Bug#976392: buster-pu: package node-y18n/3.2.1-2+deb10u1
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu
[ Reason ]
node-y18n is vulnerable to prototype pollution
[ Impact ]
Little security risk
[ Tests ]
Test added in autopkgtest, and verified: fails without patch, succeeds
with patch
[ Risks ]
Low risk, upstream test + CVE test shows that all works
[ Checklist ]
[X] *all* changes are documented in the d/changelog
[X] I reviewed all changes and I approve them
[X] attach debdiff against the package in (old)stable
[X] the issue is verified as fixed in unstable
[ Changes ]
Just a little change in variable initialization
Note: package already uploaded
Cheers,
Xavier
diff --git a/debian/changelog b/debian/changelog
index 72257ee..d969c10 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+node-y18n (3.2.1-2+deb10u1) buster; urgency=medium
+
+ * Team upload.
+ * Fix prototype pollution (Closes: #976390, CVE-2020-7774)
+
+ -- Xavier Guimard <yadd@debian.org> Fri, 04 Dec 2020 15:41:08 +0100
+
node-y18n (3.2.1-2) unstable; urgency=medium
* Enable tests
diff --git a/debian/patches/CVE-2020-7774.patch b/debian/patches/CVE-2020-7774.patch
new file mode 100644
index 0000000..2e292c1
--- /dev/null
+++ b/debian/patches/CVE-2020-7774.patch
@@ -0,0 +1,20 @@
+Description: fix for CVE-2020-7774
+Author: bcoe <bencoe@google.com>
+Origin: upstream, bcoe <bencoe@google.com>
+Bug: https://github.com/yargs/y18n/issues/96
+Bug-Debian: https://bugs.debian.org/976390
+Forwarded: not-needed
+Reviewed-By: Xavier Guimard <yadd@debian.org>
+Last-Update: 2020-12-04
+
+--- a/index.js
++++ b/index.js
+@@ -11,7 +11,7 @@
+ this.fallbackToLanguage = typeof opts.fallbackToLanguage === 'boolean' ? opts.fallbackToLanguage : true
+
+ // internal stuff.
+- this.cache = {}
++ this.cache = Object.create(null)
+ this.writeQueue = []
+ }
+
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 0000000..7d69b10
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1 @@
+CVE-2020-7774.patch
diff --git a/debian/tests/CVE-2020-7774-check b/debian/tests/CVE-2020-7774-check
new file mode 100755
index 0000000..8b5ff40
--- /dev/null
+++ b/debian/tests/CVE-2020-7774-check
@@ -0,0 +1,14 @@
+#!/usr/bin/nodejs
+
+const y18n = require('y18n')();
+//var polluted;
+y18n.setLocale('__proto__');
+y18n.updateLocale({polluted: true});
+try {
+if(polluted) console.error('Vulnerable to CVE-2020-7774');
+process.exit(polluted);
+}
+catch(e) {
+console.log('Not vulnerable to CVE-2020-7774');
+process.exit(0);
+}
diff --git a/debian/tests/control b/debian/tests/control
index 57de701..b19a2bc 100644
--- a/debian/tests/control
+++ b/debian/tests/control
@@ -1,4 +1,4 @@
-Tests: require
+Tests: require, CVE-2020-7774-check
Depends: node-y18n
Test-Command: mocha -R spec
Reply to: