Bug#1021648: buster-pu: package node-xmldom/0.1.27+ds-1+deb10u1

[Yadd <yadd@debian.org>]

Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu

[ Reason ]
node-xmldom is vulnerable to prototype pollution

[ Impact ]
Medium security issue

[ Tests ]
No new test, test passed

[ Risks ]
Low risk, patch is trivial

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

[ Changes ]
Add checks to avoid prototype pollution

Cheers,
Yadd

diff --git a/debian/changelog b/debian/changelog
index 51d769b..d16e01b 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+node-xmldom (0.1.27+ds-1+deb10u1) buster; urgency=medium
+
+  * Team upload
+  * Fix prototype pollution (Closes: #1021618, CVE-2022-37616)
+
+ -- Yadd <yadd@debian.org>  Wed, 12 Oct 2022 10:07:56 +0200
+
 node-xmldom (0.1.27+ds-1) unstable; urgency=low
 
   * Initial release (Closes: #902311). Repacked from github
diff --git a/debian/patches/CVE-2022-37616.patch b/debian/patches/CVE-2022-37616.patch
new file mode 100644
index 0000000..a591260
--- /dev/null
+++ b/debian/patches/CVE-2022-37616.patch
@@ -0,0 +1,80 @@
+Description: Avoid iterating over prototype properties
+Author: Christian Bewernitz <coder@karfau.de>
+Origin: upstream, https://github.com/xmldom/xmldom/commit/7c0d4b7f
+Bug: https://github.com/xmldom/xmldom/issues/436
+Bug-Debian: https://bugs.debian.org/1021618
+Forwarded: not-needed
+Reviewed-By: Yadd <yadd@debian.org>
+Last-Update: 2022-10-12
+
+--- a/dom.js
++++ b/dom.js
+@@ -7,7 +7,7 @@
+ 
+ function copy(src,dest){
+ 	for(var p in src){
+-		dest[p] = src[p];
++		if (Object.prototype.hasOwnProperty.call(src, p)) dest[p] = src[p];
+ 	}
+ }
+ /**
+@@ -377,7 +377,7 @@
+     		//console.dir(map)
+     		if(map){
+     			for(var n in map){
+-    				if(map[n] == namespaceURI){
++    				if(Object.prototype.hasOwnProperty.call(map, n) && map[n] == namespaceURI){
+     					return n;
+     				}
+     			}
+@@ -393,7 +393,7 @@
+     		var map = el._nsMap;
+     		//console.dir(map)
+     		if(map){
+-    			if(prefix in map){
++    			if(Object.prototype.hasOwnProperty.call(map, prefix)){
+     				return map[prefix] ;
+     			}
+     		}
+@@ -1143,12 +1143,14 @@
+ function cloneNode(doc,node,deep){
+ 	var node2 = new node.constructor();
+ 	for(var n in node){
++		if (Object.prototype.hasOwnProperty.call(node, n)) {
+ 		var v = node[n];
+ 		if(typeof v != 'object' ){
+ 			if(v != node2[n]){
+ 				node2[n] = v;
+ 			}
+ 		}
++		}
+ 	}
+ 	if(node.childNodes){
+ 		node2.childNodes = new NodeList();
+--- a/sax.js
++++ b/sax.js
+@@ -122,6 +122,7 @@
+ 		        	domBuilder.endElement(config.uri,config.localName,tagName);
+ 					if(localNSMap){
+ 						for(var prefix in localNSMap){
++							if (Object.prototype.hasOwnProperty.call(localNSMap, prefix))
+ 							domBuilder.endPrefixMapping(prefix) ;
+ 						}
+ 					}
+@@ -450,6 +451,7 @@
+ 		domBuilder.endElement(ns,localName,tagName);
+ 		if(localNSMap){
+ 			for(prefix in localNSMap){
++				if (Object.prototype.hasOwnProperty.call(localNSMap, prefix))
+ 				domBuilder.endPrefixMapping(prefix) 
+ 			}
+ 		}
+@@ -497,7 +499,7 @@
+ 	//} 
+ }
+ function _copy(source,target){
+-	for(var n in source){target[n] = source[n]}
++	for(var n in source){if (Object.prototype.hasOwnProperty.call(source, n)) target[n] = source[n]}
+ }
+ function parseDCC(source,start,domBuilder,errorHandler){//sure start with '<!'
+ 	var next= source.charAt(start+2)
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 0000000..8f56e74
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1 @@
+CVE-2022-37616.patch