Package: release.debian.org Severity: normal Tags: bookworm X-Debbugs-Cc: node-dompur...@packages.debian.org, y...@debian.org Control: affects -1 + src:node-dompurify User: release.debian....@packages.debian.org Usertags: pu
[ Reason ] node-dompurify is vulnerable to prototype pollutions. Note that CVE-2024-45801 came with the previous security fix pushed to Bookworm via security update (regression). [ Impact ] Low security issue [ Tests ] No tests in Bookworm for this package [ Risks ] Low risk, patch is trivial [ Checklist ] [X] *all* changes are documented in the d/changelog [X] I reviewed all changes and I approve them [X] attach debdiff against the package in (old)stable [X] the issue is verified as fixed in unstable [ Changes ] Just some additional checks Best regards, Yadd
diff --git a/debian/changelog b/debian/changelog
index 02c7a01..e9a5528 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+node-dompurify (2.4.1+dfsg+~2.4.0-2+deb12u1) bookworm; urgency=medium
+
+ * Fix prototype pollutions (Closes: CVE-2024-45801, CVE-2024-48910)
+
+ -- Yadd <y...@debian.org> Sat, 02 Nov 2024 07:15:24 +0100
+
 node-dompurify (2.4.1+dfsg+~2.4.0-2) bookworm-security; urgency=medium
 * Team upload
diff --git a/debian/patches/CVE-2024-45801.patch b/debian/patches/CVE-2024-45801.patch
new file mode 100644
index 0000000..3aa90c4
--- /dev/null
+++ b/debian/patches/CVE-2024-45801.patch
@@ -0,0 +1,74 @@
+Description: fix prototype pollution
+ Regression introduced into 2.4.1+dfsg+~2.4.0-2
+Author: Mario Heiderich <ma...@cure53.de>
+Origin: upstream, https://github.com/cure53/DOMPurify/commit/26e1d69c
+Bug: https://github.com/cure53/DOMPurify/security/advisories/GHSA-mmhx-hmjr-r674
+Forwarded: not-needed
+Applied-Upstream: 2.5.1, https://github.com/cure53/DOMPurify/commit/26e1d69c
+Reviewed-By: Yadd <y...@debian.org>
+Last-Update: 2024-10-30
+
+--- a/src/purify.js
++++ b/src/purify.js
+@@ -14,6 +14,7 @@
+ stringToString,
+ stringIndexOf,
+ stringTrim,
++ numberIsNaN,
+ regExpTest,
+ typeErrorCreate,
+ lookupGetter,
+@@ -1484,8 +1485,14 @@
+ }
+ }
+
+- /* Remove first element node (ours) if FORCE_BODY is set */
+- if (body && FORCE_BODY) {
++ /*
++ * Remove an element if nested too deeply to avoid mXSS
++ * or if the __depth might have been tampered with
++ */
++ if (
++ shadowNode.__depth >= MAX_NESTING_DEPTH ||
++ numberIsNaN(shadowNode.__depth)
++ ) {
+ _forceRemove(body.firstChild);
+ }
+
+@@ -1520,8 +1527,14 @@
+ }
+ }
+
+- /* Remove an element if nested too deeply to avoid mXSS */
+- if (currentNode.__depth >= MAX_NESTING_DEPTH) {
++ /*
++ * Remove an element if nested too deeply to avoid mXSS
++ * or if the __depth might have been tampered with
++ */
++ if (
++ currentNode.__depth >= MAX_NESTING_DEPTH ||
++ numberIsNaN(currentNode.__depth)
++ ) {
+ _forceRemove(currentNode);
+ }
+
+--- a/src/utils.js
++++ b/src/utils.js
+@@ -50,6 +50,8 @@
+
+ const typeErrorCreate = unconstruct(TypeError);
+
++const numberIsNaN = unapply(Number.isNaN);
++
+ export function unapply(func) {
+ return (thisArg, ...args) => apply(func, thisArg, args);
+ }
+@@ -155,6 +157,8 @@
+ stringToLowerCase,
+ stringToString,
+ stringTrim,
++ // Number
++ numberIsNaN,
+ // Errors
+ typeErrorCreate,
+ // Other
diff --git a/debian/patches/CVE-2024-48910.patch b/debian/patches/CVE-2024-48910.patch
new file mode 100644
index 0000000..41ccf65
--- /dev/null
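Review bot: The first purify.js hunk of CVE-2024-45801.patch (`@@ -1484,8 +1485,14 @@`) drops the `if (body && FORCE_BODY) {` guard and replaces it with a condition on `shadowNode.__depth`, while the retained statement is still `_forceRemove(body.firstChild);`; `shadowNode` is not a name this hunk introduces, so unless the Bookworm tree declares it in the scope enclosing that block, the rewritten condition would throw a ReferenceError on every sanitize() call, and in any case the FORCE_BODY handling is silently lost. The upstream commit named in the Origin line presumably guards `_forceRemove(shadowNode)` in the shadow-DOM walk rather than the FORCE_BODY block, so this hunk looks like it landed on the wrong context during the backport and should be re-targeted there with the FORCE_BODY block left intact; the second hunk (`@@ -1520,8 +1527,14 @@`) is consistent with its own context. Since the report states that no tests run for this package in Bookworm, a minimal autopkgtest that calls `DOMPurify.sanitize()` on a small fragment with `FORCE_BODY` both set and unset would catch a mis-applied hunk like this before upload.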
+++ b/debian/patches/CVE-2024-48910.patch
@@ -0,0 +1,20 @@
+Description: fix prototype pollution
+Author: Mario Heiderich <ma...@cure53.de>
+Origin: upstream, https://github.com/cure53/DOMPurify/commit/d1dd0374
+Bug: https://github.com/cure53/DOMPurify/security/advisories/GHSA-p3vf-v8qc-cwcr
+Forwarded: not-needed
+Applied-Upstream: 2.4.2
+Reviewed-By: Yadd <y...@debian.org>
+Last-Update: 2024-11-02
+
+--- a/src/utils.js
++++ b/src/utils.js
+@@ -97,7 +97,7 @@
+
+ let property;
+ for (property in object) {
+- if (apply(hasOwnProperty, object, [property])) {
++ if (apply(hasOwnProperty, object, [property]) === true) {
+ newObject[property] = object[property];
+ }
+ }
diff --git a/debian/patches/series b/debian/patches/series
index d5a92ec..5e38c3a 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1 +1,3 @@
 CVE-2024-47875.patch
+CVE-2024-45801.patch
+CVE-2024-48910.patch