Package: release.debian.org Severity: normal Tags: buster User: [email protected] Usertags: pu
[ Reason ] node-xmldom is vulnerable to prototype pollution [ Impact ] Medium security issue [ Tests ] No new test, test passed [ Risks ] Low risk, patch is trivial [ Checklist ] [X] *all* changes are documented in the d/changelog [X] I reviewed all changes and I approve them [X] attach debdiff against the package in (old)stable [X] the issue is verified as fixed in unstable [ Changes ] Add checks to avoid prototype pollution Cheers, Yadd
diff --git a/debian/changelog b/debian/changelog index 51d769b..d16e01b 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +node-xmldom (0.1.27+ds-1+deb10u1) buster; urgency=medium + + * Team upload + * Fix prototype pollution (Closes: #1021618, CVE-2022-37616) + + -- Yadd <[email protected]> Wed, 12 Oct 2022 10:07:56 +0200 + node-xmldom (0.1.27+ds-1) unstable; urgency=low * Initial release (Closes: #902311). Repacked from github diff --git a/debian/patches/CVE-2022-37616.patch b/debian/patches/CVE-2022-37616.patch new file mode 100644 index 0000000..a591260 --- /dev/null +++ b/debian/patches/CVE-2022-37616.patch @@ -0,0 +1,80 @@ +Description: Avoid iterating over prototype properties +Author: Christian Bewernitz <[email protected]> +Origin: upstream, https://github.com/xmldom/xmldom/commit/7c0d4b7f +Bug: https://github.com/xmldom/xmldom/issues/436 +Bug-Debian: https://bugs.debian.org/1021618 +Forwarded: not-needed +Reviewed-By: Yadd <[email protected]> +Last-Update: 2022-10-12 + +--- a/dom.js ++++ b/dom.js +@@ -7,7 +7,7 @@ + + function copy(src,dest){ + for(var p in src){ +- dest[p] = src[p]; ++ if (Object.prototype.hasOwnProperty.call(src, p)) dest[p] = src[p]; + } + } + /** +@@ -377,7 +377,7 @@ + //console.dir(map) + if(map){ + for(var n in map){ +- if(map[n] == namespaceURI){ ++ if(Object.prototype.hasOwnProperty.call(map, n) && map[n] == namespaceURI){ + return n; + } + } +@@ -393,7 +393,7 @@ + var map = el._nsMap; + //console.dir(map) + if(map){ +- if(prefix in map){ ++ if(Object.prototype.hasOwnProperty.call(map, prefix)){ + return map[prefix] ; + } + } +@@ -1143,12 +1143,14 @@ + function cloneNode(doc,node,deep){ + var node2 = new node.constructor(); + for(var n in node){ ++ if (Object.prototype.hasOwnProperty.call(node, n)) { + var v = node[n]; + if(typeof v != 'object' ){ + if(v != node2[n]){ + node2[n] = v; + } + } ++ } + } + if(node.childNodes){ + node2.childNodes = new NodeList(); +--- a/sax.js ++++ b/sax.js +@@ -122,6 +122,7 @@ + domBuilder.endElement(config.uri,config.localName,tagName); + if(localNSMap){ + for(var prefix in localNSMap){ ++ if (Object.prototype.hasOwnProperty.call(localNSMap, prefix)) + domBuilder.endPrefixMapping(prefix) ; + } + } +@@ -450,6 +451,7 @@ + domBuilder.endElement(ns,localName,tagName); + if(localNSMap){ + for(prefix in localNSMap){ ++ if (Object.prototype.hasOwnProperty.call(localNSMap, prefix)) + domBuilder.endPrefixMapping(prefix) + } + } +@@ -497,7 +499,7 @@ + //} + } + function _copy(source,target){ +- for(var n in source){target[n] = source[n]} ++ for(var n in source){if (Object.prototype.hasOwnProperty.call(source, n)) target[n] = source[n]} + } + function parseDCC(source,start,domBuilder,errorHandler){//sure start with '<!' + var next= source.charAt(start+2) diff --git a/debian/patches/series b/debian/patches/series new file mode 100644 index 0000000..8f56e74 --- /dev/null +++ b/debian/patches/series @@ -0,0 +1 @@ +CVE-2022-37616.patch
