Bug#941227: [Pkg-javascript-devel] Bug#941227: buster-pu: package node-set-value/0.4.0-1+deb10u1
I forgot the debdiff, sorry
On 26/09/2019 at 20:11, Xavier Guimard wrote:
> Package: release.debian.org
> Severity: normal
> Tags: buster
> User: release.debian.org@packages.debian.org
> Usertags: pu
>
> Hi,
>
> node-set-value is vulnerable to prototype pollution (#941189,
> CVE-2019-10747). I imported and adapted the upstream patch and added a test
> inspired by the CVE report [1]. I think this could be safely added to the next
> buster point release.
>
> Cheers,
> Xavier
>
> [1]: https://snyk.io/vuln/SNYK-JS-SETVALUE-450213
>
diff --git a/debian/changelog b/debian/changelog
index 49d174b..21101f9 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+node-set-value (0.4.0-1+deb10u1) buster; urgency=medium
+
+ * Fix prototype pollution (Closes: #941189, CVE-2019-10747)
+ * Add test for CVE-2019-10747
+
+ -- Xavier Guimard <yadd@debian.org> Thu, 26 Sep 2019 07:27:54 +0200
+
node-set-value (0.4.0-1) unstable; urgency=low
* Initial release (Closes: #842255)
diff --git a/debian/patches/CVE-2019-10747.diff b/debian/patches/CVE-2019-10747.diff
new file mode 100644
index 0000000..04075f8
--- /dev/null
+++ b/debian/patches/CVE-2019-10747.diff
@@ -0,0 +1,50 @@
+Description: Fix prototype pollution
+ Test is inspired from bug source
+Author: Jon Schlinkert (https://github.com/jonschlinkert)
+Origin: upstream, https://github.com/jonschlinkert/set-value/commit/cb12f149
+Bug: https://snyk.io/vuln/SNYK-JS-SETVALUE-450213
+Bug-Debian: https://bugs.debian.org/941189
+Forwarded: not-needed
+Reviewed-By: Xavier Guimard <yadd@debian.org>
+Last-Update: 2019-09-26
+
+--- a/index.js
++++ b/index.js
+@@ -24,7 +24,7 @@
+ return obj;
+ }
+
+- var segs = path.split('.');
++ var segs = path.split('.').filter(isValidKey);
+ var len = segs.length, i = -1;
+ var res = obj;
+ var last;
+@@ -59,3 +59,7 @@
+ }
+ return res;
+ };
++
++function isValidKey(key) {
++ return key !== '__proto__' && key !== 'constructor' && key !== 'prototype';
++}
+--- a/test.js
++++ b/test.js
+@@ -148,3 +148,18 @@
+ assert.deepEqual(o, { 'e.f': { 'g.h.i': { j: 1 } } });
+ });
+ });
++
++describe('CVE-2019-10747', function() {
++ it("shouldn't pollute prototype", function() {
++ var paths = [
++ 'constructor.prototype.a0',
++ '__proto__.a1',
++ ];
++ for (const p of paths) {
++ set({}, p, true);
++ }
++ for (let i = 0; i < paths.length; i++) {
++ assert.equal(({})[`a${i}`], null);
++ }
++ });
++});
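Review bot: in the index.js part of this hunk, `path.split('.').filter(isValidKey)` silently drops the dangerous segment and keeps going, so `set(obj, '__proto__.a1', true)` is rewritten to `set(obj, 'a1', true)` and writes `a1` onto the target object itself; consider rejecting the whole path instead (return `obj` unchanged, or throw) so callers get an explicit failure rather than a value under an unexpected key. In the test.js part, `assert.equal(({})[`a${i}`], null)` only passes because of loose equality (`undefined == null`); `assert.strictEqual(({})[`a${i}`], undefined)` states the intent exactly, and adding `assert.ok(!Object.prototype.hasOwnProperty('a' + i))` would still catch pollution if another test in the suite later defines those names.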
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 0000000..ca81722
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1 @@
+CVE-2019-10747.diff