
Bug#996623: bullseye-pu: package node-getobject/0.1.0-2+deb11u1

Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian.org@packages.debian.org
Usertags: pu

[ Reason ]
Another prototype pollution (CVE-2020-28282)

[ Impact ]
Low security issue

[ Tests ]
Sadly no test

[ Risks ]
No risk (patch is trivial)

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

[ Changes ]
New check

Cheers,
Yadd

diff --git a/debian/changelog b/debian/changelog
index 52c376a..2f4cbe9 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+node-getobject (0.1.0-2+deb11u1) bullseye; urgency=medium
+
+  * Team upload
+  * Fix prototype pollution (Closes: CVE-2020-28282)
+
+ -- Yadd <yadd@debian.org>  Sat, 16 Oct 2021 13:57:48 +0200
+
 node-getobject (0.1.0-2) unstable; urgency=medium
 
   * Fix Vcs-Git url
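Review bot: `Closes:` in a Debian changelog is parsed for bug numbers (`#NNNNNN`), not CVE ids, so `(Closes: CVE-2020-28282)` will not close any BTS bug automatically; the CVE string itself is still picked up by the security tracker. If there is a Debian bug for this issue, add its number alongside, e.g. `* Fix prototype pollution (CVE-2020-28282) (Closes: #NNNNNN)`.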
diff --git a/debian/patches/CVE-2020-28282.patch b/debian/patches/CVE-2020-28282.patch
new file mode 100644
index 0000000..9fb7cc9
--- /dev/null
+++ b/debian/patches/CVE-2020-28282.patch
@@ -0,0 +1,20 @@
+Description: Do not allow setting of __proto__
+Author: Vlad Filippov <vlad.filippov@gmail.com>
+Bug: https://security-tracker.debian.org/tracker/CVE-2020-28282
+Forwarded: not-needed
+Reviewed-By: Yadd <yadd@debian.org>
+Last-Update: 2021-10-16
+
+--- a/lib/getobject.js
++++ b/lib/getobject.js
+@@ -41,6 +41,10 @@
+ // as we go.
+ getobject.set = function(obj, parts, value) {
+   parts = getParts(parts);
++  if (parts.includes('__proto__')) {
++    // do not allow setting of __proto__. See CVE-2020-28282.
++    return;
++  }
+ 
+   var prop = parts.pop();
+   obj = getobject.get(obj, parts, true);
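Review bot: the new guard `if (parts.includes('__proto__')) { return; }` rejects the write silently, so a caller of `getobject.set` cannot tell a refused key from a successful assignment; consider throwing (or at least documenting the early return) so that callers which rely on the value being stored notice the refusal. The check also only matches the exact segment `__proto__`; other fixes for this bug class additionally reject the `constructor` and `prototype` segments, which would be a small extension of the same line. The patch header could carry an `Origin:` line pointing at the upstream commit this was taken from, since the `Author:` is the upstream developer.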
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 0000000..b74a7fb
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1 @@
+CVE-2020-28282.patch
