Your message dated Sun, 01 Jan 2023 13:07:08 +0000
with message-id <e1pby3q-002gak...@fasolo.debian.org>
and subject line Bug#1027145: fixed in node-json5 2.2.3+dfsg-1
has caused the Debian Bug report #1027145,
regarding node-json5: CVE-2022-46175
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
1027145: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1027145
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: node-json5
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security
Hi,
The following vulnerability was published for node-json5.
CVE-2022-46175[0]:
| JSON5 is an extension to the popular JSON file format that aims to be
| easier to write and maintain by hand (e.g. for config files). The
| `parse` method of the JSON5 library before and including version
| `2.2.1` does not restrict parsing of keys named `__proto__`, allowing
| specially crafted strings to pollute the prototype of the resulting
| object. This vulnerability pollutes the prototype of the object
| returned by `JSON5.parse` and not the global Object prototype, which
| is the commonly understood definition of Prototype Pollution. However,
| polluting the prototype of a single object can have significant
| security impact for an application if the object is later used in
| trusted operations. This vulnerability could allow an attacker to set
| arbitrary and unexpected keys on the object returned from
| `JSON5.parse`. The actual impact will depend on how applications
| utilize the returned object and how they filter unwanted keys, but
| could include denial of service, cross-site scripting, elevation of
| privilege, and in extreme cases, remote code execution. `JSON5.parse`
| should restrict parsing of `__proto__` keys when parsing JSON strings
| to objects. As a point of reference, the `JSON.parse` method included
| in JavaScript ignores `__proto__` keys. Simply changing `JSON5.parse`
| to `JSON.parse` in the examples above mitigates this vulnerability.
| This vulnerability is patched in json5 version 2.2.2 and later.
https://github.com/json5/json5/security/advisories/GHSA-9c47-m6qq-7p4h
https://github.com/json5/json5/issues/199
https://github.com/json5/json5/issues/295
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2022-46175
https://www.cve.org/CVERecord?id=CVE-2022-46175
Please adjust the affected versions in the BTS as needed.
--- End Message ---
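The advisory above describes the mechanism but gives no check a consumer can run. As an added example (not code from the bug report or the json5 project), the block below models the plain-assignment pattern that lets a `__proto__` key replace the prototype of the object being built, the `Object.defineProperty` pattern that stores it as an ordinary own key, and a post-parse walk that an application still on an unpatched version can apply to whatever `JSON5.parse` returned. No JSON5 text is parsed here; the key/value pairs are constructed to stand in for the parser's output.

```javascript
// Constructed stand-in for the pairs a parser would emit for the JSON5
// input `{ name: 'svc', __proto__: { isAdmin: true } }` (assumption: the
// parser hands each key/value to an assignment step, as modelled below).
const PAIRS = [['name', 'svc'], ['__proto__', { isAdmin: true }]];

// Vulnerable pattern: `obj[key] = value` with key `__proto__` invokes the
// inherited setter, so the prototype is replaced instead of a key being added.
function buildNaive(pairs) {
  const obj = {};
  for (const [k, v] of pairs) obj[k] = v;
  return obj;
}

// Hardened pattern: defineProperty always creates an own data property, so
// `__proto__` is stored as an ordinary key and the prototype is untouched.
function buildSafe(pairs) {
  const obj = {};
  for (const [k, v] of pairs) {
    Object.defineProperty(obj, k, {
      value: v, writable: true, enumerable: true, configurable: true,
    });
  }
  return obj;
}

// Post-parse check: walk a parsed value and return the JSONPath-style
// locations of every object or array whose prototype is not the plain
// Object.prototype / Array.prototype (or null). An empty list means clean.
function findPollutedPaths(value, path = '$', out = []) {
  if (value === null || typeof value !== 'object') return out;
  const proto = Object.getPrototypeOf(value);
  const expected = Array.isArray(value) ? Array.prototype : Object.prototype;
  if (proto !== expected && proto !== null) out.push(path);
  for (const k of Object.keys(value)) {
    const child = Array.isArray(value) ? `${path}[${k}]` : `${path}.${k}`;
    findPollutedPaths(value[k], child, out);
  }
  return out;
}

// Remediation for an already-parsed result: reset every polluted prototype.
function resetPrototypes(value) {
  for (const p of findPollutedPaths(value)) {
    // Paths are only reported for plain objects/arrays, so resolve and reset.
    const target = p === '$' ? value : p.slice(2).split(/\.|\[|\]/).filter(Boolean)
      .reduce((o, k) => o[k], value);
    Object.setPrototypeOf(target, Array.isArray(target) ? Array.prototype : Object.prototype);
  }
  return value;
}
```

On the naive build `obj.isAdmin` reads `true` through the replaced prototype even though it is not an own key, which is exactly the unexpected-key condition the advisory warns about; the walk reports `$` for it and nothing for the safe build.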
--- Begin Message ---
Source: node-json5
Source-Version: 2.2.3+dfsg-1
Done: Yadd <y...@debian.org>
We believe that the bug you reported is fixed in the latest version of
node-json5, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1027...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Yadd <y...@debian.org> (supplier of updated node-json5 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
Format: 1.8
Date: Sun, 01 Jan 2023 16:28:09 +0400
Source: node-json5
Architecture: source
Version: 2.2.3+dfsg-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Javascript Maintainers <pkg-javascript-de...@lists.alioth.debian.org>
Changed-By: Yadd <y...@debian.org>
Closes: 1027145
Changes:
node-json5 (2.2.3+dfsg-1) unstable; urgency=medium
.
* Team upload
* Set upstream metadata fields: Bug-Database, Bug-Submit, Repository-Browse
* Update standards version to 4.6.2, no changes needed
* New upstream version (Closes: #1027145, CVE-2022-46175)
--- End Message ---
--
Pkg-javascript-devel mailing list
Pkg-javascript-devel@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel