Package: release.debian.org Severity: normal Tags: bullseye User: release.debian....@packages.debian.org Usertags: pu
[ Reason ] node-xmldom is vulnerable to prototype pollution [ Impact ] Medium security issue [ Tests ] No new test, current tests passed with a snapshot update (`jest -u`) [ Risks ] Low risk, patch is trivial [ Checklist ] [X] *all* changes are documented in the d/changelog [X] I reviewed all changes and I approve them [X] attach debdiff against the package in (old)stable [X] the issue is verified as fixed in unstable [ Changes ] Add checks to avoid prototype pollution. Also update snapshots during test (`jest -u`) Cheers, Yadd
diff --git a/debian/changelog b/debian/changelog
index 41abbd3..e486812 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+node-xmldom (0.5.0-1+deb11u1) bullseye; urgency=medium
+
+ * Team upload
+ * Fix prototype pollution (Closes: #1021618, CVE-2022-37616)
+
+ -- Yadd <y...@debian.org> Wed, 12 Oct 2022 09:11:06 +0200
+
 node-xmldom (0.5.0-1) unstable; urgency=medium
 
  * Team upload
diff --git a/debian/patches/CVE-2022-37616.patch b/debian/patches/CVE-2022-37616.patch
new file mode 100644
index 0000000..4bf06b6
--- /dev/null
+++ b/debian/patches/CVE-2022-37616.patch
@@ -0,0 +1,80 @@
+Description: Avoid iterating over prototype properties
+Author: Christian Bewernitz <co...@karfau.de>
+Origin: upstream, https://github.com/xmldom/xmldom/commit/7c0d4b7f
+Bug: https://github.com/xmldom/xmldom/issues/436
+Bug-Debian: https://bugs.debian.org/1021618
+Forwarded: not-needed
+Reviewed-By: Yadd <y...@debian.org>
+Last-Update: 2022-10-12
+
+--- a/lib/dom.js
++++ b/lib/dom.js
+@@ -1,6 +1,8 @@
+ function copy(src,dest){
+ for(var p in src){
++ if (Object.prototype.hasOwnProperty.call(src, p)) {
+ dest[p] = src[p];
++ }
+ }
+ }
+ /**
+@@ -371,7 +373,7 @@
+ //console.dir(map)
+ if(map){
+ for(var n in map){
+- if(map[n] == namespaceURI){
++ if(Object.prototype.hasOwnProperty.call(map, n) && map[n] == namespaceURI){
+ return n;
+ }
+ }
+@@ -387,7 +389,7 @@
+ var map = el._nsMap;
+ //console.dir(map)
+ if(map){
+- if(prefix in map){
++ if(Object.prototype.hasOwnProperty.call(map, prefix)){
+ return map[prefix] ;
+ }
+ }
+@@ -1170,12 +1172,14 @@
+ function cloneNode(doc,node,deep){
+ var node2 = new node.constructor();
+ for(var n in node){
++ if (Object.prototype.hasOwnProperty.call(node, n)) {
+ var v = node[n];
+ if(typeof v != 'object' ){
+ if(v != node2[n]){
+ node2[n] = v;
+ }
+ }
++ }
+ }
+ if(node.childNodes){
+ node2.childNodes = new NodeList();
+--- a/lib/sax.js
++++ b/lib/sax.js
+@@ -137,6 +137,7 @@
+ domBuilder.endElement(config.uri,config.localName,tagName);
+ if(localNSMap){
+ for(var prefix in localNSMap){
++ if (Object.prototype.hasOwnProperty.call(localNSMap, prefix))
+ domBuilder.endPrefixMapping(prefix) ;
+ }
+ }
+@@ -475,6 +476,7 @@
+ domBuilder.endElement(ns,localName,tagName);
+ if(localNSMap){
+ for(prefix in localNSMap){
++ if (Object.prototype.hasOwnProperty.call(localNSMap, prefix))
+ domBuilder.endPrefixMapping(prefix)
+ }
+ }
+@@ -522,7 +524,7 @@
+ //}
+ }
+ function _copy(source,target){
+- for(var n in source){target[n] = source[n]}
++ for(var n in source){if (Object.prototype.hasOwnProperty.call(source, n)) target[n] = source[n]}
+ }
+ function parseDCC(source,start,domBuilder,errorHandler){//sure start with '<!'
+ var next= source.charAt(start+2)
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 0000000..8f56e74
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1 @@
+CVE-2022-37616.patch
diff --git a/debian/tests/pkg-js/test b/debian/tests/pkg-js/test
index 12fbf82..aab41f7 100644
--- a/debian/tests/pkg-js/test
+++ b/debian/tests/pkg-js/test
@@ -1,2 +1,2 @@
 # Text that require xmltest are disabled: xmltest contains a non free file
-jest --ci --testRegex `find test/ -name '*.test.js'|grep -v -f debian/tests/test_exclude`
+jest -u --ci --testRegex `find test/ -name '*.test.js'|grep -v -f debian/tests/test_exclude`
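Review bot: The own-property guards added before `domBuilder.endPrefixMapping(prefix)` in both lib/sax.js hunks (`@@ -137` and `@@ -475`) are brace-less single-statement `if`s, whereas the same patch uses a braced block for the guards in lib/dom.js `copy` and `cloneNode`; any statement later added under either sax.js guard would land outside the check. Suggest `if (Object.prototype.hasOwnProperty.call(localNSMap, prefix)) { domBuilder.endPrefixMapping(prefix); }` in both places, and splitting the one-line `_copy` loop in `@@ -522` onto separate lines for the same reason. Note also that an own-property filter keeps inherited keys from being read but does not stop an own key literally named `__proto__` from reaching `dest[p] = src[p]` in `copy` or `target[n] = source[n]` in `_copy`, where the assignment goes through the inherited `__proto__` setter instead of creating a data property; whether `src`/`source` can ever carry parser-derived key names is not visible here, so it is worth confirming before treating the guard as the complete mitigation. The functions containing the `@@ -371`, `@@ -387` and `@@ -1170` changes start or end outside the quoted context.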
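Review bot: Adding `-u` to the autopkgtest command in debian/tests/pkg-js/test makes jest overwrite any snapshot that no longer matches instead of failing on it, so the snapshot assertions stop detecting regressions, including any introduced by the CVE-2022-37616 change this upload carries. The description says the snapshots only needed a one-time refresh; regenerating them once and shipping the refreshed snapshot files with the package (a debian/patches entry would do) keeps `jest --ci --testRegex ...` as a real check. If the mismatch is environment-dependent and cannot be pinned, the changelog should state that the snapshot comparison is effectively disabled in the packaged test.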