Bug#1034665: bullseye-pu: package node-xml2js/0.2.8-1+deb11u1
Control: tags -1 - moreinfo
On 7/25/23 21:02, Jonathan Wiltshire wrote:
Control: tag -1 moreinfo
On Fri, Apr 21, 2023 at 11:36:54AM +0400, Yadd wrote:
diff --git a/debian/changelog b/debian/changelog
index 628f69a..106d13b 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+node-xml2js (0.2.8-1+deb11u1) bullseye; urgency=medium
+
+ * Team upload
+ * Add patch to prevent prototype pollution (Closes: #1034148, CVE-2023-0842)
+
+ -- Yadd <yadd@debian.org> Fri, 21 Apr 2023 11:33:31 +0400
+
node-xml2js (0.2.8-1) unstable; urgency=low
* Upstream update
bullseye has 0.2.8-1.1, please ensure you base the proposed debdiff off
that. Remove the moreinfo tag when you are ready for further review.
Thanks,
Hi,
Here is the new debdiff.
Best regards,
Yadd
diff --git a/debian/changelog b/debian/changelog
index fa373bf..22806aa 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+node-xml2js (0.2.8-1.1+deb11u1) bullseye; urgency=medium
+
+ * Team upload
+ * Add patch to prevent prototype pollution (Closes: #1034148, CVE-2023-0842)
+
+ -- Yadd <yadd@debian.org> Wed, 26 Jul 2023 08:27:13 +0400
+
node-xml2js (0.2.8-1.1) unstable; urgency=medium
* Non maintainer upload by the Reproducible Builds team.
diff --git a/debian/patches/CVE-2023-0842.patch b/debian/patches/CVE-2023-0842.patch
new file mode 100644
index 0000000..cd03e08
--- /dev/null
+++ b/debian/patches/CVE-2023-0842.patch
@@ -0,0 +1,46 @@
+Description: use Object.create(null) to create all parsed objects
+ (prevent prototype replacement)
+Author: James Crosby <james@coggle.it>
+Origin: upstream, commit:581b19a6
+Bug: https://github.com/advisories/GHSA-776f-qx25-q3cc
+Bug-Debian: https://bugs.debian.org/1034148
+Forwarded: not-needed
+Applied-Upstream: 0.5.0, commit:581b19a6
+Reviewed-By: Yadd <yadd@debian.org>
+Last-Update: 2023-04-21
+
+--- a/src/xml2js.coffee
++++ b/src/xml2js.coffee
+@@ -105,12 +105,12 @@
+ charkey = @options.charkey
+
+ @saxParser.onopentag = (node) =>
+- obj = {}
++ obj = Object.create(null)
+ obj[charkey] = ""
+ unless @options.ignoreAttrs
+ for own key of node.attributes
+ if attrkey not of obj and not @options.mergeAttrs
+- obj[attrkey] = {}
++ obj[attrkey] = Object.create(null)
+ if @options.mergeAttrs
+ obj[key] = node.attributes[key]
+ else
+@@ -158,7 +158,7 @@
+
+ # put children into <childkey> property and unfold chars if necessary
+ if @options.explicitChildren and not @options.mergeAttrs and typeof obj is 'object'
+- node = {}
++ node = Object.create(null)
+ # separate attributes
+ if @options.attrkey of obj
+ node[@options.attrkey] = obj[@options.attrkey]
+@@ -193,7 +193,7 @@
+ if @options.explicitRoot
+ # avoid circular references
+ old = obj
+- obj = {}
++ obj = Object.create(null)
+ obj[nodeName] = old
+
+ @resultObject = obj
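Review bot: The four changed sites (`obj = Object.create(null)` in onopentag, `obj[attrkey] = Object.create(null)`, `node = Object.create(null)` under explicitChildren, and the explicitRoot `obj = Object.create(null)`) now produce objects with no `Object.prototype`, so a consumer that calls `result.hasOwnProperty(k)`, `result.toString()` or `String(result)` on the parse tree gets a `TypeError` where it previously worked; this matches what upstream shipped in 0.5.0 per the `Applied-Upstream` header, but the debian/changelog entry does not mention the behaviour change, and a line such as `* Parsed objects now have a null prototype; code calling hasOwnProperty/toString on them must use Object.prototype.hasOwnProperty.call` would warn stable users. The patch only touches src/xml2js.coffee; if the package installs a pre-generated lib/xml2js.js rather than compiling src/ at build time, the fix would not reach the shipped file, so this should be confirmed against debian/rules, which is not part of this debdiff. A regression test under debian/tests that parses a document whose element name is a prototype key and asserts that `Object.prototype` gained no property would let autopkgtest verify the fix.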
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 0000000..6b5589b
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1 @@
+CVE-2023-0842.patch