Your message dated Sat, 09 May 2020 11:53:52 +0100
with message-id <fd7fa4d56896c35aab49a5a51cb69727dc60e87a.camel@adam-barratt.org.uk>
and subject line Closing requests included in 10.4 point release
has caused the Debian Bug report #954398,
regarding buster-pu: package node-dot/1.1.1-1+deb10u1
to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact owner@bugs.debian.org immediately.)

--
954398: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=954398
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: buster-pu: package node-dot/1.1.1-1+deb10u1
- From: Xavier Guimard <yadd@debian.org>
- Date: Sat, 21 Mar 2020 09:29:04 +0100
- Message-id: <158477934485.4060413.16287113308644770.reportbug@deb007.xnr.fr>
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu

Hi,

node-dot ≤ 1.1.2 is vulnerable to code execution after prototype pollution. I imported the upstream fix and wrote a basic test to verify that the CVE is really fixed.

Cheers,
Xavier

diff --git a/debian/changelog b/debian/changelog index 6b07063..9face10 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,11 @@ +node-dot (1.1.1-1+deb10u1) buster; urgency=medium + + * Team upload + * Add CVE-2020-8141 test + * Prevent code execution after prototype pollution (Closes: CVE-2020-8141) + + -- Xavier Guimard <yadd@debian.org> Sat, 21 Mar 2020 09:23:57 +0100 + node-dot (1.1.1-1) unstable; urgency=low * Initial release (Closes: #862235) diff --git a/debian/patches/CVE-2020-8141.diff b/debian/patches/CVE-2020-8141.diff new file mode 100644 index 0000000..f1ceb77 --- /dev/null +++ b/debian/patches/CVE-2020-8141.diff @@ -0,0 +1,21 @@ +Description: fix for CVE-2020-8141 + prevent possibility of execution of the code injected via prototype pollution + when undefined is passed to compiled template function +Author: Evgeny Poberezkin +Origin: upstream, https://github.com/olado/doT/commit/2cf222683 +Bug: https://github.com/olado/doT/issues/291 +Forwarded: not-needed +Reviewed-By: Xavier Guimard <yadd@debian.org> +Last-Update: 2020-03-21 + +--- a/index.js ++++ b/index.js +@@ -42,7 +42,7 @@ + if (this.__destination[this.__destination.length-1] !== '/') this.__destination += '/'; + this.__global = o.global || "window.render"; + this.__rendermodule = o.rendermodule || {}; +- this.__settings = o.templateSettings ? copy(o.templateSettings, copy(doT.templateSettings)) : undefined; ++ this.__settings = Object.prototype.hasOwnProperty.call(o,"templateSettings") ? copy(o.templateSettings, copy(doT.templateSettings)) : undefined; + this.__includes = {}; + } + diff --git a/debian/patches/series b/debian/patches/series index a2a471b..4216fcb 100644 
--- a/debian/patches/series +++ b/debian/patches/series @@ -1 +1,2 @@ use-nodejs.patch +CVE-2020-8141.diff diff --git a/debian/rules b/debian/rules index fd7ead0..7af6067 100755 --- a/debian/rules +++ b/debian/rules @@ -11,3 +11,7 @@ override_dh_auto_test: mocha -R spec test/*.test.js + mkdir node_modules + ln -s .. node_modules/dot + sh -ex debian/tests/cve-2020-8141 + rm -rf node_modules diff --git a/debian/tests/control b/debian/tests/control index ac27cb1..362b343 100644 --- a/debian/tests/control +++ b/debian/tests/control @@ -3,3 +3,6 @@ Depends: node-dot Test-Command: mocha -R spec test/*.test.js Depends: @, mocha + +Tests: cve-2020-8141 +Depends: @, nodejs diff --git a/debian/tests/cve-2020-8141 b/debian/tests/cve-2020-8141 new file mode 100755 index 0000000..0a0b214 --- /dev/null +++ b/debian/tests/cve-2020-8141 @@ -0,0 +1,9 @@ +#!/bin/sh + +cd debian/tests +if node ./cve-2020-8141.js | grep 25; then + echo "node-dot is vulnerable to CVE 2020-8141" + exit 1 +else + echo "node-dot seems patched" +fi diff --git a/debian/tests/cve-2020-8141.js b/debian/tests/cve-2020-8141.js new file mode 100644 index 0000000..94f3639 --- /dev/null +++ b/debian/tests/cve-2020-8141.js @@ -0,0 +1,3 @@ +var doT = require("dot"); // prototype pollution attack vector +Object.prototype.templateSettings = {varname:"a,b,c,d,x=console.log(25)"}; // benign looking template compilation + application +var dots = require("dot").process({path: "./resources"}); dots.mytemplate(); diff --git a/debian/tests/resources/mytemplate.dot b/debian/tests/resources/mytemplate.dot new file mode 100644 index 0000000..75e06f7 --- /dev/null +++ b/debian/tests/resources/mytemplate.dot @@ -0,0 +1 @@ +html <h1>Here is a sample template</h1>
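Review bot: In the debian/changelog hunk, `(Closes: CVE-2020-8141)` puts a CVE id in a `Closes:` field, which is parsed for Debian bug numbers (as in the `Closes: #862235` entry just below), so it closes nothing. Suggest naming the CVE in the entry text instead, and adding `Closes: #NNNNNN` only if a Debian bug tracks the issue.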
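Review bot: In the index.js hunk of debian/patches/CVE-2020-8141.diff, only `templateSettings` gets an own-property check; the two context lines directly above it, `o.global || "window.render"` and `o.rendermodule || {}`, still read through the prototype chain, so a value placed on Object.prototype under either name would be picked up the same way the old `o.templateSettings` lookup was. Worth confirming with upstream whether those two fields need the same `Object.prototype.hasOwnProperty.call(o, ...)` guard, and stating in the patch Description that the fix covers `templateSettings` only.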
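Review bot: In the override_dh_auto_test hunk of debian/rules, `rm -rf node_modules` is only reached when `sh -ex debian/tests/cve-2020-8141` succeeds; on a failing test make stops first, leaves `node_modules/dot` in the tree, and the bare `mkdir node_modules` then fails on the next build in the same directory. Suggest `mkdir -p node_modules` and `ln -sf`, and making cleanup independent of the test result, for example by listing `node_modules` in debian/clean.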
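Review bot: In debian/tests/cve-2020-8141, the condition `if node ./cve-2020-8141.js | grep 25` prints "node-dot seems patched" whenever "25" is missing from stdout, and that includes node failing for an unrelated reason (module `dot` not resolved, `./resources` missing, an exception before the template is rendered). The pipeline's status is grep's, and the `-e` from `sh -ex` in debian/rules has no effect inside an `if` condition, so a broken test setup passes silently; when run through the new `Tests: cve-2020-8141` stanza there is no `-e` at all, so a failed `cd debian/tests` is not caught either. Suggest capturing node's output and exit status separately, treating a non-zero exit as a failure distinct from "vulnerable", and matching the marker exactly with `grep -qx 25` so other output containing 25 cannot flip the result.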
--- End Message ---
--- Begin Message ---
- To: 932251-done@bugs.debian.org, 933839-done@bugs.debian.org, 939120-done@bugs.debian.org, 942520-done@bugs.debian.org, 943889-done@bugs.debian.org, 947102-done@bugs.debian.org, 947142-done@bugs.debian.org, 947172-done@bugs.debian.org, 947442-done@bugs.debian.org, 948333-done@bugs.debian.org, 948381-done@bugs.debian.org, 948786-done@bugs.debian.org, 948855-done@bugs.debian.org, 949113-done@bugs.debian.org, 949702-done@bugs.debian.org, 949890-done@bugs.debian.org, 949891-done@bugs.debian.org, 949897-done@bugs.debian.org, 949921-done@bugs.debian.org, 950104-done@bugs.debian.org, 950105-done@bugs.debian.org, 950478-done@bugs.debian.org, 950546-done@bugs.debian.org, 950547-done@bugs.debian.org, 950655-done@bugs.debian.org, 950765-done@bugs.debian.org, 950773-done@bugs.debian.org, 950795-done@bugs.debian.org, 950854-done@bugs.debian.org, 950918-done@bugs.debian.org, 951146-done@bugs.debian.org, 951399-done@bugs.debian.org, 951563-done@bugs.debian.org, 951761-done@bugs.debian.org, 951769-done@bugs.debian.org, 951871-done@bugs.debian.org, 952414-done@bugs.debian.org, 952441-done@bugs.debian.org, 952586-done@bugs.debian.org, 952785-done@bugs.debian.org, 953005-done@bugs.debian.org, 953124-done@bugs.debian.org, 953246-done@bugs.debian.org, 953647-done@bugs.debian.org, 953737-done@bugs.debian.org, 953797-done@bugs.debian.org, 954001-done@bugs.debian.org, 954073-done@bugs.debian.org, 954269-done@bugs.debian.org, 954398-done@bugs.debian.org, 954404-done@bugs.debian.org, 954714-done@bugs.debian.org, 954757-done@bugs.debian.org, 954835-done@bugs.debian.org, 954838-done@bugs.debian.org, 954862-done@bugs.debian.org, 954985-done@bugs.debian.org, 955395-done@bugs.debian.org, 955410-done@bugs.debian.org, 955508-done@bugs.debian.org, 955509-done@bugs.debian.org, 955510-done@bugs.debian.org, 955547-done@bugs.debian.org, 955860-done@bugs.debian.org, 956155-done@bugs.debian.org, 956216-done@bugs.debian.org, 956315-done@bugs.debian.org, 956533-done@bugs.debian.org, 
956535-done@bugs.debian.org, 956536-done@bugs.debian.org, 956801-done@bugs.debian.org, 956861-done@bugs.debian.org, 956890-done@bugs.debian.org, 956913-done@bugs.debian.org, 956932-done@bugs.debian.org, 958053-done@bugs.debian.org, 958141-done@bugs.debian.org, 958173-done@bugs.debian.org, 958395-done@bugs.debian.org, 958399-done@bugs.debian.org, 958489-done@bugs.debian.org, 958490-done@bugs.debian.org, 958568-done@bugs.debian.org, 958714-done@bugs.debian.org, 958716-done@bugs.debian.org, 958814-done@bugs.debian.org, 958887-done@bugs.debian.org, 958916-done@bugs.debian.org, 958931-done@bugs.debian.org, 958969-done@bugs.debian.org, 958994-done@bugs.debian.org, 959081-done@bugs.debian.org, 959101-done@bugs.debian.org, 959224-done@bugs.debian.org, 959431-done@bugs.debian.org, 959489-done@bugs.debian.org, 948191-done@bugs.debian.org
- Subject: Closing requests included in 10.4 point release
- From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
- Date: Sat, 09 May 2020 11:53:52 +0100
- Message-id: <fd7fa4d56896c35aab49a5a51cb69727dc60e87a.camel@adam-barratt.org.uk>
Package: release.debian.org
Version: 10.4

Hi,

Each of the uploads referred to by these bugs was included in today's stable point release.

Regards,

Adam
--- End Message ---