
Bug#1023798: bullseye-pu: package node-loader-utils/2.0.0-1+deb11u1



Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian.org@packages.debian.org
Usertags: pu

[ Reason ]
node-loader-utils is vulnerable to prototype pollution (CVE-2022-37601)

[ Impact ]
Medium vulnerability

[ Tests ]
No new test

[ Risks ]
No risk, patch is trivial

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

[ Changes ]
Replace {} by Object.create(null)

Cheers,
Yadd
diff --git a/debian/changelog b/debian/changelog
index 7d05292..8f9f949 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+node-loader-utils (2.0.0-1+deb11u1) bullseye; urgency=medium
+
+  * Team upload
+  * Fix prototype pollution (Closes: CVE-2022-37601)
+
+ -- Yadd <yadd@debian.org>  Thu, 10 Nov 2022 11:56:10 +0100
+
 node-loader-utils (2.0.0-1) unstable; urgency=medium
 
   * Team upload
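Review bot: `Closes:` in the changelog entry takes Debian bug numbers, not CVE ids, so `(Closes: CVE-2022-37601)` will not close anything and dpkg's bug-closing parser simply ignores it; the usual form is `(CVE-2022-37601)` on its own, which is all the security tracker needs to match the fix. Harmless as written, but worth tidying before upload.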
diff --git a/debian/patches/CVE-2022-37601.patch b/debian/patches/CVE-2022-37601.patch
new file mode 100644
index 0000000..12eaad6
--- /dev/null
+++ b/debian/patches/CVE-2022-37601.patch
@@ -0,0 +1,18 @@
+Description: fix prototype pollution
+Author: Mike Cebrian <michael.cebrian@gmail.com>
+Origin: upstream, https://github.com/webpack/loader-utils/commit/a93cf6f4
+Forwarded: not-needed
+Reviewed-By: Yadd <yadd@debian.org>
+Last-Update: 2022-11-10
+
+--- node-loader-utils-2.0.0.orig/lib/parseQuery.js
++++ node-loader-utils-2.0.0/lib/parseQuery.js
+@@ -26,7 +26,7 @@ function parseQuery(query) {
+   }
+ 
+   const queryArgs = query.split(/[,&]/g);
+-  const result = {};
++  const result = Object.create(null);
+ 
+   queryArgs.forEach((arg) => {
+     const idx = arg.indexOf('=');
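Review bot: the one-line change is correct for the reported issue, but because `result` is now a null-prototype object, nothing from `Object.prototype` is reachable through it, so any consumer that calls `result.hasOwnProperty(...)` or `result.toString()` on the value parseQuery returns will throw where it used to work; please grep the package's callers and its test suite for that before upload. Since `[ Tests ]` says "No new test", a small regression test asserting that a key named `__proto__` ends up as an own property of the result (and that `Object.getPrototypeOf(result)` is `null`) would be cheap to add alongside the patch. The DEP-3 header is consistent (`Origin: upstream` with `Forwarded: not-needed`).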
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 0000000..c6bc49a
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1 @@
+CVE-2022-37601.patch
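To illustrate what the `[ Changes ]` entry above ("Replace {} by Object.create(null)") actually alters, here is an added example that is not code from loader-utils or from this debdiff. It is a reduced parseQuery-style parser built both ways (the JSON5 branch and the special-value table are omitted), the function names `tokenize`, `store`, `parseQueryPlain`, `parseQueryNullProto`, `probe` and `hasKey` are mine, and the query strings are constructed for the demonstration.

```javascript
// Added example, not code from loader-utils or from this debdiff: a reduced
// parseQuery-style parser built both ways to show what replacing `{}` with
// `Object.create(null)` changes. The query strings below are constructed.

// Tokenize "?a=1,b[]=2&c" into [name, value] pairs, roughly as parseQuery does
// (bare names become `true`; the JSON5 branch is omitted here).
function tokenize(query) {
  if (query.substr(0, 1) !== "?") {
    throw new Error("A valid query string passed to parseQuery should begin with '?'");
  }
  const body = query.substr(1);
  if (!body) return [];
  return body.split(/[,&]/g).map((arg) => {
    const idx = arg.indexOf("=");
    if (idx < 0) return [decodeURIComponent(arg), true];
    return [decodeURIComponent(arg.substr(0, idx)), decodeURIComponent(arg.substr(idx + 1))];
  });
}

// Store one pair; "name[]" accumulates values into an array, as in parseQuery.
function store(result, name, value) {
  if (name.substr(-2) === "[]") {
    const key = name.substr(0, name.length - 2);
    if (!Array.isArray(result[key])) result[key] = [];
    result[key].push(value);
  } else {
    result[name] = value;
  }
}

// Before the patch: a plain object literal inherits the __proto__ accessor from
// Object.prototype, so a key named "__proto__" is never stored as an own
// property: a primitive value is silently dropped, and an object value (here
// the `[]` created by the array branch) replaces the result's prototype.
function parseQueryPlain(query) {
  const result = {};
  for (const [name, value] of tokenize(query)) store(result, name, value);
  return result;
}

// After the patch: a null-prototype object has no inherited accessor, so
// "__proto__" is an ordinary own key and the prototype chain stays untouched.
function parseQueryNullProto(query) {
  const result = Object.create(null);
  for (const [name, value] of tokenize(query)) store(result, name, value);
  return result;
}

// Summarize how a parsed object looks to downstream code.
function probe(result) {
  return {
    ownKeys: Object.keys(result),
    prototypeIsObjectPrototype: Object.getPrototypeOf(result) === Object.prototype,
    prototypeIsNull: Object.getPrototypeOf(result) === null,
    inheritedLength: result.length, // defined only if the prototype became an array
  };
}

// Caveat for callers: a null-prototype result has no result.hasOwnProperty,
// so use the Object.prototype method explicitly instead.
function hasKey(result, key) {
  return Object.prototype.hasOwnProperty.call(result, key);
}

if (typeof require !== "undefined" && require.main === module) {
  for (const q of ["?a=1,b[]=2&b[]=3,c", "?__proto__=x", "?__proto__[]=x"]) {
    console.log(q);
    console.log("  plain      :", probe(parseQueryPlain(q)));
    console.log("  null-proto :", probe(parseQueryNullProto(q)));
  }
}
```

Run with `node` to see the three probes side by side: ordinary queries parse identically both ways, while for a `__proto__` key the plain-object version either loses the key or has its own prototype swapped for the freshly created array (note the inherited `length`), and the null-prototype version keeps it as a plain own key. The `hasKey` helper is the pattern callers need once the result no longer inherits `hasOwnProperty`.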
