--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: buster-pu: package node-jszip/3.1.4+dfsg-1+deb10u1
- From: Yadd <yadd@debian.org>
- Date: Thu, 29 Jul 2021 13:07:18 +0200
- Message-id: <162755683839.1055144.13978508853156109387.reportbug@deb007.xnr.fr>
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu
[ Reason ]
node-jszip is vulnerable to prototype pollution (CVE-2021-23413)
[ Impact ]
Medium security issue
[ Tests ]
Sadly, there is no test for this package in Buster
[ Risks ]
Low risk: patch is trivial
[ Checklist ]
[X] *all* changes are documented in the d/changelog
[X] I reviewed all changes and I approve them
[X] attach debdiff against the package in (old)stable
[X] the issue is verified as fixed in unstable
Cheers,
Yadd
diff --git a/debian/changelog b/debian/changelog
index 365402c..3f1b365 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+node-jszip (3.1.4+dfsg-1+deb10u1) buster; urgency=medium
+
+ * Team upload
+ * Fix a null prototype object for this.files (Closes: CVE-2021-23413)
+
+ -- Yadd <yadd@debian.org> Thu, 29 Jul 2021 13:03:23 +0200
+
node-jszip (3.1.4+dfsg-1) unstable; urgency=low
* Initial release (Closes: #875843)
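Review bot: `(Closes: CVE-2021-23413)` in the new changelog entry will not close anything, because the Debian changelog parser only recognises bug numbers (`#NNNNNN`) after `Closes:`; the CVE should be referenced plainly, e.g. ` * Fix prototype pollution via zip entry names (CVE-2021-23413)`. Naming the vulnerability class rather than the implementation detail ("a null prototype object for this.files") also makes the entry more useful to users and to the security tracker.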
diff --git a/debian/patches/CVE-2021-23413.patch b/debian/patches/CVE-2021-23413.patch
new file mode 100644
index 0000000..7f3e672
--- /dev/null
+++ b/debian/patches/CVE-2021-23413.patch
@@ -0,0 +1,43 @@
+Description: fix: Use a null prototype object for this.files
+Author: Michael Aquilina <michaelaquilina@gmail.com>
+Bug: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23413
+Forwarded: not-needed
+Reviewed-By: Yadd <yadd@debian.org>
+Last-Update: 2021-07-26
+
+--- a/lib/index.js
++++ b/lib/index.js
+@@ -19,7 +19,10 @@
+ // "folder/" : {...},
+ // "folder/data.txt" : {...}
+ // }
+- this.files = {};
++ // NOTE: we use a null prototype because we do not
++ // want filenames like "toString" coming from a zip file
++ // to overwrite methods and attributes in a normal Object.
++ this.files = Object.create(null);
+
+ this.comment = null;
+
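Review bot: after `this.files = Object.create(null)`, the object no longer inherits `hasOwnProperty`, `toString` or any other `Object.prototype` method, so any remaining call of the form `this.files.hasOwnProperty(name)` elsewhere in lib/ would now throw a TypeError; the hunk for lib/object.js removes the one in `forEach`, but this debdiff cannot show whether other call sites exist in 3.1.4, so grep the source for `files.hasOwnProperty` before upload. The explanatory comment is welcome; it could also mention that a plain `{}` treats an entry named `__proto__` specially, which is the case that turns a hostile zip into prototype pollution rather than a mere shadowed method.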
+--- a/lib/object.js
++++ b/lib/object.js
+@@ -179,16 +179,16 @@
+ */
+ forEach: function(cb) {
+ var filename, relativePath, file;
++ /* jshint ignore:start */
++ // ignore warning about unwanted properties because this.files is a null prototype object
+ for (filename in this.files) {
+- if (!this.files.hasOwnProperty(filename)) {
+- continue;
+- }
+ file = this.files[filename];
+ relativePath = filename.slice(this.root.length, filename.length);
+ if (relativePath && filename.slice(0, this.root.length) === this.root) { // the file is in the current root
+ cb(relativePath, file); // TODO reverse the parameters ? need to be clean AND consistent with the filter search fn...
+ }
+ }
++ /* jshint ignore:end */
+ },
+
+ /**
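Review bot: dropping the `hasOwnProperty` guard is correct for a null-prototype object (a `for...in` loop sees no inherited properties), but wrapping the loop in `/* jshint ignore:start */ ... /* jshint ignore:end */` silences every lint warning in that region, not only the `forin` one. A narrower alternative that keeps lint coverage and is safe on both plain and null-prototype objects is `if (!Object.prototype.hasOwnProperty.call(this.files, filename)) { continue; }`; if the blanket ignore is kept, the comment should name the warning it targets. Since the patch author is the upstream maintainer, an `Origin: upstream, <commit URL>` DEP-3 header next to `Forwarded: not-needed` would let the next uploader locate the upstream commit.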
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 0000000..b0d53b4
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1 @@
+CVE-2021-23413.patch
--- End Message ---