Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
Please unblock package node-jszip
[ Reason ]
node-jszip is vulnerable to prototype pollution: crafting a new zip file
with filenames set to Object prototype property names (e.g. __proto__, toString,
etc.) results in a returned object with a modified prototype.
[ Impact ]
Minor security issue.
[ Tests ]
Sadly, tests are not run for this package.
[ Risks ]
No risk, the patch is trivial.
[ Checklist ]
[X] all changes are documented in the d/changelog
[X] I reviewed all changes and I approve them
[X] attach debdiff against the package in testing
Cheers,
Yadd
unblock node-jszip/3.5.0+dfsg-2
diff --git a/debian/changelog b/debian/changelog
index 7994aaf..bbfd736 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+node-jszip (3.5.0+dfsg-2) unstable; urgency=medium
+
+ * Team upload
+ * Fix GitHub tags regex
+ * Fix a null prototype object for this.files (Closes: CVE-2021-23413)
+
+ -- Yadd <yadd@debian.org> Mon, 26 Jul 2021 21:54:02 +0200
+
node-jszip (3.5.0+dfsg-1) unstable; urgency=medium
* Team upload
diff --git a/debian/patches/CVE-2021-23413.patch b/debian/patches/CVE-2021-23413.patch
new file mode 100644
index 0000000..7f3e672
--- /dev/null
+++ b/debian/patches/CVE-2021-23413.patch
@@ -0,0 +1,43 @@
+Description: fix: Use a null prototype object for this.files
+Author: Michael Aquilina <michaelaquilina@gmail.com>
+Bug: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23413
+Forwarded: not-needed
+Reviewed-By: Yadd <yadd@debian.org>
+Last-Update: 2021-07-26
+
+--- a/lib/index.js
++++ b/lib/index.js
+@@ -19,7 +19,10 @@
+ // "folder/" : {...},
+ // "folder/data.txt" : {...}
+ // }
+- this.files = {};
++ // NOTE: we use a null prototype because we do not
++ // want filenames like "toString" coming from a zip file
++ // to overwrite methods and attributes in a normal Object.
++ this.files = Object.create(null);
+
+ this.comment = null;
+
+--- a/lib/object.js
++++ b/lib/object.js
+@@ -179,16 +179,16 @@
+ */
+ forEach: function(cb) {
+ var filename, relativePath, file;
++ /* jshint ignore:start */
++ // ignore warning about unwanted properties because this.files is a null prototype object
+ for (filename in this.files) {
+- if (!this.files.hasOwnProperty(filename)) {
+- continue;
+- }
+ file = this.files[filename];
+ relativePath = filename.slice(this.root.length, filename.length);
+ if (relativePath && filename.slice(0, this.root.length) === this.root) { // the file is in the current root
+ cb(relativePath, file); // TODO reverse the parameters ? need to be clean AND consistent with the filter search fn...
+ }
+ }
++ /* jshint ignore:end */
+ },
+
+ /**
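Review bot: The lib/object.js part of the patch makes `forEach` depend on `this.files` having a null prototype, but any other code path that still calls `this.files.hasOwnProperty(...)` directly will now throw a TypeError, because a null-prototype object inherits no methods; the patch only touches `forEach`, so the remaining users of `this.files` in lib/object.js (outside this hunk) should be checked and, where an own-property test is still wanted, switched to `Object.prototype.hasOwnProperty.call(this.files, filename)`. The `/* jshint ignore:start */` block silences the for-in warning instead of removing its cause; iterating `Object.keys(this.files)` would need neither the lint exemption nor an own-property guard, since keys of a null-prototype object are all own properties. With `Object.create(null)` a `__proto__` filename becomes an ordinary own data property rather than a setter on Object.prototype, which is what closes the pollution, so the fix itself looks correct; the `forEach` function is fully inside this hunk.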
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 0000000..b0d53b4
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1 @@
+CVE-2021-23413.patch
diff --git a/debian/watch b/debian/watch
index 46895cc..4525548 100644
--- a/debian/watch
+++ b/debian/watch
@@ -4,4 +4,4 @@ repacksuffix=+dfsg,\
repack,compression=xz,\
dversionmangle=auto,\
filenamemangle=s/.*\/v?([\d\.-]+)\.tar\.gz/node-jszip-$1.tar.gz/ \
- https://github.com/Stuk/jszip/tags .*/archive/v?([\d\.]+).tar.gz
+ https://github.com/Stuk/jszip/tags .*/archive/.*/v?([\d\.]+).tar.gz