
Bug#926650: marked as done (unblock: node-deep-extend/0.4.1-2)



Your message dated Mon, 08 Apr 2019 14:33:51 +0000
with message-id <E1hDVLL-00051l-S4@respighi.debian.org>
and subject line unblock node-deep-extend
has caused the Debian Bug report #926650,
regarding unblock: node-deep-extend/0.4.1-2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
926650: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=926650
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package node-deep-extend

Hi all,

node-deep-extend is vulnerable to CVE-2018-3750 [1]. This vulnerability
has been tagged as unimportant; however, the patch is simple and the package is
outdated (VCS fields, bad section, bad copyright years) and upstream tests
were not enabled. I fixed this in version 0.4.1-2. Here are the full changes:

  * Add patch to prevent Object prototype pollution
    (Closes: #926616, CVE-2018-3750)
  * Enable upstream tests using pkg-js-tools
  * Fix VCS fields
  * Fix debian/copyright years
  * Add upstream/metadata
  * Change section to javascript

node-deep-extend has no build reverse dependencies.

Reverse dependencies:
  node-rc
    node-registry-url & node-registry-auth-token
      node-package-json
        node-latest-version
          npm
          npm2deb
    node-pre-gyp
      node-sqlite3
        node-mbtiles
        node-tilejson
        node-millstone
      node-zipfile
        node-millstone
      node-mapnik
        node-tilelive-bridge
        node-tilelive-vector
        node-tilelive-mapnik
      node-opencv

Since the patch seems to have no consequences on normal node-deep-extend
usage, I think it is low risk to unblock node-deep-extend.
The patch comes from
https://github.com/unclechu/node-deep-extend/commit/9423fae877e2ab6b4aecc4db79a0ed63039d4703
(I just took the useful part of it).

Cheers,
Xavier

[1]: https://security-tracker.debian.org/tracker/CVE-2018-3750

unblock node-deep-extend/0.4.1-2

-- System Information:
Debian Release: buster/sid
  APT prefers testing
  APT policy: (600, 'testing'), (50, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.14.0-3-amd64 (SMP w/2 CPU cores)
Kernel taint flags: TAINT_WARN
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE= (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
diff --git a/debian/changelog b/debian/changelog
index 5b0e688..e4e0c2e 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,6 +1,18 @@
+node-deep-extend (0.4.1-2) unstable; urgency=medium
+
+  * Team upload
+  * Add patch to prevent Object prototype pollution
+    (Closes: #926616, CVE-2018-3750)
+  * Enable upstream tests using pkg-js-tools
+  * Fix VCS fields
+  * Fix debian/copyright years
+  * Add upstream/metadata
+  * Change section to javascript
+
+ -- Xavier Guimard <yadd@debian.org>  Mon, 08 Apr 2019 14:52:06 +0200
+
 node-deep-extend (0.4.1-1) unstable; urgency=medium
 
-  * Initial release 
+  * Initial release
 
  -- Thorsten Alteholz <debian@alteholz.de>  Mon, 22 Feb 2016 18:16:21 +0100
-
diff --git a/debian/control b/debian/control
index 72892ea..4db1cb8 100644
--- a/debian/control
+++ b/debian/control
@@ -1,22 +1,24 @@
 Source: node-deep-extend
-Section: web
-Priority: optional
 Maintainer: Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>
 Uploaders: Thorsten Alteholz <debian@alteholz.de>
-Build-Depends:
- debhelper (>= 9)
- , dh-buildinfo
- , nodejs
-Standards-Version: 3.9.7
+Section: javascript
+Testsuite: autopkgtest-pkg-nodejs
+Priority: optional
+Build-Depends: debhelper (>= 9),
+               dh-buildinfo,
+               mocha,
+               nodejs,
+               node-should,
+               pkg-js-tools
+Standards-Version: 4.3.0
+Vcs-Browser: https://salsa.debian.org/js-team/node-deep-extend
+Vcs-Git: https://salsa.debian.org/js-team/node-deep-extend.git
 Homepage: https://github.com/unclechu/node-deep-extend
-Vcs-Git: https://anonscm.debian.org/git/pkg-javascript/node-deep-extend.git
-Vcs-Browser: https://anonscm.debian.org/gitweb/?p=pkg-javascript/node-deep-extend.git
 
 Package: node-deep-extend
 Architecture: all
-Depends:
- ${misc:Depends}
- , nodejs
+Depends: ${misc:Depends},
+         nodejs
 Description: Recursive object extending
  This module does a recursive object extending.
  .
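Review bot: the Standards-Version bump from 3.9.7 to 4.3.0 and the new `Testsuite: autopkgtest-pkg-nodejs` field in this hunk are not listed in the changelog entry, so the unblock request under-describes the diff; add changelog lines such as `  * Bump Standards-Version to 4.3.0` and `  * Add Testsuite field`. Adding mocha and node-should to Build-Depends together with pkg-js-tools also means the upstream suite now runs at build time, so a failing upstream test will fail the build and not only the autopkgtest; that is worth a sentence in the request since it changes the risk profile of the upload.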
diff --git a/debian/copyright b/debian/copyright
index 28c1d90..a1f8541 100644
--- a/debian/copyright
+++ b/debian/copyright
@@ -1,14 +1,14 @@
-Format: http://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
+Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
 Upstream-Name: deep-extend
 Upstream-Contact: https://github.com/unclechu/node-deep-extend/issues
 Source: https://github.com/unclechu/node-deep-extend
 
 Files: *
-Copyright: 2016 Viacheslav Lotsmanov <lotsmanov89@gmail.com>
+Copyright: 2013-2015, Viacheslav Lotsmanov <lotsmanov89@gmail.com>
 License: Expat
 
 Files: debian/*
-Copyright: 2016 Thorsten Alteholz <debian@alteholz.de>
+Copyright: 2016, Thorsten Alteholz <debian@alteholz.de>
 License: Expat
 
 License: Expat
@@ -31,4 +31,3 @@ License: Expat
  ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
  CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
  SOFTWARE.
-
diff --git a/debian/patches/cve-2018-3750.diff b/debian/patches/cve-2018-3750.diff
new file mode 100644
index 0000000..429af12
--- /dev/null
+++ b/debian/patches/cve-2018-3750.diff
@@ -0,0 +1,29 @@
+Description: Fix for CVE-2018-3750
+Author: Xavier Guimard <yadd@debian.org>
+Origin: https://github.com/unclechu/node-deep-extend/commit/9423fae877e2ab6b4aecc4db79a0ed63039d4703
+Bug: https://security-tracker.debian.org/tracker/CVE-2018-3750
+Bug-Debian: https://bugs.debian.org/926616
+Forwarded: https://github.com/unclechu/node-deep-extend/commit/9423fae877e2ab6b4aecc4db79a0ed63039d4703
+Last-Update: 2019-04-08
+
+--- a/lib/deep-extend.js
++++ b/lib/deep-extend.js
+@@ -102,8 +102,8 @@
+ 		}
+ 
+ 		Object.keys(obj).forEach(function (key) {
+-			src = target[key]; // source value
+-			val = obj[key]; // new value
++			src = safeGetProperty(target, key); // source value
++			val = safeGetProperty(obj, key); // new value
+ 
+ 			// recursion prevention
+ 			if (val === target) {
+@@ -142,3 +142,7 @@
+ 
+ 	return target;
+ }
++
++function safeGetProperty(object, property) {
++  return property === '__proto__' ? undefined : object[property];
++}
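Review bot: `safeGetProperty` treats only `__proto__` as unsafe, while the same key-by-key walk still resolves every other key through `object[property]`; the usual hardening for this bug class is to reject `constructor` and `prototype` as well, e.g. `return property === '__proto__' || property === 'constructor' || property === 'prototype' ? undefined : object[property];`, and to add a regression test for the guarded keys. Two smaller points in the DEP-3 header: `Forwarded:` repeats the Origin URL although the patch was taken from upstream, so `Forwarded: not-needed` is the accurate value; and the added function uses two-space indentation while the surrounding lib/deep-extend.js context uses tabs.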
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 0000000..4b4ad1b
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1 @@
+cve-2018-3750.diff
diff --git a/debian/rules b/debian/rules
index de57af0..20809a4 100755
--- a/debian/rules
+++ b/debian/rules
@@ -5,11 +5,4 @@
 #export DH_VERBOSE=1
 
 %:
-	dh $@
-
-#override_dh_auto_build:
-
-#override_dh_auto_test:
-
-
-
+	dh $@ --with nodejs
diff --git a/debian/tests/control b/debian/tests/control
deleted file mode 100644
index 2cdc011..0000000
--- a/debian/tests/control
+++ /dev/null
@@ -1,2 +0,0 @@
-Tests: require
-Depends: node-deep-extend
diff --git a/debian/tests/pkg-js/test b/debian/tests/pkg-js/test
new file mode 100644
index 0000000..91500a6
--- /dev/null
+++ b/debian/tests/pkg-js/test
@@ -0,0 +1 @@
+mocha --timeout 10000
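Review bot: `mocha --timeout 10000` runs the upstream suite that ships with 0.4.1, but nothing in this upload adds a test for the `__proto__` case that cve-2018-3750.diff guards; a short mocha case asserting that extending with a `__proto__` key leaves `Object.prototype` untouched would keep the fix from silently regressing on a future upstream import. The removed debian/tests/require smoke test is covered, since loading the module is exercised by the suite anyway.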
diff --git a/debian/tests/require b/debian/tests/require
deleted file mode 100644
index 3711396..0000000
--- a/debian/tests/require
+++ /dev/null
@@ -1,3 +0,0 @@
-#!/bin/sh
-set -e
-nodejs -e "require('deep-extend');"
diff --git a/debian/upstream/metadata b/debian/upstream/metadata
new file mode 100644
index 0000000..4be43f6
--- /dev/null
+++ b/debian/upstream/metadata
@@ -0,0 +1,7 @@
+---
+Archive: GitHub
+Bug-Database: https://github.com/unclechu/node-deep-extend/issues
+Contact: https://github.com/unclechu/node-deep-extend/issues
+Name: node-deep-extend
+Repository: https://github.com/unclechu/node-deep-extend.git
+Repository-Browse: https://github.com/unclechu/node-deep-extend

--- End Message ---
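Added example (not code from node-deep-extend, the Debian package, or the message above): a self-contained JavaScript model of the key-by-key merge that the patch guards, run once with an unguarded lookup and once with the same `safeGetProperty` check the patch adds, so the "no consequences on normal usage" claim and the effect of the guard can both be checked. The functions `extend`, `unsafeGet`, `mergeUntrustedJson` and `normalUsage`, and the JSON input, are constructed for this illustration; only `safeGetProperty` mirrors the patch.

```javascript
'use strict';

// Plain-object test: only {}-style values are merged recursively.
function isPlainObject(value) {
  return value !== null && typeof value === 'object' && !Array.isArray(value);
}

// Unpatched lookup (constructed): follows any key, including the inherited
// `__proto__` accessor, so target['__proto__'] resolves to Object.prototype.
function unsafeGet(object, property) {
  return object[property];
}

// Same guard as the Debian patch cve-2018-3750.diff: `__proto__` yields
// undefined instead of the prototype object.
function safeGetProperty(object, property) {
  return property === '__proto__' ? undefined : object[property];
}

// Recursive merge of `source` into `target` (constructed model of the
// key-by-key walk in lib/deep-extend.js); `getProp` is one of the lookups above.
function extend(target, source, getProp) {
  Object.keys(source).forEach(function (key) {
    var src = getProp(target, key); // existing value
    var val = getProp(source, key); // incoming value
    if (val === target) {
      return; // recursion prevention
    }
    if (isPlainObject(val) && isPlainObject(src)) {
      extend(src, val, getProp); // merge into the existing nested object
    } else if (isPlainObject(val)) {
      target[key] = extend({}, val, getProp); // copy into a fresh nested object
    } else {
      // Scalars, arrays and undefined are assigned as-is. For a guarded
      // `__proto__` key this assigns undefined through the inherited setter,
      // which ignores non-object values, so the target is left unchanged.
      target[key] = val;
    }
  });
  return target;
}

// Merge a constructed JSON document carrying a `__proto__` key, then check
// whether an unrelated fresh object can now see the injected property.
function mergeUntrustedJson(getProp) {
  var untrusted = JSON.parse('{"__proto__": {"polluted": "yes"}, "name": "demo"}');
  var target = extend({}, untrusted, getProp);
  var leaked = ({}).polluted; // only reachable via Object.prototype
  delete Object.prototype.polluted; // undo any pollution so later code is unaffected
  return { leaked: leaked, name: target.name };
}

// Ordinary nested merge, to confirm the guard does not change normal use.
function normalUsage(getProp) {
  return extend({ a: { b: 1 }, keep: true }, { a: { c: 2 }, list: [1, 2] }, getProp);
}

console.log('unpatched:', JSON.stringify(mergeUntrustedJson(unsafeGet)));
console.log('patched:  ', JSON.stringify(mergeUntrustedJson(safeGetProperty)));
console.log('normal merge, patched:', JSON.stringify(normalUsage(safeGetProperty)));
```

With the unguarded lookup the `__proto__` key resolves to `Object.prototype` on the target side, so the nested merge writes `polluted` onto it and every object in the process sees it; with the guard both lookups return undefined and the key is a no-op, while the ordinary nested merge produces the same result either way.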
--- Begin Message ---
Unblocked node-deep-extend.

--- End Message ---
