On 20/07/2019 at 06:32, Paolo Greppi wrote:
> Package: node-mixin-deep
> Version: 1.1.3-3
> Severity: important
>
> Dear Maintainer,
>
> node-mixin-deep 1.1.3-3 is affected by a prototype pollution vulnerability:
> https://snyk.io/vuln/SNYK-JS-MIXINDEEP-450212
> https://github.com/jonschlinkert/mixin-deep/issues/6
>
> Please upgrade to either 1.3.2 or 2.0.1.
>
> Thanks, Paolo
Hello,

here is a proposed fix.

Cheers,
Xavier
diff --git a/debian/changelog b/debian/changelog index 17cb287..74f9154 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +node-mixin-deep (1.1.3-3+deb10u1) buster-security; urgency=medium + + * Fix prototype pollution (Closes: #932500, CVE-2019-10746) + + -- Xavier Guimard <y...@debian.org> Sat, 20 Jul 2019 17:41:17 +0200 + node-mixin-deep (1.1.3-3) unstable; urgency=medium * Team upload diff --git a/debian/patches/CVE-2019-10746.diff b/debian/patches/CVE-2019-10746.diff new file mode 100644 index 0000000..cc4b58a --- /dev/null +++ b/debian/patches/CVE-2019-10746.diff @@ -0,0 +1,41 @@ +Description: Fix for CVE-2019-10746 (prototype pollution) +Author: Jon Schlinkert (https://github.com/jonschlinkert) +Origin: upstream, https://github.com/jonschlinkert/mixin-deep/commit/90ee1fab +Bug: https://snyk.io/vuln/SNYK-JS-MIXINDEEP-450212 +Bug-Debian: https://bugs.debian.org/932500 +Forwarded: not-needed +Reviewed-By: Xavier Guimard <y...@debian.org> +Last-Update: 2019-07-20 + +--- a/index.js ++++ b/index.js +@@ -23,10 +23,9 @@ + */ + + function copy(val, key) { +- if (key === '__proto__') { ++ if (!isValidKey(key)) { + return; + } +- + var obj = this[key]; + if (isObject(val) && isObject(obj)) { + mixinDeep(obj, val); +@@ -47,6 +46,17 @@ + } + + /** ++ * Returns true if `key` is a valid key to use when extending objects. ++ * ++ * @param {String} `key` ++ * @return {Boolean} ++ */ ++ ++function isValidKey(key) { ++ return key !== '__proto__' && key !== 'constructor' && key !== 'prototype'; ++}; ++ ++/** + * Expose `mixinDeep` + */ + diff --git a/debian/patches/series b/debian/patches/series index 9b10403..da1c174 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -1 +1,2 @@ CVE-2018-3719.diff +CVE-2019-10746.diff
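Review bot: in the debian/changelog hunk, a buster-security upload for a CVE would conventionally carry `urgency=high` rather than `urgency=medium`; the entry itself (`1.1.3-3+deb10u1`, `Closes: #932500, CVE-2019-10746`) is otherwise consistent with the bug and the patch filename.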
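Review bot: in the debian/patches/CVE-2019-10746.diff hunk, the `isValidKey` check is the right shape for the recursion visible in `copy`: `obj = this[key]` followed by `mixinDeep(obj, val)` means that for a plain-object target `this['constructor']` is `Object` and its `'prototype'` is `Object.prototype`, so a `{"constructor": {"prototype": {...}}}` source reached `Object.prototype` through the old `key === '__proto__'` test; rejecting `constructor` and `prototype` as well closes that path. Two header nits: DEP-3's `Bug:` field is meant for the upstream tracker, so https://github.com/jonschlinkert/mixin-deep/issues/6 (cited in the report) fits better there than the Snyk URL, which could move into the Description; and the `};` after the `isValidKey` function declaration is a stray semicolon inherited from the upstream commit, harmless and fine to keep so the backport stays identical to `Origin`.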
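Review bot: in the debian/patches/series hunk, the ordering matters and is correct: the context line the new patch removes, `if (key === '__proto__') {`, presumably comes from CVE-2018-3719.diff rather than from the 1.1.3 tarball (upstream added that check after 1.1.3), so CVE-2019-10746.diff must stay listed after it, as it is; keeping the two CVE fixes as separate patch files rather than folding the new check into CVE-2018-3719.diff also keeps each change traceable to its advisory.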
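For anyone reviewing why the earlier `__proto__`-only guard was not enough, here is an added example; it is not code from the package or from mixin-deep upstream, but a minimal deep merge shaped like mixin-deep's `copy()`/`mixinDeep()` pair with the key filter made pluggable, so the pre-patch check and the post-patch `isValidKey()` can be run against the same constructed JSON payloads. The `isObject` helper, the `makeMixinDeep`/`pollutes`/`summary` functions and both payloads are assumptions made for the demonstration.

```javascript
'use strict';

// Added example, not mixin-deep's own code: a minimal deep merge shaped like
// mixin-deep's copy()/mixinDeep() pair, with the key filter made pluggable so
// the pre-patch check (reject only '__proto__') can be compared directly with
// the post-patch isValidKey(). Both payloads below are constructed.

// mixin-deep accepts functions as well as objects as merge targets (via the
// is-extendable package). The same holds here; it is what lets the recursion
// step from a plain object into its `constructor`, the Object function.
function isObject(val) {
  return val !== null && (typeof val === 'object' || typeof val === 'function');
}

// Pre-patch filter: the single comparison the patch removes.
function oldKeyCheck(key) {
  return key !== '__proto__';
}

// Post-patch filter: isValidKey() as introduced by the upstream commit.
function isValidKey(key) {
  return key !== '__proto__' && key !== 'constructor' && key !== 'prototype';
}

// Builds a mixinDeep() whose copy() step consults `keyFilter`.
function makeMixinDeep(keyFilter) {
  function copy(val, key) {
    if (!keyFilter(key)) return;
    const obj = this[key];
    if (isObject(val) && isObject(obj)) {
      mixinDeep(obj, val); // recurse into whatever this[key] already holds
    } else {
      this[key] = val;
    }
  }
  function mixinDeep(target, ...sources) {
    for (const source of sources) {
      if (!isObject(source)) continue;
      for (const key of Object.keys(source)) {
        copy.call(target, source[key], key);
      }
    }
    return target;
  }
  return mixinDeep;
}

// Constructed attacker inputs, parsed from JSON as a web handler would.
// JSON.parse creates "__proto__" as an ordinary own property, so it is
// enumerated by Object.keys() just like "constructor".
const PROTO_PAYLOAD = JSON.parse('{"__proto__": {"polluted": "yes"}}');
const CONSTRUCTOR_PAYLOAD = JSON.parse(
  '{"constructor": {"prototype": {"polluted": "yes"}}}'
);

// Merges `payload` into a fresh {} and reports whether Object.prototype
// gained an own `polluted` property. The property is always removed again
// so one run cannot contaminate the next.
function pollutes(keyFilter, payload) {
  try {
    makeMixinDeep(keyFilter)({}, payload);
    return Object.prototype.hasOwnProperty.call(Object.prototype, 'polluted');
  } finally {
    delete Object.prototype.polluted;
  }
}

// Old check: stops "__proto__" but walks {} -> Object -> Object.prototype
// through "constructor". New check: stops both.
function summary() {
  return {
    oldCheckStopsProto: !pollutes(oldKeyCheck, PROTO_PAYLOAD),
    oldCheckStopsConstructor: !pollutes(oldKeyCheck, CONSTRUCTOR_PAYLOAD),
    fixStopsProto: !pollutes(isValidKey, PROTO_PAYLOAD),
    fixStopsConstructor: !pollutes(isValidKey, CONSTRUCTOR_PAYLOAD),
  };
}

console.log(summary());
```

Running it prints `oldCheckStopsConstructor: false` and `true` for the other three, which is the gap the patch closes; the `finally` cleanup matters in any real test suite, since a leaked `Object.prototype.polluted` would make every later `{}` in the process carry the property.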
--
Pkg-javascript-devel mailing list
Pkg-javascript-devel@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel