I forgot the debdiff, sorry
On 26/09/2019 at 20:11, Xavier Guimard wrote:
> Package: release.debian.org
> Severity: normal
> Tags: buster
> User: release.debian....@packages.debian.org
> Usertags: pu
>
> Hi,
>
> node-set-value is vulnerable to prototype pollution (#941189,
> CVE-2019-10747). I imported and adapted the upstream patch and added a test
> inspired by the CVE report [1]. I think this could be safely added to the next
> buster point release.
>
> Cheers,
> Xavier
>
> [1]: https://snyk.io/vuln/SNYK-JS-SETVALUE-450213
diff --git a/debian/changelog b/debian/changelog index 49d174b..21101f9 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +node-set-value (0.4.0-1+deb10u1) buster; urgency=medium + + * Fix prototype pollution (Closes: #941189, CVE-2019-10747) + * Add test for CVE-2019-10747 + + -- Xavier Guimard <y...@debian.org> Thu, 26 Sep 2019 07:27:54 +0200 + node-set-value (0.4.0-1) unstable; urgency=low * Initial release (Closes: #842255) diff --git a/debian/patches/CVE-2019-10747.diff b/debian/patches/CVE-2019-10747.diff new file mode 100644 index 0000000..04075f8 --- /dev/null +++ b/debian/patches/CVE-2019-10747.diff @@ -0,0 +1,50 @@ +Description: Fix prototype pollution + Test is inspired from bug source +Author: Jon Schlinkert (https://github.com/jonschlinkert) +Origin: upstream, https://github.com/jonschlinkert/set-value/commit/cb12f149 +Bug: https://snyk.io/vuln/SNYK-JS-SETVALUE-450213 +Bug-Debian: https://bugs.debian.org/941189 +Forwarded: not-needed +Reviewed-By: Xavier Guimard <y...@debian.org> +Last-Update: 2019-09-26 + +--- a/index.js ++++ b/index.js +@@ -24,7 +24,7 @@ + return obj; + } + +- var segs = path.split('.'); ++ var segs = path.split('.').filter(isValidKey); + var len = segs.length, i = -1; + var res = obj; + var last; +@@ -59,3 +59,7 @@ + } + return res; + }; ++ ++function isValidKey(key) { ++ return key !== '__proto__' && key !== 'constructor' && key !== 'prototype'; ++} +--- a/test.js ++++ b/test.js +@@ -148,3 +148,18 @@ + assert.deepEqual(o, { 'e.f': { 'g.h.i': { j: 1 } } }); + }); + }); ++ ++describe('CVE-2019-10747', function() { ++ it("shouldn't pollute prototype", function() { ++ var paths = [ ++ 'constructor.prototype.a0', ++ '__proto__.a1', ++ ]; ++ for (const p of paths) { ++ set({}, p, true); ++ } ++ for (let i = 0; i < paths.length; i++) { ++ assert.equal(({})[`a${i}`], null); ++ } ++ }); ++}); diff --git a/debian/patches/series b/debian/patches/series new file mode 100644 index 0000000..ca81722 --- /dev/null 
+++ b/debian/patches/series @@ -0,0 +1 @@ +CVE-2019-10747.diff
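Review bot: in the index.js hunk, `var segs = path.split('.').filter(isValidKey);` drops the dangerous segments silently instead of rejecting the path, so `set(obj, '__proto__.a1', true)` no longer touches `Object.prototype` but does write `obj.a1 = true`, and `'constructor.prototype.a0'` collapses to a plain `obj.a0` write. That matches the upstream commit cb12f149 referenced in the DEP-3 header and is what stops the pollution, but the patch Description should say so in one line, since a caller that expects such a path to fail will get a successful write on the target object instead. Worth confirming as well that index.js builds `segs` only through this `split('.')` call, because `isValidKey` is applied nowhere else in the diff.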
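Review bot: in the test.js hunk, `assert.equal(({})[`a${i}`], null)` passes only through loose equality, because an unpolluted fresh object yields `undefined` for `a0`/`a1`, not `null`; `assert.strictEqual(({})[`a${i}`], undefined)` expresses the intent directly. Also, if the guard ever regresses, the polluted `Object.prototype.a0`/`a1` keys survive into every later test in the mocha run, so an `afterEach` that deletes those two keys from `Object.prototype` keeps the failure contained to this `describe` block. Both points are minor; the two paths exercised are exactly the ones from the Snyk advisory linked in the header.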