Bug#939897: stretch-pu: package node-mixin-deep/1.1.3-1+deb9u1
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian.org@packages.debian.org
Usertags: pu
Hi,
since stretch and buster have the same node-mixin-deep, I added here the
same security patches than pushed in buster.
Cheers,
Xavier
diff --git a/debian/changelog b/debian/changelog
index 2e47d2e..dca07c9 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+node-mixin-deep (1.1.3-1+deb9u1) stretch; urgency=medium
+
+ * Team upload
+ * Fix prototype polution (Closes: #898315, CVE-2018-3719)
+ * Fix prototype pollution (Closes: #932500, CVE-2019-10746)
+
+ -- Xavier Guimard <yadd@debian.org> Mon, 09 Sep 2019 22:16:03 +0200
+
node-mixin-deep (1.1.3-1) unstable; urgency=low
* Initial release (Closes: #842329)
diff --git a/debian/patches/CVE-2018-3719.diff b/debian/patches/CVE-2018-3719.diff
new file mode 100644
index 0000000..868f5bb
--- /dev/null
+++ b/debian/patches/CVE-2018-3719.diff
@@ -0,0 +1,22 @@
+Description: Fix prototype pollution (CVE-2018-3719)
+Author: Jon Schlinkert <https://github.com/jonschlinkert>
+Origin: upstream, https://github.com/jonschlinkert/mixin-deep/commit/578b0bc5e74e14de9ef4975f504dc698796bdf9c
+Bug: https://www.npmjs.com/advisories/578
+Bug-Debian: https://bugs.debian.org/898315
+Forwarded: not-needed
+Reviewed-By: Xavier Guimard <yadd@debian.org>
+Last-Update: 2019-04-21
+
+--- a/index.js
++++ b/index.js
+@@ -23,6 +23,10 @@
+ */
+
+ function copy(val, key) {
++ if (key === '__proto__') {
++ return;
++ }
++
+ var obj = this[key];
+ if (isObject(val) && isObject(obj)) {
+ mixinDeep(obj, val);
diff --git a/debian/patches/CVE-2019-10746.diff b/debian/patches/CVE-2019-10746.diff
new file mode 100644
index 0000000..cc4b58a
--- /dev/null
+++ b/debian/patches/CVE-2019-10746.diff
@@ -0,0 +1,41 @@
+Description: Fix for CVE-2019-10746 (prototype pollution)
+Author: Jon Schlinkert (https://github.com/jonschlinkert)
+Origin: upstream, https://github.com/jonschlinkert/mixin-deep/commit/90ee1fab
+Bug: https://snyk.io/vuln/SNYK-JS-MIXINDEEP-450212
+Bug-Debian: https://bugs.debian.org/932500
+Forwarded: not-needed
+Reviewed-By: Xavier Guimard <yadd@debian.org>
+Last-Update: 2019-07-20
+
+--- a/index.js
++++ b/index.js
+@@ -23,10 +23,9 @@
+ */
+
+ function copy(val, key) {
+- if (key === '__proto__') {
++ if (!isValidKey(key)) {
+ return;
+ }
+-
+ var obj = this[key];
+ if (isObject(val) && isObject(obj)) {
+ mixinDeep(obj, val);
+@@ -47,6 +46,17 @@
+ }
+
+ /**
++ * Returns true if `key` is a valid key to use when extending objects.
++ *
++ * @param {String} `key`
++ * @return {Boolean}
++ */
++
++function isValidKey(key) {
++ return key !== '__proto__' && key !== 'constructor' && key !== 'prototype';
++};
++
++/**
+ * Expose `mixinDeep`
+ */
+
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 0000000..da1c174
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1,2 @@
+CVE-2018-3719.diff
+CVE-2019-10746.diff
Reply to: