
Bug#1004384: bullseye-pu: package node-cached-path-relative/1.0.2-1+deb11u1



Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian.org@packages.debian.org
Usertags: pu

[ Reason ]
node-cached-path-relative is vulnerable to prototype pollution
(CVE-2021-23518)

[ Impact ]
Medium vulnerability

[ Tests ]
Test passed, no new check

[ Risks ]
Low risk, patch is trivial

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

Cheers,
Yadd
diff --git a/debian/changelog b/debian/changelog
index 9f42f71..fb79e59 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+node-cached-path-relative (1.0.2-1+deb11u1) bullseye; urgency=medium
+
+  * Team upload
+  * Fix prototype pollution (Closes: CVE-2021-23518)
+
+ -- Yadd <yadd@debian.org>  Wed, 26 Jan 2022 14:36:03 +0100
+
 node-cached-path-relative (1.0.2-1) unstable; urgency=medium
 
   * New upstream version: fix prototype pollution vulnerability
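Review bot: `Closes: CVE-2021-23518` in the new changelog entry will not do what the keyword is for; the Debian BTS closer expects a bug number (`Closes: #NNNNNN`), so a CVE identifier there closes nothing and just reads oddly in `apt-listchanges`. Write the identifier plainly, e.g. `* Fix prototype pollution (CVE-2021-23518)`, and add a `Closes: #…` reference only if there is a BTS bug tracking this issue.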
diff --git a/debian/patches/CVE-2021-23518.patch b/debian/patches/CVE-2021-23518.patch
new file mode 100644
index 0000000..99705bb
--- /dev/null
+++ b/debian/patches/CVE-2021-23518.patch
@@ -0,0 +1,28 @@
+Description: fix prototype pollution
+Origin: upstream, https://github.com/ashaffer/cached-path-relative/commit/40c73bf70
+Author: Andrew <darawk@gmail.com>
+Bug: https://security.snyk.io/vuln/SNYK-JS-CACHEDPATHRELATIVE-72573
+Forwarded: not-needed
+Reviewed-By: Yadd <yadd@debian.org>
+Last-Update: 2022-01-26
+
+--- a/lib/index.js
++++ b/lib/index.js
+@@ -27,7 +27,7 @@
+   // to invalidate the cache
+   var cwd = process.cwd()
+   if (cwd !== lastCwd) {
+-    cache = {}
++    cache = Object.create(null)
+     lastCwd = cwd
+   }
+ 
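Review bot: this hunk only changes the reassignment taken when the working directory changes; the initial top-level assignment of `cache` (outside the hunk) is not touched by the patch. Please verify that the module-level initialiser is also `Object.create(null)` (or that the upstream 1.0.2 source already has it), because if it is still a plain `{}` then, until the first cwd change, `cache['__proto__']` resolves to `Object.prototype` and the store in the second hunk writes straight into it, so the fix would only take effect after `process.cwd()` has changed once.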
+@@ -35,7 +35,7 @@
+ 
+   var result = relative.call(path, from, to)
+ 
+-  cache[from] = cache[from] || {}
++  cache[from] = cache[from] || Object.create(null)
+   cache[from][to] = result
+ 
+   return result
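Review bot: the fix relies entirely on the cache objects having no prototype, so that `cache[from]` with `from === '__proto__'` yields `undefined` instead of `Object.prototype`, yet the [Tests] section says no new check was added. A one-line regression test in `debian/tests` would pin this down: call the module with `cachedPathRelative('__proto__', 'polluted')` and assert that `({}).polluted === undefined` afterwards; with the pre-patch `{}` that assertion fails, with `Object.create(null)` it passes, and it would also catch a future upstream refactor reintroducing a plain object literal here.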
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 0000000..625c955
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1 @@
+CVE-2021-23518.patch