Your message dated Sat, 06 Feb 2021 10:39:26 +0000
with message-id 
<6425525e38201ecf9a2d3e0f1e63c0d3b08e0fc0.ca...@adam-barratt.org.uk>
and subject line Closing p-u bugs for updates in 10.8
has caused the Debian Bug report #976392,
regarding buster-pu: package node-y18n/3.2.1-2+deb10u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
976392: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=976392
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian....@packages.debian.org
Usertags: pu

[ Reason ]
node-y18n is vulnerable to prototype pollution

[ Impact ]
Little security risk

[ Tests ]
Test added in autopkgtest, and verified: fails without patch, succeeds
with patch

[ Risks ]
Low risk, upstream test + CVE test show that all works

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

[ Changes ]
Just a little change in variable initialization

Note: package already uploaded

Cheers,
Xavier
diff --git a/debian/changelog b/debian/changelog
index 72257ee..d969c10 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+node-y18n (3.2.1-2+deb10u1) buster; urgency=medium
+
+  * Team upload.
+  * Fix prototype pollution (Closes: #976390, CVE-2020-7774)
+
+ -- Xavier Guimard <y...@debian.org>  Fri, 04 Dec 2020 15:41:08 +0100
+
 node-y18n (3.2.1-2) unstable; urgency=medium
 
   * Enable tests 
diff --git a/debian/patches/CVE-2020-7774.patch 
b/debian/patches/CVE-2020-7774.patch
new file mode 100644
index 0000000..2e292c1
--- /dev/null
+++ b/debian/patches/CVE-2020-7774.patch
@@ -0,0 +1,20 @@
+Description: fix for CVE-2020-7774
+Author: bcoe <ben...@google.com>
+Origin: upstream, bcoe <ben...@google.com>
+Bug: https://github.com/yargs/y18n/issues/96
+Bug-Debian: https://bugs.debian.org/976390
+Forwarded: not-needed
+Reviewed-By: Xavier Guimard <y...@debian.org>
+Last-Update: 2020-12-04
+
+--- a/index.js
++++ b/index.js
+@@ -11,7 +11,7 @@
+   this.fallbackToLanguage = typeof opts.fallbackToLanguage === 'boolean' ? 
opts.fallbackToLanguage : true
+ 
+   // internal stuff.
+-  this.cache = {}
++  this.cache = Object.create(null)
+   this.writeQueue = []
+ }
+ 
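Review bot: The one-line change is correct but unexplained in the code; add a comment above `this.cache = Object.create(null)` saying that a null-prototype object has no inherited `__proto__`/`constructor` accessors, so a user-supplied locale name such as `__proto__` no longer resolves `this.cache[locale]` to `Object.prototype` (the CVE-2020-7774 path), otherwise a later refactor back to `{}` silently reintroduces the bug. Note also that this hunk hardens only `this.cache`; any other table keyed by the user-controlled locale lives outside this hunk and should be checked for the same pattern.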
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 0000000..7d69b10
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1 @@
+CVE-2020-7774.patch
diff --git a/debian/tests/CVE-2020-7774-check b/debian/tests/CVE-2020-7774-check
new file mode 100755
index 0000000..8b5ff40
--- /dev/null
+++ b/debian/tests/CVE-2020-7774-check
@@ -0,0 +1,14 @@
+#!/usr/bin/nodejs
+
+const y18n = require('y18n')();
+//var polluted;
+y18n.setLocale('__proto__');
+y18n.updateLocale({polluted: true});
+try {
+if(polluted) console.error('Vulnerable to CVE-2020-7774');
+process.exit(polluted);
+}
+catch(e) {
+console.log('Not vulnerable to CVE-2020-7774');
+process.exit(0);
+}
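Review bot: The pass/fail logic is implicit and fragile: the "not vulnerable" branch is reached only because the bare identifier `polluted` throws a ReferenceError that the `catch` swallows, and the vulnerable branch calls `process.exit(polluted)` with a boolean where an integer status is expected. Suggest an explicit check that does not depend on the exception, for example `if (({}).polluted) { console.error('Vulnerable to CVE-2020-7774'); process.exit(1); }` followed by `console.log('Not vulnerable to CVE-2020-7774');`, and drop the leftover `//var polluted;` line and the flat indentation inside the `try`/`catch` blocks.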
diff --git a/debian/tests/control b/debian/tests/control
index 57de701..b19a2bc 100644
--- a/debian/tests/control
+++ b/debian/tests/control
@@ -1,4 +1,4 @@
-Tests: require
+Tests: require, CVE-2020-7774-check
 Depends: node-y18n
 
 Test-Command: mocha -R spec

--- End Message ---
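To show why the `{}` to `Object.create(null)` change above is sufficient, here is an added, self-contained example (not y18n's code, not part of the bug report): a minimal locale cache in the shape the patched constructor uses, run once with a plain-object cache and once with a null-prototype cache. The names `LocaleCache` and `isPrototypePolluted`, and the in-memory stand-in for the locale-file read, are assumptions made for the example.

```javascript
// Added example, not y18n's code. Hypothetical names: LocaleCache,
// isPrototypePolluted. The locale-file read is replaced by an in-memory
// stand-in so the script runs offline.
'use strict';

function LocaleCache(usePlainObject) {
  // Vulnerable shape: a plain object inherits the `__proto__` accessor, so
  // cache['__proto__'] resolves to Object.prototype.
  // Hardened shape (the patch): a null-prototype object has no inherited
  // accessors, so cache['__proto__'] is undefined until an own property
  // of that name is created.
  this.cache = usePlainObject ? {} : Object.create(null);
  this.locale = 'en';
}

LocaleCache.prototype.setLocale = function (locale) {
  // Attacker-controlled string, as in y18n.setLocale('__proto__').
  this.locale = locale;
};

LocaleCache.prototype.updateLocale = function (obj) {
  // Stand-in for reading <locale>.json: start an empty table if none cached.
  if (!this.cache[this.locale]) this.cache[this.locale] = {};
  for (var key in obj) {
    this.cache[this.locale][key] = obj[key];
  }
};

// Returns true if a user-controlled locale name was able to write through
// to Object.prototype. Cleans up afterwards so the check is repeatable.
function isPrototypePolluted(usePlainObject) {
  var y = new LocaleCache(usePlainObject);
  y.setLocale('__proto__');
  y.updateLocale({ polluted: true });
  var leaked = ({}).polluted === true; // visible on every fresh object?
  delete Object.prototype.polluted;
  return leaked;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('plain {} cache polluted:', isPrototypePolluted(true));
  console.log('Object.create(null) cache polluted:', isPrototypePolluted(false));
}
```

With the plain-object cache the `updateLocale` call lands on `Object.prototype` and every object in the process gains a `polluted` property; with the null-prototype cache the assignment creates an ordinary own property named `__proto__` on the cache and nothing leaks.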
--- Begin Message ---
Package: release.debian.org
Version: 10.8

Hi,

Each of the updates referenced by these bugs was included in today's
10.8 point release.

Regards,

Adam

--- End Message ---