
Bug#1021647: bullseye-pu: package node-xmldom/0.5.0-1+deb11u1



Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian.org@packages.debian.org
Usertags: pu

[ Reason ]
node-xmldom is vulnerable to prototype pollution

[ Impact ]
Medium security issue

[ Tests ]
No new test; the current tests pass after a snapshot update (`jest -u`)

[ Risks ]
Low risk, patch is trivial

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

[ Changes ]
Add checks to avoid prototype pollution. Also update the snapshots during the
test run (`jest -u`)

Cheers,
Yadd
diff --git a/debian/changelog b/debian/changelog
index 41abbd3..e486812 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+node-xmldom (0.5.0-1+deb11u1) bullseye; urgency=medium
+
+  * Team upload
+  * Fix prototype pollution (Closes: #1021618, CVE-2022-37616)
+
+ -- Yadd <yadd@debian.org>  Wed, 12 Oct 2022 09:11:06 +0200
+
 node-xmldom (0.5.0-1) unstable; urgency=medium
 
   * Team upload
diff --git a/debian/patches/CVE-2022-37616.patch b/debian/patches/CVE-2022-37616.patch
new file mode 100644
index 0000000..4bf06b6
--- /dev/null
+++ b/debian/patches/CVE-2022-37616.patch
@@ -0,0 +1,80 @@
+Description: Avoid iterating over prototype properties
+Author: Christian Bewernitz <coder@karfau.de>
+Origin: upstream, https://github.com/xmldom/xmldom/commit/7c0d4b7f
+Bug: https://github.com/xmldom/xmldom/issues/436
+Bug-Debian: https://bugs.debian.org/1021618
+Forwarded: not-needed
+Reviewed-By: Yadd <yadd@debian.org>
+Last-Update: 2022-10-12
+
+--- a/lib/dom.js
++++ b/lib/dom.js
+@@ -1,6 +1,8 @@
+ function copy(src,dest){
+ 	for(var p in src){
++		if (Object.prototype.hasOwnProperty.call(src, p)) {
+ 		dest[p] = src[p];
++		}
+ 	}
+ }
+ /**
+@@ -371,7 +373,7 @@
+     		//console.dir(map)
+     		if(map){
+     			for(var n in map){
+-    				if(map[n] == namespaceURI){
++    				if(Object.prototype.hasOwnProperty.call(map, n) && map[n] == namespaceURI){
+     					return n;
+     				}
+     			}
+@@ -387,7 +389,7 @@
+     		var map = el._nsMap;
+     		//console.dir(map)
+     		if(map){
+-    			if(prefix in map){
++    			if(Object.prototype.hasOwnProperty.call(map, prefix)){
+     				return map[prefix] ;
+     			}
+     		}
+@@ -1170,12 +1172,14 @@
+ function cloneNode(doc,node,deep){
+ 	var node2 = new node.constructor();
+ 	for(var n in node){
++		if (Object.prototype.hasOwnProperty.call(node, n)) {
+ 		var v = node[n];
+ 		if(typeof v != 'object' ){
+ 			if(v != node2[n]){
+ 				node2[n] = v;
+ 			}
+ 		}
++		}
+ 	}
+ 	if(node.childNodes){
+ 		node2.childNodes = new NodeList();
+--- a/lib/sax.js
++++ b/lib/sax.js
+@@ -137,6 +137,7 @@
+ 		        	domBuilder.endElement(config.uri,config.localName,tagName);
+ 					if(localNSMap){
+ 						for(var prefix in localNSMap){
++							if (Object.prototype.hasOwnProperty.call(localNSMap, prefix))
+ 							domBuilder.endPrefixMapping(prefix) ;
+ 						}
+ 					}
+@@ -475,6 +476,7 @@
+ 		domBuilder.endElement(ns,localName,tagName);
+ 		if(localNSMap){
+ 			for(prefix in localNSMap){
++				if (Object.prototype.hasOwnProperty.call(localNSMap, prefix))
+ 				domBuilder.endPrefixMapping(prefix) 
+ 			}
+ 		}
+@@ -522,7 +524,7 @@
+ 	//} 
+ }
+ function _copy(source,target){
+-	for(var n in source){target[n] = source[n]}
++	for(var n in source){if (Object.prototype.hasOwnProperty.call(source, n)) target[n] = source[n]}
+ }
+ function parseDCC(source,start,domBuilder,errorHandler){//sure start with '<!'
+ 	var next= source.charAt(start+2)
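Review bot: The two guards added in lib/sax.js, `if (Object.prototype.hasOwnProperty.call(localNSMap, prefix))` placed before `domBuilder.endPrefixMapping(prefix)`, are brace-less single-statement ifs, whereas the equivalent guards in lib/dom.js (copy and cloneNode) wrap their body in braces; I would brace these too, `if (Object.prototype.hasOwnProperty.call(localNSMap, prefix)) {` … `}`, so the guard's extent is unambiguous and a later inserted line cannot silently fall outside it. The one-line `_copy` at the end of the hunk has the same shape and would read better split onto a braced block. The body of cloneNode continues past the end of the hunk, so only its first loop is covered here. Note that the own-property check filters inherited keys but not an own `__proto__` key; whether any of these source objects can carry one depends on callers not shown in the hunk and is worth confirming.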
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 0000000..8f56e74
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1 @@
+CVE-2022-37616.patch
diff --git a/debian/tests/pkg-js/test b/debian/tests/pkg-js/test
index 12fbf82..aab41f7 100644
--- a/debian/tests/pkg-js/test
+++ b/debian/tests/pkg-js/test
@@ -1,2 +1,2 @@
 # Text that require xmltest are disabled: xmltest contains a non free file
-jest --ci --testRegex `find test/ -name '*.test.js'|grep -v -f debian/tests/test_exclude`
+jest -u --ci --testRegex `find test/ -name '*.test.js'|grep -v -f debian/tests/test_exclude`
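Review bot: Adding `-u` to the autopkgtest jest invocation makes snapshot assertions unable to fail, because any mismatch is written back to the snapshot files instead of being reported, so this test no longer detects regressions in snapshot-covered behaviour. If the snapshots changed because of the CVE patch, the more durable fix is to ship the regenerated snapshot files in a patch (or refresh them at build time) and keep `--ci` without `-u`, the mode in which jest refuses to write snapshots. The [Tests] section of the report indicates the snapshot update was the only change needed, so this looks feasible. Whether the snapshot files can be patched in place depends on where jest writes them, which is not visible here.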
