Bug#953763: buster-pu: package node-minimist/1.2.0-1+deb10u1

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Bug#953763: buster-pu: package node-minimist/1.2.0-1+deb10u1
From: Xavier Guimard <yadd@debian.org>
Date: Fri, 13 Mar 2020 07:23:08 +0100
Message-id: <[🔎] 158408058823.455983.17422510711084348023.reportbug@deb007.xnr.fr>
Reply-to: Xavier Guimard <yadd@debian.org>, 953763@bugs.debian.org

Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu

Hi,

node-minimist is vulnerable to prototype pollution. I fixed this using
whole 1.2.0-to-1.2.5 diff (very little) since only prototype related
issues have been fixed.

Cheers,
Xavier

diff --git a/debian/changelog b/debian/changelog
index 8406b1a..327fcb5 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+node-minimist (1.2.0-1+deb10u1) buster; urgency=medium
+
+  * Team upload
+  * Fix prototype pollution (Closes: #953762, CVE-2020-7598)
+
+ -- Xavier Guimard <yadd@debian.org>  Fri, 13 Mar 2020 07:18:52 +0100
+
 node-minimist (1.2.0-1) unstable; urgency=medium
 
   * New upstream release
diff --git a/debian/patches/CVE-2020-7598.diff b/debian/patches/CVE-2020-7598.diff
new file mode 100644
index 0000000..6ec3bb8
--- /dev/null
+++ b/debian/patches/CVE-2020-7598.diff
@@ -0,0 +1,43 @@
+Description: fix for CVE-2020-7598 (prototype pollution)
+ Import whole 1.2.5 changes
+Author: Xavier Guimard
+Bug: https://snyk.io/vuln/SNYK-JS-MINIMIST-559764
+Bug-Debian: https://bugs.debian.org/953762
+Forwarded: not-needed
+Last-Update: 2020-03-13
+
+--- a/index.js
++++ b/index.js
+@@ -68,12 +68,21 @@
+ 
+     function setKey (obj, keys, value) {
+         var o = obj;
+-        keys.slice(0,-1).forEach(function (key) {
++        for (var i = 0; i < keys.length-1; i++) {
++            var key = keys[i];
++            if (key === '__proto__') return;
+             if (o[key] === undefined) o[key] = {};
++            if (o[key] === Object.prototype || o[key] === Number.prototype
++                || o[key] === String.prototype) o[key] = {};
++            if (o[key] === Array.prototype) o[key] = [];
+             o = o[key];
+-        });
++        }
+ 
+         var key = keys[keys.length - 1];
++        if (key === '__proto__') return;
++        if (o === Object.prototype || o === Number.prototype
++            || o === String.prototype) o = {};
++        if (o === Array.prototype) o = [];
+         if (o[key] === undefined || flags.bools[key] || typeof o[key] === 'boolean') {
+             o[key] = value;
+         }
+@@ -171,7 +180,7 @@
+                     setArg(key, args[i+1], arg);
+                     i++;
+                 }
+-                else if (args[i+1] && /true|false/.test(args[i+1])) {
++                else if (args[i+1] && /^(true|false)$/.test(args[i+1])) {
+                     setArg(key, args[i+1] === 'true', arg);
+                     i++;
+                 }
diff --git a/debian/patches/series b/debian/patches/series
index 81a5e8e..01db0e3 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1 +1,2 @@
 nodejs.patch
+CVE-2020-7598.diff

Reply to:

Prev by Date: Bug#953024: marked as done (transition: zita-convolver)
Next by Date: Bug#951499: transition: collada-dom
Previous by thread: Bug#953745: stretch-pu: package proftpd-dfsg/1.3.5b-4+deb9u5
Next by thread: Bug#948375: buster-pu: package ceph/12.2.12+dfsg-1
Index(es):
- Date
- Thread