
Bug#954398: buster-pu: package node-dot/1.1.1-1+deb10u1



Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu

Hi,

node-dot ≤ 1.1.2 is vulnerable to code execution after prototype
pollution. I imported the upstream fix and wrote a basic test to verify that
the CVE is really fixed.

Cheers,
Xavier
diff --git a/debian/changelog b/debian/changelog
index 6b07063..9face10 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+node-dot (1.1.1-1+deb10u1) buster; urgency=medium
+
+  * Team upload
+  * Add CVE-2020-8141 test
+  * Prevent code execution after prototype pollution (Closes: CVE-2020-8141)
+
+ -- Xavier Guimard <yadd@debian.org>  Sat, 21 Mar 2020 09:23:57 +0100
+
 node-dot (1.1.1-1) unstable; urgency=low
 
   * Initial release (Closes: #862235)
diff --git a/debian/patches/CVE-2020-8141.diff b/debian/patches/CVE-2020-8141.diff
new file mode 100644
index 0000000..f1ceb77
--- /dev/null
+++ b/debian/patches/CVE-2020-8141.diff
@@ -0,0 +1,21 @@
+Description: fix for CVE-2020-8141
+ prevent possibility of execution of the code injected via prototype pollution
+ when undefined is passed to compiled template function
+Author: Evgeny Poberezkin
+Origin: upstream, https://github.com/olado/doT/commit/2cf222683
+Bug: https://github.com/olado/doT/issues/291
+Forwarded: not-needed
+Reviewed-By: Xavier Guimard <yadd@debian.org>
+Last-Update: 2020-03-21
+
+--- a/index.js
++++ b/index.js
+@@ -42,7 +42,7 @@
+ 	if (this.__destination[this.__destination.length-1] !== '/') this.__destination += '/';
+ 	this.__global		= o.global || "window.render";
+ 	this.__rendermodule	= o.rendermodule || {};
+-	this.__settings 	= o.templateSettings ? copy(o.templateSettings, copy(doT.templateSettings)) : undefined;
++	this.__settings         = Object.prototype.hasOwnProperty.call(o,"templateSettings") ? copy(o.templateSettings, copy(doT.templateSettings)) : undefined;
+ 	this.__includes		= {};
+ }
+ 
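Review bot: The own-property guard is applied only to `templateSettings`; the two neighbouring reads `o.global || "window.render"` and `o.rendermodule || {}` on lines 57-58 still resolve through `||`, so an inherited (prototype) property would still be picked up there. Whether that matters depends on how `__global` and `__rendermodule` are consumed later in index.js, which is outside this hunk, but for consistency the same `Object.prototype.hasOwnProperty.call(o, "global") ? o.global : "window.render"` form could be used on both lines. The function this hunk modifies begins before the hunk. The replaced line also swaps the tab after `__settings` for spaces, which is presumably inherited from the upstream commit and is harmless.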
diff --git a/debian/patches/series b/debian/patches/series
index a2a471b..4216fcb 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1 +1,2 @@
 use-nodejs.patch
+CVE-2020-8141.diff
diff --git a/debian/rules b/debian/rules
index fd7ead0..7af6067 100755
--- a/debian/rules
+++ b/debian/rules
@@ -11,3 +11,7 @@
 
 override_dh_auto_test:
 	mocha -R spec test/*.test.js
+	mkdir node_modules
+	ln -s .. node_modules/dot
+	sh -ex debian/tests/cve-2020-8141
+	rm -rf node_modules
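Review bot: `mkdir node_modules` fails on a second build in the same tree (or if the unpacked source already ships a node_modules directory), and because each recipe line is its own shell, the `rm -rf node_modules` on the last line never runs when the test script exits non-zero, leaving a symlink in the source tree that dpkg-source will then report as a local change. Use `mkdir -p node_modules` and make the cleanup unconditional, e.g. `sh -ex debian/tests/cve-2020-8141 || { rm -rf node_modules; exit 1; }` followed by the existing `rm -rf node_modules`. A short comment such as `# expose the unpacked source as the "dot" module so the autopkgtest script can require() it` would explain why the symlink exists.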
diff --git a/debian/tests/control b/debian/tests/control
index ac27cb1..362b343 100644
--- a/debian/tests/control
+++ b/debian/tests/control
@@ -3,3 +3,6 @@ Depends: node-dot
 
 Test-Command: mocha -R spec test/*.test.js
 Depends: @, mocha
+
+Tests: cve-2020-8141
+Depends: @, nodejs
diff --git a/debian/tests/cve-2020-8141 b/debian/tests/cve-2020-8141
new file mode 100755
index 0000000..0a0b214
--- /dev/null
+++ b/debian/tests/cve-2020-8141
@@ -0,0 +1,9 @@
+#!/bin/sh
+
+cd debian/tests
+if node ./cve-2020-8141.js | grep 25; then
+	echo "node-dot is vulnerable to CVE 2020-8141"
+	exit 1
+else
+	echo "node-dot seems patched"
+fi
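Review bot: `grep 25` is too loose a success condition: any incidental "25" in node's output (a version string, a stack-trace line number) would mark the package vulnerable, and a node invocation that fails outright (missing module, syntax error) prints nothing on stdout and is reported as "seems patched", masking a broken test. Capture the output and the exit status separately, `out=$(node ./cve-2020-8141.js) || { echo "test script failed to run"; exit 1; }`, then match the whole line with `if echo "$out" | grep -qx 25; then`. The `cd debian/tests` assumes the working directory is the source root, which holds for both debian/rules and autopkgtest but is worth a one-line comment.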
diff --git a/debian/tests/cve-2020-8141.js b/debian/tests/cve-2020-8141.js
new file mode 100644
index 0000000..94f3639
--- /dev/null
+++ b/debian/tests/cve-2020-8141.js
@@ -0,0 +1,3 @@
+var doT = require("dot"); // prototype pollution attack vector
+Object.prototype.templateSettings = {varname:"a,b,c,d,x=console.log(25)"}; // benign looking template compilation + application
+var dots = require("dot").process({path: "./resources"}); dots.mytemplate();
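Review bot: The second `require("dot")` on the last line duplicates the first (Node returns the cached module anyway), and the comment `// benign looking template compilation + application` sits on the prototype-assignment line although it describes the line after it. Simplify to `var dots = doT.process({path: "./resources"});` and move the comment onto that line. A header comment stating that the script intentionally assigns to `Object.prototype` and that the only expected stdout line is `25` from the injected `varname` would tell future maintainers what the companion shell test is matching on.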
diff --git a/debian/tests/resources/mytemplate.dot b/debian/tests/resources/mytemplate.dot
new file mode 100644
index 0000000..75e06f7
--- /dev/null
+++ b/debian/tests/resources/mytemplate.dot
@@ -0,0 +1 @@
+html <h1>Here is a sample template</h1>
