Bug#1019915: bullseye-pu: package dojo/1.15.4+dfsg1-1+deb11u1

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Bug#1019915: bullseye-pu: package dojo/1.15.4+dfsg1-1+deb11u1
From: Yadd <yadd@debian.org>
Date: Fri, 16 Sep 2022 10:46:13 +0200
Message-id: <[🔎] 166331797369.2183846.1425700558858064497.reportbug@debian007.xnr.fr>
Reply-to: Yadd <yadd@debian.org>, 1019915@bugs.debian.org

Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian.org@packages.debian.org
Usertags: pu

[ Reason ]
dojo is vulnerable to prototype pollution (#1014785, CVE-2021-23450)

[ Impact ]
Medium vulnerability

[ Tests ]
No new test here

[ Risks ]
No risk, patch is trivial

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

Cheers,
Yadd

diff --git a/debian/changelog b/debian/changelog
index bf5c2b47..b861b5a0 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+dojo (1.15.4+dfsg1-1+deb11u1) bullseye; urgency=medium
+
+  * Team upload
+  * Fix prototype pollution (Closes: #1014785, CVE-2021-23450)
+
+ -- Yadd <yadd@debian.org>  Fri, 16 Sep 2022 10:42:57 +0200
+
 dojo (1.15.4+dfsg1-1) unstable; urgency=medium
 
   * Team upload
diff --git a/debian/patches/CVE-2021-23450.patch b/debian/patches/CVE-2021-23450.patch
new file mode 100644
index 00000000..fe66d089
--- /dev/null
+++ b/debian/patches/CVE-2021-23450.patch
@@ -0,0 +1,22 @@
+Description: Fix for CVE-2021-23450, prototype pollution
+Author: Sanchit Chadha
+Bug-Debian: https://bugs.debian.org/970501
+Origin: upstream, https://github.com/dojo/dojo/commit/b7b8b279
+Bug-Debian: https://bugs.debian.org/1014785
+Forwarded: not-needed
+Reviewed-By: Yadd <yadd@debian.org>
+Last-Update: 2022-09-16
+
+--- a/dojo/_base/lang.js
++++ b/dojo/_base/lang.js
+@@ -31,6 +31,10 @@
+ 			try{
+ 				for(var i = 0; i < parts.length; i++){
+ 					var p = parts[i];
++					// Fix for prototype pollution CVE-2021-23450
++					if (p === '__proto__' || p === 'constructor') {
++						return;
++					}
+ 					if(!(p in context)){
+ 						if(create){
+ 							context[p] = {};
diff --git a/debian/patches/series b/debian/patches/series
index c75b2155..0436f059 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -2,3 +2,4 @@
 0002-Do-notrun-test-suite-in-build.patch
 0003-Disable-flash-storage.patch
 0004-Fix-shrinksafe-tests-with-new-rhino.patch
+CVE-2021-23450.patch

Reply to:

Prev by Date: Bug#961654: buster-pu: package bzip2/1.0.6-9.2~deb10u1
Next by Date: Bug#961654: buster-pu: package bzip2/1.0.6-9.2~deb10u1
Previous by thread: Bug#1019876: marked as done (nmu: atlas-ecmwf_0.30.0-3)
Next by thread: Status of Debian Installer Bookworm Alpha 1: 2 blockers
Index(es):
- Date
- Thread