--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: buster-pu: package node-minimist/1.2.0-1+deb10u2
- From: Yadd <yadd@debian.org>
- Date: Wed, 23 Mar 2022 12:45:14 +0100
- Message-id: <164803591426.1204804.13942549735583871350.reportbug@debian007.xnr.fr>
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu
[ Reason ]
node-minimist is vulnerable to a prototype pollution not totally fixed
by CVE-2020-7598 patch (pushed in 1.2.5-1 and 1.2.0-1+deb10u1)
[ Impact ]
Medium vulnerability
[ Tests ]
Test updated by upstream, passed localy (sadly not enabled in buster)
[ Risks ]
Low risk, patch is trivial
[ Checklist ]
[X] *all* changes are documented in the d/changelog
[X] I reviewed all changes and I approve them
[X] attach debdiff against the package in (old)stable
[X] the issue is verified as fixed in unstable
[ Changes ]
Better object check
Cheers,
Yadd
diff --git a/debian/changelog b/debian/changelog
index 327fcb5..5d1f9d5 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+node-minimist (1.2.0-1+deb10u2) buster; urgency=medium
+
+ * Fix prototype pollution (Closes: CVE-2021-44906)
+
+ -- Yadd <yadd@debian.org> Wed, 23 Mar 2022 12:42:36 +0100
+
node-minimist (1.2.0-1+deb10u1) buster; urgency=medium
* Team upload
diff --git a/debian/patches/CVE-2021-44906.patch b/debian/patches/CVE-2021-44906.patch
new file mode 100644
index 0000000..8f26607
--- /dev/null
+++ b/debian/patches/CVE-2021-44906.patch
@@ -0,0 +1,59 @@
+Description: Fix for prototype pollution
+ The initial fix for prototype pollution (cf. SNYK-JS-MINIMIST-559764) in
+ setKey() was insufficient.
+Author: Yadd <yadd@debian.org>
+Origin: upstream, https://github.com/substack/minimist/pull/165
+Bug: https://github.com/substack/minimist/issues/164
+Forwarded: not-needed
+Last-Update: 2022-03-23
+
+--- a/index.js
++++ b/index.js
+@@ -70,7 +70,7 @@
+ var o = obj;
+ for (var i = 0; i < keys.length-1; i++) {
+ var key = keys[i];
+- if (key === '__proto__') return;
++ if (isConstructorOrProto(o, key)) return;
+ if (o[key] === undefined) o[key] = {};
+ if (o[key] === Object.prototype || o[key] === Number.prototype
+ || o[key] === String.prototype) o[key] = {};
+@@ -79,7 +79,7 @@
+ }
+
+ var key = keys[keys.length - 1];
+- if (key === '__proto__') return;
++ if (isConstructorOrProto(o, key)) return;
+ if (o === Object.prototype || o === Number.prototype
+ || o === String.prototype) o = {};
+ if (o === Array.prototype) o = [];
+@@ -243,3 +243,7 @@
+ return /^[-+]?(?:\d+(?:\.\d*)?|\.\d+)(e[-+]?\d+)?$/.test(x);
+ }
+
++
++function isConstructorOrProto (obj, key) {
++ return key === 'constructor' && typeof obj[key] === 'function' || key === '__proto__';
++}
+--- a/test/parse.js
++++ b/test/parse.js
+@@ -195,3 +195,19 @@
+ t.same(argv.beep, { boop : true });
+ t.end();
+ });
++
++test('proto pollution (constructor function)', function (t) {
++ var argv = parse(['--_.concat.constructor.prototype.y', '123']);
++ function fnToBeTested() {}
++ t.equal(fnToBeTested.y, undefined);
++ t.equal(argv.y, undefined);
++ t.end();
++});
++
++// powered by snyk - https://github.com/backstage/backstage/issues/10343
++test('proto pollution (constructor function) snyk', function (t) {
++ var argv = parse('--_.constructor.constructor.prototype.foo bar'.split(' '));
++ t.equal((function(){}).foo, undefined);
++ t.equal(argv.y, undefined);
++ t.end();
++})
diff --git a/debian/patches/series b/debian/patches/series
index 01db0e3..71e31e0 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,2 +1,3 @@
nodejs.patch
CVE-2020-7598.diff
+CVE-2021-44906.patch
--- End Message ---