Bug#1004384: bullseye-pu: package node-cached-path-relative/1.0.2-1+deb11u1
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian.org@packages.debian.org
Usertags: pu
[ Reason ]
node-cached-path-relative is vulnerable to prototype pollution
(CVE-2021-23518)
[ Impact ]
Medium vulnerabilty
[ Tests ]
Test passed, no new check
[ Risks ]
Low risk, patch is trivial
[ Checklist ]
[X] *all* changes are documented in the d/changelog
[X] I reviewed all changes and I approve them
[X] attach debdiff against the package in (old)stable
[X] the issue is verified as fixed in unstable
Cheers,
Yadd
diff --git a/debian/changelog b/debian/changelog
index 9f42f71..fb79e59 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+node-cached-path-relative (1.0.2-1+deb11u1) bullseye; urgency=medium
+
+ * Team upload
+ * Fix prototype pollution (Closes: CVE-2021-23518)
+
+ -- Yadd <yadd@debian.org> Wed, 26 Jan 2022 14:36:03 +0100
+
node-cached-path-relative (1.0.2-1) unstable; urgency=medium
* New upstream version: fix prototype pollution vulnerability
diff --git a/debian/patches/CVE-2021-23518.patch b/debian/patches/CVE-2021-23518.patch
new file mode 100644
index 0000000..99705bb
--- /dev/null
+++ b/debian/patches/CVE-2021-23518.patch
@@ -0,0 +1,28 @@
+Description: fix prototype pollution
+Origin: upstream, https://github.com/ashaffer/cached-path-relative/commit/40c73bf70
+Author: Andrew <darawk@gmail.com>
+Bug: https://security.snyk.io/vuln/SNYK-JS-CACHEDPATHRELATIVE-72573
+Forwarded: not-needed
+Reviewed-By: Yadd <yadd@debian.org>
+Last-Update: 2022-01-26
+
+--- a/lib/index.js
++++ b/lib/index.js
+@@ -27,7 +27,7 @@
+ // to invalidate the cache
+ var cwd = process.cwd()
+ if (cwd !== lastCwd) {
+- cache = {}
++ cache = Object.create(null)
+ lastCwd = cwd
+ }
+
+@@ -35,7 +35,7 @@
+
+ var result = relative.call(path, from, to)
+
+- cache[from] = cache[from] || {}
++ cache[from] = cache[from] || Object.create(null)
+ cache[from][to] = result
+
+ return result
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 0000000..625c955
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1 @@
+CVE-2021-23518.patch
Reply to: