Control: tags -1 - moreinfo
On 7/25/23 11:40, Jonathan Wiltshire wrote:
Control: tag -1 = bullseye moreinfo
On Mon, Jul 24, 2023 at 09:37:58PM +0100, Adam D. Barratt wrote:
On Mon, 2023-07-24 at 21:27 +0100, Jonathan Wiltshire wrote:
Control: tag -1 confirmed
On Sun, Jul 09, 2023 at 09:11:26AM +0400, Yadd wrote:
[ Reason ]
node-dottie is vulnerable to prototype pollution (#1040592,
CVE-2023-26132)
By all means go ahead, but it can't be accepted until the situation in
testing is fixed up (unless we propagate the version from
bookworm-proposed-updates to testing).
The provided diff appears to be against the package in bookworm.
bullseye has 2.0.2-1.
Euf, right - sorry (too many releases started 'b'...)
Please revise the debdiff.
Thanks,
Sorry, here is the new debdiff
diff --git a/debian/changelog b/debian/changelog
index d790b40..59ef133 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+node-dottie (2.0.2-1+deb11u1) bullseye; urgency=medium
+
+ * Team upload
+ * Fix prototype pollution (Closes: #1040592, CVE-2023-26132)
+
+ -- Yadd <y...@debian.org> Sun, 09 Jul 2023 08:46:31 +0400
+
node-dottie (2.0.2-1) unstable; urgency=medium
* New upstream version 2.0.2
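Review bot: the changelog entry records only the patch; the empty debian/tests/pkg-js/enable_proto file added at the end of this debdiff is not mentioned anywhere, so a second bullet stating why it is there (its purpose is not explained in the debdiff itself) would help the release team judge it. The 2.0.2-1+deb11u1 version and the bullseye distribution line match the 2.0.2-1 base the release team asked for, and `Closes: #1040592` agrees with the Bug-Debian field in the patch header.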
diff --git a/debian/patches/CVE-2023-26132.patch
b/debian/patches/CVE-2023-26132.patch
new file mode 100644
index 0000000..5186407
--- /dev/null
+++ b/debian/patches/CVE-2023-26132.patch
@@ -0,0 +1,76 @@
+Description: rudimentary __proto__ guarding
+Author: Mick Hansen <ma...@mhansen.io>
+Origin: upstream, https://github.com/mickhansen/dottie.js/commit/7d3aee1c
+Bug: https://security.snyk.io/vuln/SNYK-JS-DOTTIE-3332763
+Bug-Debian: https://bugs.debian.org/1040592
+Forwarded: not-needed
+Applied-Upstream: 2.0.6, commit:7d3aee1c
+Reviewed-By: Yadd <y...@debian.org>
+Last-Update: 2023-07-09
+
+--- a/README.md
++++ b/README.md
+@@ -42,6 +42,8 @@
+ });
+ ```
+
++If you accept arbitrary/user-defined paths to `set` you should call
`Object.preventExtensions(values)` first to guard against potential pollution.
++
+ ### Transform object
+ Transform object from keys with dottie notation to nested objects
+
+--- a/dottie.js
++++ b/dottie.js
+@@ -72,6 +72,7 @@
+ // Set nested value
+ Dottie.set = function(object, path, value, options) {
+ var pieces = Array.isArray(path) ? path : path.split('.'), current =
object, piece, length = pieces.length;
++ if (pieces[0] === '__proto__') return;
+
+ if (typeof current !== 'object') {
+ throw new Error('Parent is not an object.');
+@@ -137,6 +138,9 @@
+
+ if (key.indexOf(options.delimiter) !== -1) {
+ pieces = key.split(options.delimiter);
++
++ if (pieces[0] === '__proto__') break;
++
+ piecesLength = pieces.length;
+ current = transformed;
+
+--- a/test/set.test.js
++++ b/test/set.test.js
+@@ -45,4 +45,12 @@
+ });
+ expect(data.foo.bar.baz).to.equal('someValue');
+ });
++
++ it('should not attempt to set __proto__', function () {
++ var data = {};
++
++ dottie.set(data, '__proto__.pollution', 'polluted');
++
++ expect(data.__proto__.pollution).to.be.undefined;
++ });
+ });
+\ No newline at end of file
+--- a/test/transform.test.js
++++ b/test/transform.test.js
+@@ -145,4 +145,16 @@
+ expect(transformed.user.location.city).to.equal('Zanzibar City');
+ expect(transformed.project.title).to.equal('dottie');
+ });
++
++ it("should guard against prototype pollution", function () {
++ var values = {
++ 'user.name': 'John Doe',
++ '__proto__.pollution': 'pollution'
++ };
++
++ var transformed = dottie.transform(values);
++ expect(transformed.user).not.to.equal(undefined);
++ expect(transformed.user.name).to.equal('John Doe');
++ expect(transformed.__proto__.pollution).to.be.undefined;
++ });
+ });
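Review bot: in the dottie.js transform change, `if (pieces[0] === '__proto__') break;` uses `break`, which, if this sits inside the loop over the object's keys as the surrounding code suggests (the loop header is outside the shown context), stops processing every remaining key rather than skipping only the offending one, so a benign key that happens to follow a `__proto__`-prefixed key is silently dropped from the result; `continue` would skip just that key. The new transform.test.js case puts `'__proto__.pollution'` last in the object, so it would not detect that difference. Since this is a verbatim backport of the upstream commit, keeping it identical is defensible, but the behaviour is worth a line in the patch header. Both guards inspect only `pieces[0]`, which is why the upstream description calls them rudimentary and the README hunk tells callers that accept user-supplied paths to call `Object.preventExtensions(values)` first; the set.test.js and transform.test.js additions cover exactly that first-segment case and nothing more.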
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 0000000..e86da5e
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1 @@
+CVE-2023-26132.patch
diff --git a/debian/tests/pkg-js/enable_proto b/debian/tests/pkg-js/enable_proto
new file mode 100644
index 0000000..e69de29