- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: buster-pu: package dojo/1.14.2+dfsg1-1+deb10u2
- From: Xavier Guimard <yadd@debian.org>
- Date: Wed, 11 Mar 2020 06:22:06 +0100
- Message-id: <158390412695.3589574.11992169629075511912.reportbug@deb007.xnr.fr>
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu
Hi,
Two new vulnerabilities (prototype pollution) have been published for dojo. I have imported the two upstream fixes here.
Cheers,
Xavier
diff --git a/debian/changelog b/debian/changelog
index f2dfbd6c..d4aae875 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,12 @@
+dojo (1.14.2+dfsg1-1+deb10u2) buster; urgency=medium
+
+ * Team upload
+ * Fix prototype pollution in deepCopy method (Closes: #953585,
+ CVE-2020-5258)
+ * Fix Prototype Pollution in jqMix method (Closes: #953587, CVE-2020-5259)
+
+ -- Xavier Guimard <yadd@debian.org> Wed, 11 Mar 2020 06:18:23 +0100
+
dojo (1.14.2+dfsg1-1+deb10u1) buster; urgency=medium
* Team upload
diff --git a/debian/patches/CVE-2020-5258.diff b/debian/patches/CVE-2020-5258.diff
new file mode 100644
index 00000000..4aefd61d
--- /dev/null
+++ b/debian/patches/CVE-2020-5258.diff
@@ -0,0 +1,20 @@
+Description: fix Prototype Pollution
+Author: Nick Nisi
+Origin: upstream, https://github.com/dojo/dojox/commit/c5901be1
+Bug: https://github.com/dojo/dojo/security/advisories/GHSA-jxfh-8wgv-vfr2
+Bug-Debian: https://bugs.debian.org/953585
+Forwarded: not-needed
+Reviewed-By: Xavier Guimard <yadd@debian.org>
+Last-Update: 2020-03-11
+
+--- a/dojo/request/util.js
++++ b/dojo/request/util.js
+@@ -13,7 +13,7 @@
+ for (var name in source) {
+ var tval = target[name],
+ sval = source[name];
+- if (tval !== sval) {
++ if (name !== '__proto__' && tval !== sval) {
+ if (sval && typeof sval === 'object' && !(has('native-formdata') && sval instanceof FormData)) {
+ if (Object.prototype.toString.call(sval) === '[object Date]') { // use this date test to handle crossing frame boundaries
+ target[name] = new Date(sval);
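Review bot: The new guard `if (name !== '__proto__' && tval !== sval)` rejects only the `__proto__` key, while `for (var name in source)` still walks every enumerable key of an attacker-supplied object; a hardened merge usually also skips `constructor` and `prototype` (e.g. `if (name === '__proto__' || name === 'constructor' || name === 'prototype') continue;`) and restricts the copy to own properties, so it is worth confirming the upstream dojo fix did not go further than this one line. The same scope remark applies to the jqMix patch in debian/patches/CVE-2020-5259.diff. Separately, the `Origin:` header of this patch points at a dojo/dojox commit although the patched file is dojo/request/util.js and the `Bug:` link is a dojo/dojo advisory, which looks like a copy of the CVE-2020-5259 header; the Origin should be verified against the actual dojo/dojo commit. The enclosing deepCopy function starts and ends outside the hunk.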
diff --git a/debian/patches/CVE-2020-5259.diff b/debian/patches/CVE-2020-5259.diff
new file mode 100644
index 00000000..3d05ed7e
--- /dev/null
+++ b/debian/patches/CVE-2020-5259.diff
@@ -0,0 +1,20 @@
+Description: fix prototype pollution in jqMix method
+Author: Nick Nisi
+Origin: upstream, https://github.com/dojo/dojox/commit/c5901be1
+Bug: https://github.com/dojo/dojox/security/advisories/GHSA-3hw5-q855-g6cw
+Bug-Debian: https://bugs.debian.org/953587
+Forwarded: not-needed
+Reviewed-By: Xavier Guimard <yadd@debian.org>
+Last-Update: 2020-03-11
+
+--- a/dojox/jq.js
++++ b/dojox/jq.js
+@@ -455,7 +455,7 @@
+ // inherited from Object.prototype. For example, if obj has a custom
+ // toString() method, don't overwrite it with the toString() method
+ // that props inherited from Object.prototype
+- if((tobj[x] === undefined || tobj[x] != props[x]) && props[x] !== undefined && obj != props[x]){
++ if(x !== '__proto__ ' && ((tobj[x] === undefined || tobj[x] != props[x])) && props[x] !== undefined && obj != props[x]){
+ if(dojo.isObject(obj[x]) && dojo.isObject(props[x])){
+ if(dojo.isArray(props[x])){
+ obj[x] = props[x];
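Review bot: As rendered here, the string literal in the added condition is `'__proto__ '` with a trailing space, so `x !== '__proto__ '` is always true for the key `__proto__` and the guard blocks nothing; unless the space is an artifact of how this page was extracted, the line should read `if(x !== '__proto__' && ((tobj[x] === undefined || tobj[x] != props[x])) && props[x] !== undefined && obj != props[x]){`. Because the whole point of the upload is this one comparison, the patch file should be checked byte-for-byte against the upstream commit cited in `Origin:` before it is applied. The enclosing jqMix function starts and ends outside the hunk.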
diff --git a/debian/patches/series b/debian/patches/series
index b0f5ff11..d5b7db42 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -2,3 +2,5 @@
0002-Do-notrun-test-suite-in-build.patch
0003-Disable-flash-storage.patch
CVE-2019-10785.patch
+CVE-2020-5258.diff
+CVE-2020-5259.diff