Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian....@packages.debian.org
Usertags: pu
[ Reason ]
node-cached-path-relative is vulnerable to prototype pollution (CVE-2021-23518)

[ Impact ]
Medium vulnerability

[ Tests ]
Test passed, no new check

[ Risks ]
Low risk, patch is trivial

[ Checklist ]
[X] *all* changes are documented in the d/changelog
[X] I reviewed all changes and I approve them
[X] attach debdiff against the package in (old)stable
[X] the issue is verified as fixed in unstable

Cheers,
Yadd
diff --git a/debian/changelog b/debian/changelog index 9f42f71..fb79e59 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +node-cached-path-relative (1.0.2-1+deb11u1) bullseye; urgency=medium + + * Team upload + * Fix prototype pollution (Closes: CVE-2021-23518) + + -- Yadd <y...@debian.org> Wed, 26 Jan 2022 14:36:03 +0100 + node-cached-path-relative (1.0.2-1) unstable; urgency=medium * New upstream version: fix prototype pollution vulnerability diff --git a/debian/patches/CVE-2021-23518.patch b/debian/patches/CVE-2021-23518.patch new file mode 100644 index 0000000..99705bb --- /dev/null +++ b/debian/patches/CVE-2021-23518.patch @@ -0,0 +1,28 @@ +Description: fix prototype pollution +Origin: upstream, https://github.com/ashaffer/cached-path-relative/commit/40c73bf70 +Author: Andrew <dar...@gmail.com> +Bug: https://security.snyk.io/vuln/SNYK-JS-CACHEDPATHRELATIVE-72573 +Forwarded: not-needed +Reviewed-By: Yadd <y...@debian.org> +Last-Update: 2022-01-26 + +--- a/lib/index.js ++++ b/lib/index.js +@@ -27,7 +27,7 @@ + // to invalidate the cache + var cwd = process.cwd() + if (cwd !== lastCwd) { +- cache = {} ++ cache = Object.create(null) + lastCwd = cwd + } + +@@ -35,7 +35,7 @@ + + var result = relative.call(path, from, to) + +- cache[from] = cache[from] || {} ++ cache[from] = cache[from] || Object.create(null) + cache[from][to] = result + + return result diff --git a/debian/patches/series b/debian/patches/series new file mode 100644 index 0000000..625c955 --- /dev/null +++ b/debian/patches/series @@ -0,0 +1 @@ +CVE-2021-23518.patch
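Review bot: `Closes:` in the debian/changelog hunk for 1.0.2-1+deb11u1 is followed by a CVE identifier rather than a Debian bug number, which dpkg-parsechangelog only recognises in the `#NNNNNN` form; if this upload is meant to close a BTS report, add `(Closes: #NNNNNN)` with the bug number, otherwise write the entry as `* Fix prototype pollution (CVE-2021-23518)` so the CVE is still picked up by the security tracker without a dangling `Closes:`.

Review bot: no regression test accompanies the two hunks in debian/patches/CVE-2021-23518.patch, and the cover note confirms "no new check" was added; since the change swaps `cache = {}` and `cache[from] = cache[from] || {}` for `Object.create(null)` so that a `from` or `to` value of `__proto__` becomes an own property instead of reaching `Object.prototype`, a small test that calls the function with `__proto__` as the `from` argument and asserts that `Object.prototype` gained no property would document the fix and catch a future return to an object literal.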