Package: release.debian.org Severity: normal Tags: buster User: release.debian....@packages.debian.org Usertags: pu
Hi all, node-lodash is vulnerable to prototype pollution (#933079, CVE-2019-10744). I imported the upstream fix in the attached debdiff. Cheers, Xavier
diff --git a/debian/changelog b/debian/changelog
index 70f10cb..880adff 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+node-lodash (4.17.11+dfsg-2+deb10u1) buster; urgency=medium
+
+ * Team upload
+ * Fix prototype pollution (Closes: #933079, CVE-2019-10744)
+
+ -- Xavier Guimard <y...@debian.org> Tue, 13 Aug 2019 19:02:17 +0200
+
 node-lodash (4.17.11+dfsg-2) unstable; urgency=medium
 
 * Drop modules directory (now generated from source)
diff --git a/debian/patches/CVE-2019-10744.patch b/debian/patches/CVE-2019-10744.patch
new file mode 100644
index 0000000..bdf0936
--- /dev/null
+++ b/debian/patches/CVE-2019-10744.patch
@@ -0,0 +1,34 @@
+Description: fix for CVE-2019-10744
+Author: Xavier Guimard <y...@debian.org>
+Origin: upstream, https://github.com/lodash/lodash/pull/4336/files
+Bug: https://github.com/lodash/lodash/issues/4348
+Bug-Debian: https://bugs.debian.org/933079
+Forwarded: not-needed
+Last-Update: 2019-08-13
+
+--- a/dist/lodash.js
++++ b/dist/lodash.js
+@@ -6613,6 +6613,10 @@
+ * @returns {*} Returns the property value.
+ */
+ function safeGet(object, key) {
++ if (key === 'constructor' && typeof object[key] === 'function') {
++ return;
++ }
++
+ if (key == '__proto__') {
+ return;
+ }
+--- a/lodash.js
++++ b/lodash.js
+@@ -6613,6 +6613,10 @@
+ * @returns {*} Returns the property value.
+ */
+ function safeGet(object, key) {
++ if (key === 'constructor' && typeof object[key] === 'function') {
++ return;
++ }
++
+ if (key == '__proto__') {
+ return;
+ }
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 0000000..2dd5579
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1 @@
+CVE-2019-10744.patch
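Review bot: The new `constructor` guard in `safeGet` (the same four lines in both `dist/lodash.js` and `lodash.js`) silently returns `undefined`, yet the JSDoc just above the hunk still promises only `Returns the property value`, so a one-line why-comment on the added `if` would help the next reader, e.g. `// Skip 'constructor' (when it is a function) and '__proto__' so a deep merge cannot write into a shared prototype (CVE-2019-10744).` `safeGet`'s final `return` and closing brace lie outside the hunk. The patch only touches the two unminified bundles; if the package ships `dist/lodash.min.js` rather than regenerating it at build time, that copy would still carry the old `safeGet`, which is worth checking against the build rules. If the upstream pull request named in the `Origin:` header carries a regression test for `merge`, importing it alongside this patch would keep the fix from being lost on a future rebase.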