
Bug#927699: unblock: node-mixin-deep/1.1.3-3



Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package node-mixin-deep

Hi all,

node-mixin-deep is vulnerable to prototype pollution [1]. I fixed this
using the upstream commit. Full changes:
  * Add upstream/metadata
  * Declare compliance with policy 4.3.0
  * Change section to javascript
  * Fix prototype pollution (Closes: #898315, CVE-2018-3719)
  * Switch tests to pkg-js-tools
  * Fix VCS fields
  * Fix debian/copyright

Main reverse-dependencies:
 - webpack
 - gulp
 - rollup & rollup plugins

The change on installed files is just a control to avoid prototype pollution
(see debian/patches/CVE-2018-3719.diff). So I think it is low risk to
upgrade node-mixin-deep.

Cheers,
Xavier

[1]: https://security-tracker.debian.org/tracker/CVE-2018-3719
     https://bugs.debian.org/898315

unblock node-mixin-deep/1.1.3-3

-- System Information:
Debian Release: buster/sid
  APT prefers testing
  APT policy: (900, 'testing'), (500, 'testing-proposed-updates'), (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-4-amd64 (SMP w/8 CPU cores)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE= (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
diff --git a/debian/changelog b/debian/changelog
index 2e47d2e..17cb287 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,23 @@
+node-mixin-deep (1.1.3-3) unstable; urgency=medium
+
+  * Team upload
+  * Back to debhelper 9 (Buster freeze)
+
+ -- Xavier Guimard <yadd@debian.org>  Sun, 21 Apr 2019 14:34:56 +0200
+
+node-mixin-deep (1.1.3-2) unstable; urgency=medium
+
+  * Team upload
+  * Add upstream/metadata
+  * Declare compliance with policy 4.3.0
+  * Change section to javascript
+  * Fix prototype pollution (Closes: #898315, CVE-2018-3719)
+  * Switch tests to pkg-js-tools
+  * Fix VCS fields
+  * Fix debian/copyright
+
+ -- Xavier Guimard <yadd@debian.org>  Sun, 21 Apr 2019 14:24:15 +0200
+
 node-mixin-deep (1.1.3-1) unstable; urgency=low
 
   * Initial release (Closes: #842329)
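Review bot: the 1.1.3-3 entry says "Back to debhelper 9 (Buster freeze)", but nothing in this cumulative diff (1.1.3-1 to 1.1.3-3) touches debian/compat and debian/control still carries `debhelper (>= 9)`, so the intermediate bump must have happened in 1.1.3-2 without being listed there; adding a line such as "Bump debhelper compatibility level" to the 1.1.3-2 entry would keep the changelog consistent with the revert it describes.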
diff --git a/debian/control b/debian/control
index bf5ce1c..a305397 100644
--- a/debian/control
+++ b/debian/control
@@ -1,8 +1,9 @@
 Source: node-mixin-deep
-Section: web
+Section: javascript
 Priority: optional
 Maintainer: Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>
 Uploaders: Sruthi Chandran <srud@disroot.org>
+Testsuite: autopkgtest-pkg-nodejs
 Build-Depends:
  debhelper (>= 9)
  , dh-buildinfo
@@ -11,10 +12,11 @@ Build-Depends:
  , node-should
  , node-is-extendable (>= 0.1.1)
  , node-for-in (>= 0.1.4)
-Standards-Version: 3.9.8
+ , pkg-js-tools
+Standards-Version: 4.3.0
 Homepage: https://github.com/jonschlinkert/mixin-deep
-Vcs-Git: https://anonscm.debian.org/git/pkg-javascript/node-mixin-deep.git
-Vcs-Browser: https://anonscm.debian.org/cgit/pkg-javascript/node-mixin-deep.git
+Vcs-Browser: https://salsa.debian.org/js-team/node-mixin-deep
+Vcs-Git: https://salsa.debian.org/js-team/node-mixin-deep.git
 
 Package: node-mixin-deep
 Architecture: all
diff --git a/debian/copyright b/debian/copyright
index 1e90e8f..42f57f3 100644
--- a/debian/copyright
+++ b/debian/copyright
@@ -1,10 +1,10 @@
-Format: http://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
+Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
 Upstream-Name: mixin-deep
 Upstream-Contact: https://github.com/jonschlinkert/mixin-deep/issues
 Source: https://github.com/jonschlinkert/mixin-deep
 
 Files: *
-Copyright: 2016 Jon Schlinkert (https://github.com/jonschlinkert)
+Copyright: 2014-2015 Jon Schlinkert (https://github.com/jonschlinkert)
 License: Expat
 
 Files: debian/*
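Review bot: the `Files: *` stanza moves the copyright years backwards, from `2016` to `2014-2015`; that is unusual for a "Fix debian/copyright" change, so it should be checked against upstream's LICENSE and package.json and the reason given in the changelog entry, otherwise a later upload is likely to flip it back.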
@@ -31,4 +31,3 @@ License: Expat
  ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
  CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
  SOFTWARE.
-
diff --git a/debian/patches/CVE-2018-3719.diff b/debian/patches/CVE-2018-3719.diff
new file mode 100644
index 0000000..868f5bb
--- /dev/null
+++ b/debian/patches/CVE-2018-3719.diff
@@ -0,0 +1,22 @@
+Description: Fix prototype pollution (CVE-2018-3719)
+Author: Jon Schlinkert <https://github.com/jonschlinkert>
+Origin: upstream, https://github.com/jonschlinkert/mixin-deep/commit/578b0bc5e74e14de9ef4975f504dc698796bdf9c
+Bug: https://www.npmjs.com/advisories/578
+Bug-Debian: https://bugs.debian.org/898315
+Forwarded: not-needed
+Reviewed-By: Xavier Guimard <yadd@debian.org>
+Last-Update: 2019-04-21
+
+--- a/index.js
++++ b/index.js
+@@ -23,6 +23,10 @@
+  */
+ 
+ function copy(val, key) {
++  if (key === '__proto__') {
++    return;
++  }
++
+   var obj = this[key];
+   if (isObject(val) && isObject(obj)) {
+     mixinDeep(obj, val);
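Review bot: the early return in copy() rejects only the literal key `'__proto__'`; any other key is still looked up through `this[key]` and, when `isObject(val) && isObject(obj)` holds, merged recursively by `mixinDeep(obj, val)`. Whether keys named `constructor` or `prototype` take that path depends on `isObject()`, which is outside this hunk, so for a patch described as "Fix prototype pollution" the reviewer would want those names rejected explicitly in the same guard (or the lookup limited to own properties of `this`) rather than relying on `isObject()` to exclude them.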
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 0000000..9b10403
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1 @@
+CVE-2018-3719.diff
diff --git a/debian/rules b/debian/rules
index 9eb6b18..20809a4 100755
--- a/debian/rules
+++ b/debian/rules
@@ -5,11 +5,4 @@
 #export DH_VERBOSE=1
 
 %:
-	dh $@
-
-#override_dh_auto_build:
-
-override_dh_auto_test:
-	mocha -R spec
-
-
+	dh $@ --with nodejs
diff --git a/debian/tests/control b/debian/tests/control
deleted file mode 100644
index 588a506..0000000
--- a/debian/tests/control
+++ /dev/null
@@ -1,5 +0,0 @@
-Tests: require
-Depends: node-mixin-deep
-
-Test-Command: mocha -R spec
-Depends: @, @builddeps@
diff --git a/debian/tests/pkg-js/test b/debian/tests/pkg-js/test
new file mode 100644
index 0000000..00882e2
--- /dev/null
+++ b/debian/tests/pkg-js/test
@@ -0,0 +1 @@
+mocha -R spec --timeout 10000
diff --git a/debian/tests/require b/debian/tests/require
deleted file mode 100644
index 02a037e..0000000
--- a/debian/tests/require
+++ /dev/null
@@ -1,3 +0,0 @@
-#!/bin/sh
-set -e
-nodejs -e "require('mixin-deep');"
diff --git a/debian/upstream/metadata b/debian/upstream/metadata
new file mode 100644
index 0000000..120af8f
--- /dev/null
+++ b/debian/upstream/metadata
@@ -0,0 +1,7 @@
+---
+Archive: GitHub
+Bug-Database: https://github.com/jonschlinkert/mixin-deep/issues
+Contact: https://github.com/jonschlinkert/mixin-deep/issues
+Name: mixin-deep
+Repository: https://github.com/jonschlinkert/mixin-deep.git
+Repository-Browse: https://github.com/jonschlinkert/mixin-deep
