg-javascript-devel mailing list
Pkg-javascript-devel@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel
[Pkg-javascript-devel] Bug#932500: Bug#932500: vulnerability: prototype pollution
Hi Xavier,

On Sat, Jul 20, 2019 at 05:44:05PM +0200, Xavier wrote:
> On 20/07/2019 at 06:32, Paolo Greppi wrote:
> > Package: node-mixin-deep
> > Version: 1.1.3-3
> > Severity: important
> >
> > Dear Maintainer,
> >
> > node-mixin-deep 1.1.3-3 is affected by a prototype pollution vulnerability:
> > https://snyk.io/vuln/SNYK-JS-MIXINDEEP-450212
> > https://github.com/jonschlinkert/mixin-deep/issues/6
> >
> > Please upgrade to either 1.3.2 or 2.0.1.
> >
> > Thanks, Paolo
>
> Hello,
>
> here is a proposed fix.

Thanks for preparing a debdiff. Can you fix this via an upcoming point
release for buster?

Regards,
Salvatore
[Pkg-javascript-devel] Bug#932500: Bug#932500: vulnerability: prototype pollution
On 20/07/2019 at 06:32, Paolo Greppi wrote:
> Package: node-mixin-deep
> Version: 1.1.3-3
> Severity: important
>
> Dear Maintainer,
>
> node-mixin-deep 1.1.3-3 is affected by a prototype pollution vulnerability:
> https://snyk.io/vuln/SNYK-JS-MIXINDEEP-450212
> https://github.com/jonschlinkert/mixin-deep/issues/6
>
> Please upgrade to either 1.3.2 or 2.0.1.
>
> Thanks, Paolo

Hello,

here is a proposed fix.

Cheers,
Xavier

diff --git a/debian/changelog b/debian/changelog
index 17cb287..74f9154 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+node-mixin-deep (1.1.3-3+deb10u1) buster-security; urgency=medium
+
+  * Fix prototype pollution (Closes: #932500, CVE-2019-10746)
+
+ -- Xavier Guimard  Sat, 20 Jul 2019 17:41:17 +0200
+
 node-mixin-deep (1.1.3-3) unstable; urgency=medium
 
   * Team upload
diff --git a/debian/patches/CVE-2019-10746.diff b/debian/patches/CVE-2019-10746.diff
new file mode 100644
index 000..cc4b58a
--- /dev/null
+++ b/debian/patches/CVE-2019-10746.diff
@@ -0,0 +1,41 @@
+Description: Fix for CVE-2019-10746 (prototype pollution)
+Author: Jon Schlinkert (https://github.com/jonschlinkert)
+Origin: upstream, https://github.com/jonschlinkert/mixin-deep/commit/90ee1fab
+Bug: https://snyk.io/vuln/SNYK-JS-MIXINDEEP-450212
+Bug-Debian: https://bugs.debian.org/932500
+Forwarded: not-needed
+Reviewed-By: Xavier Guimard
+Last-Update: 2019-07-20
+
+--- a/index.js
++++ b/index.js
+@@ -23,10 +23,9 @@
+  */
+ 
+ function copy(val, key) {
+-  if (key === '__proto__') {
++  if (!isValidKey(key)) {
+     return;
+   }
+-
+   var obj = this[key];
+   if (isObject(val) && isObject(obj)) {
+     mixinDeep(obj, val);
+@@ -47,6 +46,17 @@
+ }
+ 
+ /**
++ * Returns true if `key` is a valid key to use when extending objects.
++ *
++ * @param {String} `key`
++ * @return {Boolean}
++ */
++
++function isValidKey(key) {
++  return key !== '__proto__' && key !== 'constructor' && key !== 'prototype';
++};
++
++/**
+  * Expose `mixinDeep`
+  */
+ 
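Review bot: the first `+` line of the debian/changelog hunk targets `buster-security` with version `1.1.3-3+deb10u1`, but this thread asks for the fix to go through a buster point release; an update that travels via stable-proposed-updates names `buster` as its distribution, so that field should be changed unless the security team ends up uploading it themselves.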
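Review bot: in the CVE-2019-10746.diff hunk, `isValidKey()` rejects only the three exact strings `__proto__`, `constructor` and `prototype`, and it is consulted inside `copy()` for every key, which is the right place because the recursion through `mixinDeep(obj, val)` re-enters `copy()` at each nested level; the trade-off worth stating in the Description is that a source object carrying a legitimate own `constructor` property now has that property silently dropped. A style point: `+};` after the `isValidKey` declaration leaves a stray empty statement; it is harmless and matches upstream commit 90ee1fab, so it can stay for the sake of a verbatim backport.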
diff --git a/debian/patches/series b/debian/patches/series
index 9b10403..da1c174 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1 +1,2 @@
 CVE-2018-3719.diff
+CVE-2019-10746.diff
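Review bot: the series hunk appends `CVE-2019-10746.diff` after `CVE-2018-3719.diff`, and that order is required rather than incidental: the new patch's first hunk removes the `if (key === '__proto__')` check, which is only present in the patched tree once the earlier CVE patch has been applied, so this ordering must be preserved if the series is ever regenerated.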
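To make the effect of the backported key check concrete, here is an added example (not code from the mixin-deep package or from the Debian patch): a minimal recursive merge in the shape of mixin-deep's `copy()` step, run once without and once with the guard that the patch introduces. It assumes, like mixin-deep, that functions count as mergeable targets, which is what lets a `constructor` key reach `Object.prototype`.

```javascript
// Assumption: functions are mergeable targets, mirroring mixin-deep's
// isObject(); without that, `constructor` could not reach Object.prototype.
function isObject(val) {
  return val !== null &&
    (typeof val === 'object' || typeof val === 'function') &&
    !Array.isArray(val);
}

// Same three rejected keys as isValidKey() in the patch.
function isValidKey(key) {
  return key !== '__proto__' && key !== 'constructor' && key !== 'prototype';
}

// Recursive merge of `source` into `target`; `guard` switches the key check
// on (patched behaviour) or off (behaviour before the fix).
function mergeDeep(target, source, guard) {
  for (const key of Object.keys(source)) {
    if (guard && !isValidKey(key)) continue;  // the fix: skip unsafe keys
    const val = source[key];
    const existing = target[key];             // '__proto__' -> Object.prototype
    if (isObject(val) && isObject(existing)) {
      mergeDeep(existing, val, guard);        // recursion re-checks each level
    } else if (isObject(val)) {
      target[key] = mergeDeep({}, val, guard);
    } else {
      target[key] = val;
    }
  }
  return target;
}

// Merges an untrusted JSON document into a fresh object and reports whether
// an unrelated object afterwards sees `marker`. The marker is removed again
// so a polluted prototype never outlives the check.
function pollutesPrototype(json, guard, marker) {
  mergeDeep({}, JSON.parse(json), guard);
  const leaked = Object.prototype[marker] !== undefined;
  delete Object.prototype[marker];
  return leaked;
}

// Constructed sample inputs covering both paths the patch closes.
const VIA_PROTO = '{"__proto__": {"marker": "set"}}';
const VIA_CONSTRUCTOR = '{"constructor": {"prototype": {"marker": "set"}}}';

// Ordinary nested input is merged normally with the guard on.
function mergeSample() {
  return JSON.stringify(mergeDeep({a: {b: 1}}, {a: {c: 2}, d: 3}, true));
}
```

Run it under Node: both constructed inputs pollute `Object.prototype` with the guard off and are ignored with it on, while `mergeSample()` shows that normal nested merging is unaffected.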
[Pkg-javascript-devel] Bug#932500: Bug#932500: vulnerability: prototype pollution
On 20/07/2019 at 06:32, Paolo Greppi wrote:
> Package: node-mixin-deep
> Version: 1.1.3-3
> Severity: important
>
> Dear Maintainer,
>
> node-mixin-deep 1.1.3-3 is affected by a prototype pollution vulnerability:
> https://snyk.io/vuln/SNYK-JS-MIXINDEEP-450212
> https://github.com/jonschlinkert/mixin-deep/issues/6
>
> Please upgrade to either 1.3.2 or 2.0.1.
>
> Thanks, Paolo

Looking at the upstream issue comment, this issue has already been reported by DSA and fixed (#898315, CVE-2018-3719).

See https://salsa.debian.org/js-team/node-mixin-deep/blob/master/debian/patches/CVE-2018-3719.diff