Bug#953763: buster-pu: package node-minimist/1.2.0-1+deb10u1
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu
Hi,
node-minimist is vulnerable to prototype pollution. I fixed this by importing the whole upstream 1.2.0-to-1.2.5 diff (it is very small), since only prototype-pollution-related issues were fixed in that range.
Cheers,
Xavier
diff --git a/debian/changelog b/debian/changelog
index 8406b1a..327fcb5 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+node-minimist (1.2.0-1+deb10u1) buster; urgency=medium
+
+ * Team upload
+ * Fix prototype pollution (Closes: #953762, CVE-2020-7598)
+
+ -- Xavier Guimard <yadd@debian.org> Fri, 13 Mar 2020 07:18:52 +0100
+
node-minimist (1.2.0-1) unstable; urgency=medium
* New upstream release
diff --git a/debian/patches/CVE-2020-7598.diff b/debian/patches/CVE-2020-7598.diff
new file mode 100644
index 0000000..6ec3bb8
--- /dev/null
+++ b/debian/patches/CVE-2020-7598.diff
@@ -0,0 +1,43 @@
+Description: fix for CVE-2020-7598 (prototype pollution)
+ Import whole 1.2.5 changes
+Author: Xavier Guimard
+Bug: https://snyk.io/vuln/SNYK-JS-MINIMIST-559764
+Bug-Debian: https://bugs.debian.org/953762
+Forwarded: not-needed
+Last-Update: 2020-03-13
+
+--- a/index.js
++++ b/index.js
+@@ -68,12 +68,21 @@
+
+ function setKey (obj, keys, value) {
+ var o = obj;
+- keys.slice(0,-1).forEach(function (key) {
++ for (var i = 0; i < keys.length-1; i++) {
++ var key = keys[i];
++ if (key === '__proto__') return;
+ if (o[key] === undefined) o[key] = {};
++ if (o[key] === Object.prototype || o[key] === Number.prototype
++ || o[key] === String.prototype) o[key] = {};
++ if (o[key] === Array.prototype) o[key] = [];
+ o = o[key];
+- });
++ }
+
+ var key = keys[keys.length - 1];
++ if (key === '__proto__') return;
++ if (o === Object.prototype || o === Number.prototype
++ || o === String.prototype) o = {};
++ if (o === Array.prototype) o = [];
+ if (o[key] === undefined || flags.bools[key] || typeof o[key] === 'boolean') {
+ o[key] = value;
+ }
+@@ -171,7 +180,7 @@
+ setArg(key, args[i+1], arg);
+ i++;
+ }
+- else if (args[i+1] && /true|false/.test(args[i+1])) {
++ else if (args[i+1] && /^(true|false)$/.test(args[i+1])) {
+ setArg(key, args[i+1] === 'true', arg);
+ i++;
+ }
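Review bot: The guard added at the top of the loop in setKey (`if (key === '__proto__') return;`) still leaves `Object.prototype` reachable through `constructor.prototype`: on a plain object `o['constructor']` is the `Object` function and `o['prototype']` is then `Object.prototype`, and the line `if (o[key] === undefined) o[key] = {};` writes into `o` before anything checks what `o` is, so an argument such as `--constructor.prototype.foo.bar=1` would, as far as I can trace it, create `Object.prototype.foo` on the way down (only the final assignment is protected by the `o === Object.prototype` reassignment). I would reject the key itself in both places instead of relying on the `o[key]` identity checks: `if (key === '__proto__' || (key === 'constructor' && typeof o[key] === 'function')) return;` in the loop, and the same line before the final assignment. I believe this is the gap upstream later closed in 1.2.6 (CVE-2021-44906), so it is worth noting in the patch header that this backport carries the 1.2.5 behaviour only. setKey's closing brace lies outside the inner hunk.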
diff --git a/debian/patches/series b/debian/patches/series
index 81a5e8e..01db0e3 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1 +1,2 @@
nodejs.patch
+CVE-2020-7598.diff