
Bug#1034664: unblock: node-xml2js/0.4.23+~cs15.4.0+dfsg-5



Control: tags -1 moreinfo

On 2023-04-21 11:16:32 +0400, Yadd wrote:
> Package: release.debian.org
> Severity: normal
> User: release.debian.org@packages.debian.org
> Usertags: unblock
> X-Debbugs-Cc: node-xml2js@packages.debian.org
> Control: affects -1 + src:node-xml2js
> 
> Please unblock package node-xml2js

This upload is causing autopkgtest regressions:

node-xml2js (0.4.23+~cs15.4.0+dfsg-4 to 0.4.23+~cs15.4.0+dfsg-5)
    Maintainer: Debian Javascript Maintainers
    Migration status for node-xml2js (0.4.23+~cs15.4.0+dfsg-4 to 0.4.23+~cs15.4.0+dfsg-5): BLOCKED: Rejected/violates migration policy/introduces a regression
    Issues preventing migration:
    ∙ ∙ autopkgtest for node-node-rest-client/3.1.1-2: amd64: Regression ♻  (reference ♻), arm64: Regression ♻  (reference ♻), armel: Regression ♻  (reference ♻), armhf: Regression ♻  (reference ♻), i386: Regression ♻  (reference ♻), ppc64el: Regression ♻  (reference ♻), s390x: Regression ♻  (reference ♻)
    ∙ ∙ autopkgtest for node-xml2js/0.4.23+~cs15.4.0+dfsg-5: amd64: Pass, arm64: Pass, armel: Pass, armhf: Pass, i386: Pass, ppc64el: Pass, s390x: Pass
    ∙ ∙ blocked by freeze: is a key package (Follow the freeze policy when applying for an unblock)
    ∙ ∙ Too young, only 1 of 20 days old
    Additional info:
    ∙ ∙ Piuparts tested OK - https://piuparts.debian.org/sid/source/n/node-xml2js.html

Please let us know once they have been fixed.

Cheers

> 
> [ Reason ]
> node-xml2js version 0.4.23 allows an external attacker to edit or add new
> properties to an object (#1034148, CVE-2023-0842)
> 
> [ Impact ]
> Medium security issue
> 
> [ Tests ]
> Test updates, passed
> 
> [ Risks ]
> Low risk, patch is trivial and tested
> 
> [ Checklist ]
>   [X] all changes are documented in the d/changelog
>   [X] I reviewed all changes and I approve them
>   [X] attach debdiff against the package in testing
> 
> Cheers,
> Yadd
> 
> unblock node-xml2js/0.4.23+~cs15.4.0+dfsg-5

> diff --git a/debian/changelog b/debian/changelog
> index 98492d7..9d9dac7 100644
> --- a/debian/changelog
> +++ b/debian/changelog
> @@ -1,3 +1,12 @@
> +node-xml2js (0.4.23+~cs15.4.0+dfsg-5) unstable; urgency=medium
> +
> +  * Team upload
> +  * Update standards version to 4.6.2, no changes needed.
> +  * Update nodejs dependency to nodejs:any
> +  * Add patch to prevent prototype pollution (Closes: #1034148, CVE-2023-0842)
> +
> + -- Yadd <yadd@debian.org>  Fri, 21 Apr 2023 11:11:13 +0400
> +
>  node-xml2js (0.4.23+~cs15.4.0+dfsg-4) unstable; urgency=medium
>  
>    * Team upload
> diff --git a/debian/control b/debian/control
> index dc4d6d0..406a88d 100644
> --- a/debian/control
> +++ b/debian/control
> @@ -10,7 +10,7 @@ Build-Depends:
>   , node-sax <!nocheck>
>   , dh-sequence-nodejs
>   , node-diff
> -Standards-Version: 4.6.1
> +Standards-Version: 4.6.2
>  Vcs-Browser: https://salsa.debian.org/js-team/node-xml2js
>  Vcs-Git: https://salsa.debian.org/js-team/node-xml2js.git
>  Homepage: https://github.com/Leonidas-from-XIV/node-xml2js
> @@ -21,8 +21,8 @@ Architecture: all
>  Depends:
>   ${misc:Depends}
>   , node-sax
> - , nodejs
>   , node-diff
> + , nodejs:any
>  Provides: ${nodejs:Provides}
>  Description: simple XML to JavaScript object converter - Node.js module
>   xml2js parses XML using node-sax and converts it to a plain JavaScript
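Review bot: The Depends change swaps `nodejs` for `nodejs:any`, which is the right form for this Architecture: all package that only needs the interpreter at runtime, but the entry also moves from before `node-diff` to after it; keeping the list order unchanged would make the hunk a one-line substitution and keep future diffs smaller.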
> diff --git a/debian/patches/CVE-2023-0842.patch b/debian/patches/CVE-2023-0842.patch
> new file mode 100644
> index 0000000..3d80ed9
> --- /dev/null
> +++ b/debian/patches/CVE-2023-0842.patch
> @@ -0,0 +1,103 @@
> +Description: use Object.create(null) to create all parsed objects
> + (prevent prototype replacement)
> +Author: James Crosby <james@coggle.it>
> +Origin: upstream, commit:581b19a6
> +Bug: https://github.com/advisories/GHSA-776f-qx25-q3cc
> +Bug-Debian: https://bugs.debian.org/1034148
> +Forwarded: not-needed
> +Applied-Upstream: 0.5.0, commit:581b19a6
> +Reviewed-By: Yadd <yadd@debian.org>
> +Last-Update: 2023-04-21
> +
> +--- a/src/parser.coffee
> ++++ b/src/parser.coffee
> +@@ -103,12 +103,12 @@
> +     charkey = @options.charkey
> + 
> +     @saxParser.onopentag = (node) =>
> +-      obj = {}
> ++      obj = Object.create(null)
> +       obj[charkey] = ""
> +       unless @options.ignoreAttrs
> +         for own key of node.attributes
> +           if attrkey not of obj and not @options.mergeAttrs
> +-            obj[attrkey] = {}
> ++            obj[attrkey] = Object.create(null)
> +           newValue = if @options.attrValueProcessors then processItem(@options.attrValueProcessors, node.attributes[key], key) else node.attributes[key]
> +           processedKey = if @options.attrNameProcessors then processItem(@options.attrNameProcessors, key) else key
> +           if @options.mergeAttrs
> +@@ -161,7 +161,7 @@
> +       # put children into <childkey> property and unfold chars if necessary
> +       if @options.explicitChildren and not @options.mergeAttrs and typeof obj is 'object'
> +         if not @options.preserveChildrenOrder
> +-          node = {}
> ++          node = Object.create(null)
> +           # separate attributes
> +           if @options.attrkey of obj
> +             node[@options.attrkey] = obj[@options.attrkey]
> +@@ -179,7 +179,7 @@
> +           # append current node onto parent's <childKey> array
> +           s[@options.childkey] = s[@options.childkey] or []
> +           # push a clone so that the node in the children array can receive the #name property while the original obj can do without it
> +-          objClone = {}
> ++          objClone = Object.create(null)
> +           for own key of obj
> +             objClone[key] = obj[key]
> +           s[@options.childkey].push objClone
> +@@ -196,7 +196,7 @@
> +         if @options.explicitRoot
> +           # avoid circular references
> +           old = obj
> +-          obj = {}
> ++          obj = Object.create(null)
> +           obj[nodeName] = old
> + 
> +         @resultObject = obj
> +--- a/test/parser.test.coffee
> ++++ b/test/parser.test.coffee
> +@@ -531,13 +531,13 @@
> + 
> +   'test single attrNameProcessors': skeleton(attrNameProcessors: [nameToUpperCase], (r)->
> +     console.log 'Result object: ' + util.inspect r, false, 10
> +-    equ r.sample.attrNameProcessTest[0].$.hasOwnProperty('CAMELCASEATTR'), true
> +-    equ r.sample.attrNameProcessTest[0].$.hasOwnProperty('LOWERCASEATTR'), true)
> ++    equ {}.hasOwnProperty.call(r.sample.attrNameProcessTest[0].$, 'CAMELCASEATTR'), true
> ++    equ {}.hasOwnProperty.call(r.sample.attrNameProcessTest[0].$, 'LOWERCASEATTR'), true)
> + 
> +   'test multiple attrNameProcessors': skeleton(attrNameProcessors: [nameToUpperCase, nameCutoff], (r)->
> +     console.log 'Result object: ' + util.inspect r, false, 10
> +-    equ r.sample.attrNameProcessTest[0].$.hasOwnProperty('CAME'), true
> +-    equ r.sample.attrNameProcessTest[0].$.hasOwnProperty('LOWE'), true)
> ++    equ {}.hasOwnProperty.call(r.sample.attrNameProcessTest[0].$, 'CAME'), true
> ++    equ {}.hasOwnProperty.call(r.sample.attrNameProcessTest[0].$, 'LOWE'), true)
> + 
> +   'test single attrValueProcessors': skeleton(attrValueProcessors: [nameToUpperCase], (r)->
> +     console.log 'Result object: ' + util.inspect r, false, 10
> +@@ -559,21 +559,21 @@
> + 
> +   'test single tagNameProcessors': skeleton(tagNameProcessors: [nameToUpperCase], (r)->
> +     console.log 'Result object: ' + util.inspect r, false, 10
> +-    equ r.hasOwnProperty('SAMPLE'), true
> +-    equ r.SAMPLE.hasOwnProperty('TAGNAMEPROCESSTEST'), true)
> ++    equ {}.hasOwnProperty.call(r, 'SAMPLE'), true
> ++    equ {}.hasOwnProperty.call(r.SAMPLE, 'TAGNAMEPROCESSTEST'), true)
> + 
> +   'test single tagNameProcessors in simple callback': (test) ->
> +     fs.readFile fileName, (err, data) ->
> +       xml2js.parseString data, tagNameProcessors: [nameToUpperCase], (err, r)->
> +         console.log 'Result object: ' + util.inspect r, false, 10
> +-        equ r.hasOwnProperty('SAMPLE'), true
> +-        equ r.SAMPLE.hasOwnProperty('TAGNAMEPROCESSTEST'), true
> ++        equ {}.hasOwnProperty.call(r, 'SAMPLE'), true
> ++        equ {}.hasOwnProperty.call(r.SAMPLE, 'TAGNAMEPROCESSTEST'), true
> +         test.finish()
> + 
> +   'test multiple tagNameProcessors': skeleton(tagNameProcessors: [nameToUpperCase, nameCutoff], (r)->
> +     console.log 'Result object: ' + util.inspect r, false, 10
> +-    equ r.hasOwnProperty('SAMP'), true
> +-    equ r.SAMP.hasOwnProperty('TAGN'), true)
> ++    equ {}.hasOwnProperty.call(r, 'SAMP'), true
> ++    equ {}.hasOwnProperty.call(r.SAMP, 'TAGN'), true)
> + 
> +   'test attrValueProcessors key param': skeleton(attrValueProcessors: [replaceValueByName], (r)->
> +     console.log 'Result object: ' + util.inspect r, false, 10
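Review bot: Creating every parsed object with Object.create(null) (the four src/parser.coffee hunks) also removes Object.prototype from the result tree, so consumers that call methods such as r.hasOwnProperty(...) directly on parsed objects will now throw; the test/parser.test.coffee hunks in this same patch had to be rewritten from `r.hasOwnProperty('SAMPLE')` to `{}.hasOwnProperty.call(r, 'SAMPLE')` for exactly that reason, and this is the likely cause of the node-node-rest-client autopkgtest regression listed above. Reverse dependencies should be checked for such calls before the unblock, and the changelog entry should mention this behaviour change rather than only "Add patch to prevent prototype pollution".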
> diff --git a/debian/patches/series b/debian/patches/series
> index 2840ff2..c9bf5bb 100644
> --- a/debian/patches/series
> +++ b/debian/patches/series
> @@ -1,2 +1,3 @@
>  fix-for-coffeescript-2.patch
>  drop-test-not-compatible-with-coffe-2.patch
> +CVE-2023-0842.patch


-- 
Sebastian Ramacher
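The effect of the CVE-2023-0842 fix quoted above, and the hasOwnProperty test rewrites it forced, shown with an added example that is not code from the bug report or from node-xml2js; buildResult is a hypothetical stand-in for the parser's obj[nodeName] = child assignment and ENTRIES is constructed input.

```javascript
// Added example (not from the bug report or from node-xml2js): mimics how a
// parser fills a result object from element names, comparing a plain `{}`
// (pre-patch) with `Object.create(null)` (the CVE-2023-0842 patch).

// Hypothetical stand-in for the parser's obj[nodeName] = child assignment.
// `factory` is the object constructor under test.
function buildResult(factory, entries) {
  const obj = factory();
  for (const [name, value] of entries) {
    obj[name] = value;
  }
  return obj;
}

// Constructed input: a child element whose tag name happens to be "__proto__".
const ENTRIES = [
  ["title", "hello"],
  ["__proto__", { polluted: "yes" }],
];

// Plain object: "__proto__" resolves to the inherited setter on
// Object.prototype, so the assignment replaces the object's prototype
// instead of adding an own property, and the child's keys become
// visible through inheritance.
function plainObjectReport() {
  const r = buildResult(() => ({}), ENTRIES);
  return {
    hasOwnProto: Object.prototype.hasOwnProperty.call(r, "__proto__"), // false
    inherited: r.polluted,                                             // "yes"
    canCallHasOwnProperty: typeof r.hasOwnProperty === "function",     // true
  };
}

// Null-prototype object: there is no inherited setter, so "__proto__" is
// stored as an ordinary own key. The price is that Object.prototype methods
// such as hasOwnProperty are gone, which is why the patch rewrote the tests
// to {}.hasOwnProperty.call(r, ...) and why callers relying on
// r.hasOwnProperty(...) break.
function nullProtoReport() {
  const r = buildResult(() => Object.create(null), ENTRIES);
  return {
    hasOwnProto: Object.prototype.hasOwnProperty.call(r, "__proto__"), // true
    inherited: r.polluted,                                             // undefined
    canCallHasOwnProperty: typeof r.hasOwnProperty === "function",     // false
  };
}
```

Running both reports side by side is the check a reverse dependency can use to confirm whether its own code calls methods on parsed objects that the null-prototype result no longer provides.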