Package: release.debian.org Severity: normal Tags: buster User: release.debian....@packages.debian.org Usertags: pu
Hi, 2 new vulnerabilities have been published for dojo, both prototype pollution issues. I imported the 2 upstream fixes here. Cheers, Xavier
diff --git a/debian/changelog b/debian/changelog
index f2dfbd6c..d4aae875 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,12 @@
+dojo (1.14.2+dfsg1-1+deb10u2) buster; urgency=medium
+
+ * Team upload
+ * Fix prototype pollution in deepCopy method (Closes: #953585,
+ CVE-2020-5258)
+ * Fix Prototype Pollution in jqMix method (Closes: #953587, CVE-2020-5259)
+
+ -- Xavier Guimard <y...@debian.org> Wed, 11 Mar 2020 06:18:23 +0100
+
 dojo (1.14.2+dfsg1-1+deb10u1) buster; urgency=medium
 
 * Team upload
diff --git a/debian/patches/CVE-2020-5258.diff b/debian/patches/CVE-2020-5258.diff
new file mode 100644
index 00000000..4aefd61d
--- /dev/null
+++ b/debian/patches/CVE-2020-5258.diff
@@ -0,0 +1,20 @@
+Description: fix Prototype Pollution
+Author: Nick Nisi
+Origin: upstream, https://github.com/dojo/dojox/commit/c5901be1
+Bug: https://github.com/dojo/dojo/security/advisories/GHSA-jxfh-8wgv-vfr2
+Bug-Debian: https://bugs.debian.org/953585
+Forwarded: not-needed
+Reviewed-By: Xavier Guimard <y...@debian.org>
+Last-Update: 2020-03-11
+
+--- a/dojo/request/util.js
++++ b/dojo/request/util.js
+@@ -13,7 +13,7 @@
+ for (var name in source) {
+ var tval = target[name],
+ sval = source[name];
+- if (tval !== sval) {
++ if (name !== '__proto__' && tval !== sval) {
+ if (sval && typeof sval === 'object' && !(has('native-formdata') && sval instanceof FormData)) {
+ if (Object.prototype.toString.call(sval) === '[object Date]') { // use this date test to handle crossing frame boundaries
+ target[name] = new Date(sval);
diff --git a/debian/patches/CVE-2020-5259.diff b/debian/patches/CVE-2020-5259.diff
new file mode 100644
index 00000000..3d05ed7e
--- /dev/null
+++ b/debian/patches/CVE-2020-5259.diff
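Review bot: The `Origin:` header of the new CVE-2020-5258.diff points at a dojox commit (https://github.com/dojo/dojox/commit/c5901be1), the same URL the CVE-2020-5259 patch uses, while the hunk it carries edits dojo/request/util.js and its `Bug:` line cites an advisory in dojo/dojo; this looks like a copy-paste, and the header should name the dojo/dojo commit that introduced the `__proto__` guard so the provenance of the stable update can be checked. The guard itself only skips the `__proto__` key; since the surrounding deepCopy recurses into object-valued properties (the function's head and tail lie outside the hunk), the usual hardening is to also skip the `constructor` and `prototype` keys, e.g. `if (name === '__proto__' || name === 'constructor' || name === 'prototype') continue;` at the top of the loop body, weighed against keeping a stable update identical to upstream. A regression test that deep-copies an object parsed from JSON carrying a `__proto__` key and asserts that a fresh `{}` gains no new property would pin the fix.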
@@ -0,0 +1,20 @@
+Description: fix prototype pollution in jqMix method
+Author: Nick Nisi
+Origin: upstream, https://github.com/dojo/dojox/commit/c5901be1
+Bug: https://github.com/dojo/dojox/security/advisories/GHSA-3hw5-q855-g6cw
+Bug-Debian: https://bugs.debian.org/953587
+Forwarded: not-needed
+Reviewed-By: Xavier Guimard <y...@debian.org>
+Last-Update: 2020-03-11
+
+--- a/dojox/jq.js
++++ b/dojox/jq.js
+@@ -455,7 +455,7 @@
+ // inherited from Object.prototype. For example, if obj has a custom
+ // toString() method, don't overwrite it with the toString() method
+ // that props inherited from Object.prototype
+- if((tobj[x] === undefined || tobj[x] != props[x]) && props[x] !== undefined && obj != props[x]){
++ if(x !== '__proto__ ' && ((tobj[x] === undefined || tobj[x] != props[x])) && props[x] !== undefined && obj != props[x]){
+ if(dojo.isObject(obj[x]) && dojo.isObject(props[x])){
+ if(dojo.isArray(props[x])){
+ obj[x] = props[x];
diff --git a/debian/patches/series b/debian/patches/series
index b0f5ff11..d5b7db42 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -2,3 +2,5 @@
 0002-Do-notrun-test-suite-in-build.patch
 0003-Disable-flash-storage.patch
 CVE-2019-10785.patch
+CVE-2020-5258.diff
+CVE-2020-5259.diff
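Review bot: The added guard in the dojox/jq.js hunk compares `x` against `'__proto__ '` with a trailing space inside the string literal, so it never matches the actual `__proto__` key and the jqMix fix for CVE-2020-5259 is a no-op as written; unless the space is an artifact of how this message was rendered, the literal must be `'__proto__'`: `if(x !== '__proto__' && (tobj[x] === undefined || tobj[x] != props[x]) && props[x] !== undefined && obj != props[x]){`. The doubled parentheses around the first condition are harmless but can go at the same time. The enclosing jqMix function starts and ends outside the hunk, so other writes to `obj[x]` in it cannot be checked here. Before upload, a regression test that runs the patched jqMix on an object parsed from JSON containing a `__proto__` key and asserts that a fresh `{}` gains no property would catch this.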