--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: bullseye-pu: package node-json-schema/0.3.0+_7.0.6-1+deb11u1
- From: Yadd <yadd@debian.org>
- Date: Mon, 22 Nov 2021 10:50:20 +0100
- Message-id: <163757462019.906113.6253931075890567587.reportbug@deb007.xnr.fr>
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian.org@packages.debian.org
Usertags: pu
[ Reason ]
node-json-schema is vulnerable to prototype pollution
[ Impact ]
Medium vulnerability
[ Tests ]
Sadly test wre not enable for this package
[ Risks ]
Low risk, patch is trivial
[ Checklist ]
[X] *all* changes are documented in the d/changelog
[X] I reviewed all changes and I approve them
[X] attach debdiff against the package in (old)stable
[X] the issue is verified as fixed in unstable
[ Changes ]
Just an additional check
Cheers,
Yadd
diff --git a/debian/changelog b/debian/changelog
index a50007b..bad7788 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+node-json-schema (0.3.0+~7.0.6-1+deb11u1) bullseye; urgency=medium
+
+ * Team upload
+ * Fix prototype pollution (Closes: #999765, CVE-2021-3918)
+
+ -- Yadd <yadd@debian.org> Mon, 22 Nov 2021 10:40:35 +0100
+
node-json-schema (0.3.0+~7.0.6-1) unstable; urgency=medium
[ upstream ]
diff --git a/debian/patches/CVE-2021-3918.patch b/debian/patches/CVE-2021-3918.patch
new file mode 100644
index 0000000..9cba185
--- /dev/null
+++ b/debian/patches/CVE-2021-3918.patch
@@ -0,0 +1,53 @@
+Description: fix Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
+ Don't allow __proto__ property to be used for schema default/coerce, fixes
+Author: Kris Zyp <kriszyp@gmail.com>
+Origin: upstream, https://github.com/kriszyp/json-schema/commit/22f14611
+Bug: https://security-tracker.debian.org/tracker/CVE-2021-3918
+Bug-Debian: https://bugs.debian.org/999765
+Forwarded: not-needed
+Reviewed-By: Yadd <yadd@debian.org>
+Last-Update: 2021-11-22
+
+--- a/lib/validate.js
++++ b/lib/validate.js
+@@ -207,7 +207,7 @@
+ }
+
+ for(var i in objTypeDef){
+- if(objTypeDef.hasOwnProperty(i)){
++ if(objTypeDef.hasOwnProperty(i) && i != '__proto__'){
+ var value = instance[i];
+ // skip _not_ specified properties
+ if (value === undefined && options.existingOnly) continue;
+--- a/test/tests.js
++++ b/test/tests.js
+@@ -92,4 +92,29 @@
+ 'Json-Ref self-validates': assertSelfValidates('json-ref'),
+ 'Json-Ref/Hyper': assertValidates('json-ref', 'hyper-schema'),
+ 'Json-Ref/Core': assertValidates('json-ref', 'schema')
++ prototypePollution: function() {
++ console.log('testing')
++ const instance = JSON.parse(`
++ {
++ "$schema":{
++ "type": "object",
++ "properties":{
++ "__proto__": {
++ "type": "object",
++ "properties":{
++ "polluted": {
++ "type": "string",
++ "default": "polluted"
++ }
++ }
++ }
++ },
++ "__proto__": {}
++ }
++ }`);
++
++ const a = {};
++ validate(instance);
++ assert.equal(a.polluted, undefined);
++ }
+ }).export(module);
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 0000000..082cdc9
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1 @@
+CVE-2021-3918.patch
--- End Message ---