Bug#934704: buster-pu: package node-lodash/4.17.11+dfsg-2+deb10u1

2019-08-22 Thread Adam D. Barratt
Control: tags -1 + confirmed

On Tue, 2019-08-13 at 19:07 +0200, Xavier Guimard wrote:
> node-lodash is vulnerable to prototype pollution (#933079,
> CVE-2019-10744). I imported upstream fix in the attached debdiff.

Please go ahead.

Regards,

Adam



Bug#934704: buster-pu: package node-lodash/4.17.11+dfsg-2+deb10u1

2019-08-13 Thread Xavier Guimard
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian@packages.debian.org
Usertags: pu

Hi all,

node-lodash is vulnerable to prototype pollution (#933079,
CVE-2019-10744). I imported upstream fix in the attached debdiff.

Cheers,
Xavier
diff --git a/debian/changelog b/debian/changelog
index 70f10cb..880adff 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+node-lodash (4.17.11+dfsg-2+deb10u1) buster; urgency=medium
+
+  * Team upload
+  * Fix prototype pollution (Closes: #933079, CVE-2019-10744)
+
+ -- Xavier Guimard   Tue, 13 Aug 2019 19:02:17 +0200
+
 node-lodash (4.17.11+dfsg-2) unstable; urgency=medium
 
   * Drop modules directory (now generated from source)
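Review bot: the trailer line of the new changelog entry (`-- Xavier Guimard   Tue, 13 Aug 2019 19:02:17 +0200`) shows no email address between the name and the date in this rendering; if that is how the file reads in the upload rather than a mail-archive artefact, `dpkg-parsechangelog` will reject the entry, so please confirm the stanza is the usual `-- Name <email>  date` form before uploading.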
diff --git a/debian/patches/CVE-2019-10744.patch 
b/debian/patches/CVE-2019-10744.patch
new file mode 100644
index 000..bdf0936
--- /dev/null
+++ b/debian/patches/CVE-2019-10744.patch
@@ -0,0 +1,34 @@
+Description: fix for CVE-2019-10744
+Author: Xavier Guimard 
+Origin: upstream, https://github.com/lodash/lodash/pull/4336/files
+Bug: https://github.com/lodash/lodash/issues/4348
+Bug-Debian: https://bugs.debian.org/933079
+Forwarded: not-needed
+Last-Update: 2019-08-13
+
+--- a/dist/lodash.js
 b/dist/lodash.js
+@@ -6613,6 +6613,10 @@
+  * @returns {*} Returns the property value.
+  */
+ function safeGet(object, key) {
++  if (key === 'constructor' && typeof object[key] === 'function') {
++return;
++  }
++
+   if (key == '__proto__') {
+ return;
+   }
+--- a/lodash.js
 b/lodash.js
+@@ -6613,6 +6613,10 @@
+  * @returns {*} Returns the property value.
+  */
+ function safeGet(object, key) {
++  if (key === 'constructor' && typeof object[key] === 'function') {
++return;
++  }
++
+   if (key == '__proto__') {
+ return;
+   }
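Review bot: in both embedded hunks the target-file header appears as a bare ` b/dist/lodash.js` / ` b/lodash.js` line with no `+++` prefix, while the `--- a/dist/lodash.js` / `--- a/lodash.js` lines are intact; if that is really what `debian/patches/CVE-2019-10744.patch` contains and not just mail rendering, quilt will not apply the patch, so please confirm the headers read `--- a/dist/lodash.js` / `+++ b/dist/lodash.js` and that `quilt push -a` succeeds on the source tree. On the fix itself, the added `constructor` guard in `safeGet` only returns early when `object[key]` is a function, which keeps it from rejecting an ordinary data property named `constructor` while still refusing to walk into a real constructor; that matches the referenced upstream PR, and it is worth a sentence in the DEP-3 `Description` field explaining that this guard complements the existing `__proto__` check, since `fix for CVE-2019-10744` alone says nothing about what the change does.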
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 000..2dd5579
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1 @@
+CVE-2019-10744.patch