Package: release.debian.org Severity: normal Tags: buster User: release.debian....@packages.debian.org Usertags: pu
[ Reason ] node-minimist is vulnerable to a prototype pollution not totally fixed by CVE-2020-7598 patch (pushed in 1.2.5-1 and 1.2.0-1+deb10u1) [ Impact ] Medium vulnerability [ Tests ] Test updated by upstream, passed locally (sadly not enabled in buster) [ Risks ] Low risk, patch is trivial [ Checklist ] [X] *all* changes are documented in the d/changelog [X] I reviewed all changes and I approve them [X] attach debdiff against the package in (old)stable [X] the issue is verified as fixed in unstable [ Changes ] Better object check Cheers, Yadd
diff --git a/debian/changelog b/debian/changelog
index 327fcb5..5d1f9d5 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+node-minimist (1.2.0-1+deb10u2) buster; urgency=medium
+
+ * Fix prototype pollution (Closes: CVE-2021-44906)
+
+ -- Yadd <y...@debian.org> Wed, 23 Mar 2022 12:42:36 +0100
+
 node-minimist (1.2.0-1+deb10u1) buster; urgency=medium
 * Team upload
diff --git a/debian/patches/CVE-2021-44906.patch b/debian/patches/CVE-2021-44906.patch
new file mode 100644
index 0000000..8f26607
--- /dev/null
+++ b/debian/patches/CVE-2021-44906.patch
@@ -0,0 +1,59 @@
+Description: Fix for prototype pollution
+ The initial fix for prototype pollution (cf. SNYK-JS-MINIMIST-559764) in
+ setKey() was insufficient.
+Author: Yadd <y...@debian.org>
+Origin: upstream, https://github.com/substack/minimist/pull/165
+Bug: https://github.com/substack/minimist/issues/164
+Forwarded: not-needed
+Last-Update: 2022-03-23
+
+--- a/index.js
++++ b/index.js
+@@ -70,7 +70,7 @@
+ var o = obj;
+ for (var i = 0; i < keys.length-1; i++) {
+ var key = keys[i];
+- if (key === '__proto__') return;
++ if (isConstructorOrProto(o, key)) return;
+ if (o[key] === undefined) o[key] = {};
+ if (o[key] === Object.prototype || o[key] === Number.prototype
+ || o[key] === String.prototype) o[key] = {};
+@@ -79,7 +79,7 @@
+ }
+
+ var key = keys[keys.length - 1];
+- if (key === '__proto__') return;
++ if (isConstructorOrProto(o, key)) return;
+ if (o === Object.prototype || o === Number.prototype
+ || o === String.prototype) o = {};
+ if (o === Array.prototype) o = [];
+@@ -243,3 +243,7 @@
+ return /^[-+]?(?:\d+(?:\.\d*)?|\.\d+)(e[-+]?\d+)?$/.test(x);
+ }
+
++
++function isConstructorOrProto (obj, key) {
++ return key === 'constructor' && typeof obj[key] === 'function' || key === '__proto__';
++}
+--- a/test/parse.js
++++ b/test/parse.js
+@@ -195,3 +195,19 @@
+ t.same(argv.beep, { boop : true });
+ t.end();
+ });
++
++test('proto pollution (constructor function)', function (t) {
++ var argv = parse(['--_.concat.constructor.prototype.y', '123']);
++ function fnToBeTested() {}
++ t.equal(fnToBeTested.y, undefined);
++ t.equal(argv.y, undefined);
++ t.end();
++});
++
++// powered by snyk - https://github.com/backstage/backstage/issues/10343
++test('proto pollution (constructor function) snyk', function (t) {
++ var argv = parse('--_.constructor.constructor.prototype.foo bar'.split(' '));
++ t.equal((function(){}).foo, undefined);
++ t.equal(argv.y, undefined);
++ t.end();
++})
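Review bot: The second test added to test/parse.js asserts `t.equal(argv.y, undefined)` even though the argument it parses ends in `prototype.foo`, so that assertion looks copied from the first test and does not check the key this case sets up; `t.equal(argv.foo, undefined);` would (the `(function(){}).foo` assertion remains the one that actually detects pollution). In index.js, `isConstructorOrProto` relies on `&&` binding tighter than `||`; writing it as `return (key === 'constructor' && typeof obj[key] === 'function') || key === '__proto__';` makes the grouping explicit, and a short comment such as `// 'constructor' is normally inherited, so obj[key] is deliberately resolved through the prototype chain rather than as an own property` would record why this is not a hasOwnProperty check. Keeping the patch byte-identical to upstream PR 165 is a reasonable choice for a stable update, in which case these could go to upstream instead. The two guard replacements in setKey() are shown without the rest of the function, which starts and ends outside those inner hunks.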
diff --git a/debian/patches/series b/debian/patches/series
index 01db0e3..71e31e0 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,2 +1,3 @@
 nodejs.patch
 CVE-2020-7598.diff
+CVE-2021-44906.patch