--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu
[ Reason ]
node-xmldom is vulnerable to prototype pollution
[ Impact ]
Medium security issue
[ Tests ]
No new test added; the existing tests pass
[ Risks ]
Low risk, patch is trivial
[ Checklist ]
[X] *all* changes are documented in the d/changelog
[X] I reviewed all changes and I approve them
[X] attach debdiff against the package in (old)stable
[X] the issue is verified as fixed in unstable
[ Changes ]
Add checks to avoid prototype pollution
Cheers,
Yadd
diff --git a/debian/changelog b/debian/changelog
index 51d769b..d16e01b 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+node-xmldom (0.1.27+ds-1+deb10u1) buster; urgency=medium
+
+ * Team upload
+ * Fix prototype pollution (Closes: #1021618, CVE-2022-37616)
+
+ -- Yadd <yadd@debian.org> Wed, 12 Oct 2022 10:07:56 +0200
+
node-xmldom (0.1.27+ds-1) unstable; urgency=low
* Initial release (Closes: #902311). Repacked from github
diff --git a/debian/patches/CVE-2022-37616.patch b/debian/patches/CVE-2022-37616.patch
new file mode 100644
index 0000000..a591260
--- /dev/null
+++ b/debian/patches/CVE-2022-37616.patch
@@ -0,0 +1,80 @@
+Description: Avoid iterating over prototype properties
+Author: Christian Bewernitz <coder@karfau.de>
+Origin: upstream, https://github.com/xmldom/xmldom/commit/7c0d4b7f
+Bug: https://github.com/xmldom/xmldom/issues/436
+Bug-Debian: https://bugs.debian.org/1021618
+Forwarded: not-needed
+Reviewed-By: Yadd <yadd@debian.org>
+Last-Update: 2022-10-12
+
+--- a/dom.js
++++ b/dom.js
+@@ -7,7 +7,7 @@
+
+ function copy(src,dest){
+ for(var p in src){
+- dest[p] = src[p];
++ if (Object.prototype.hasOwnProperty.call(src, p)) dest[p] = src[p];
+ }
+ }
+ /**
+@@ -377,7 +377,7 @@
+ //console.dir(map)
+ if(map){
+ for(var n in map){
+- if(map[n] == namespaceURI){
++ if(Object.prototype.hasOwnProperty.call(map, n) && map[n] == namespaceURI){
+ return n;
+ }
+ }
+@@ -393,7 +393,7 @@
+ var map = el._nsMap;
+ //console.dir(map)
+ if(map){
+- if(prefix in map){
++ if(Object.prototype.hasOwnProperty.call(map, prefix)){
+ return map[prefix] ;
+ }
+ }
+@@ -1143,12 +1143,14 @@
+ function cloneNode(doc,node,deep){
+ var node2 = new node.constructor();
+ for(var n in node){
++ if (Object.prototype.hasOwnProperty.call(node, n)) {
+ var v = node[n];
+ if(typeof v != 'object' ){
+ if(v != node2[n]){
+ node2[n] = v;
+ }
+ }
++ }
+ }
+ if(node.childNodes){
+ node2.childNodes = new NodeList();
+--- a/sax.js
++++ b/sax.js
+@@ -122,6 +122,7 @@
+ domBuilder.endElement(config.uri,config.localName,tagName);
+ if(localNSMap){
+ for(var prefix in localNSMap){
++ if (Object.prototype.hasOwnProperty.call(localNSMap, prefix))
+ domBuilder.endPrefixMapping(prefix) ;
+ }
+ }
+@@ -450,6 +451,7 @@
+ domBuilder.endElement(ns,localName,tagName);
+ if(localNSMap){
+ for(prefix in localNSMap){
++ if (Object.prototype.hasOwnProperty.call(localNSMap, prefix))
+ domBuilder.endPrefixMapping(prefix)
+ }
+ }
+@@ -497,7 +499,7 @@
+ //}
+ }
+ function _copy(source,target){
+- for(var n in source){target[n] = source[n]}
++ for(var n in source){if (Object.prototype.hasOwnProperty.call(source, n)) target[n] = source[n]}
+ }
+ function parseDCC(source,start,domBuilder,errorHandler){//sure start with '<!'
+ var next= source.charAt(start+2)
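Review bot: The two guards added in the sax.js hunks, `if (Object.prototype.hasOwnProperty.call(localNSMap, prefix))` placed on its own line before `domBuilder.endPrefixMapping(prefix)`, are brace-less single-statement ifs, whereas the cloneNode hunk in dom.js wraps the guarded body in `{ ... }`; writing them as `if (Object.prototype.hasOwnProperty.call(localNSMap, prefix)) { domBuilder.endPrefixMapping(prefix); }` would keep any statement later added to those loops under the same own-property check. Because the patch header marks this as a verbatim backport of upstream 7c0d4b7f, that is a note for the Debian delta rather than a request to diverge from upstream. The bug report also states that no new test was added; a regression test that defines an enumerable property on `Object.prototype`, runs `copy`/`_copy` and `cloneNode`, and asserts the destination does not receive it would pin the CVE-2022-37616 fix for this branch. The enclosing functions around the lookupPrefix, lookupNamespaceURI and endElement hunks start and end outside the quoted context.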
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 0000000..8f56e74
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1 @@
+CVE-2022-37616.patch
--- End Message ---
--- Begin Message ---
On Wed, 2022-10-12 at 18:38 +0200, Salvatore Bonaccorso wrote:
> Hi,
>
> On Wed, Oct 12, 2022 at 10:12:09AM +0200, Yadd wrote:
> > Package: release.debian.org
> > Severity: normal
> > Tags: buster
> > User: release.debian.org@packages.debian.org
> > Usertags: pu
> >
> > [ Reason ]
> > node-xmldom is vulnerable to prototype pollution
> >
[...]
> The last buster point release has happened. But this update could go
> via a DLA. I suggest contacting the LTS team (cc'ing the list).
>
and therefore closing the release.d.o bug.
Regards,
Adam
--- End Message ---