Bug#1034665: marked as done (bullseye-pu: package node-xml2js/0.2.8-1+deb11u1)

To: Jonathan Wiltshire <jmw@coccia.debian.org>
Subject: Bug#1034665: marked as done (bullseye-pu: package node-xml2js/0.2.8-1+deb11u1)
From: "Debian Bug Tracking System" <owner@bugs.debian.org>
Date: Sat, 10 Feb 2024 13:06:20 +0000
Message-id: <[🔎] handler.1034665.D1034665.1707570180676616.ackdone@bugs.debian.org>
Reply-to: 1034665@bugs.debian.org
References: <E1rYn0Q-002xoZ-Uk@coccia.debian.org> <168206261473.1440509.10468618033690985377.reportbug@debian007.xnr.fr>

Your message dated Sat, 10 Feb 2024 13:02:54 +0000
with message-id <E1rYn0Q-002xoZ-Uk@coccia.debian.org>
and subject line Released with 11.9
has caused the Debian Bug report #1034665,
regarding bullseye-pu: package node-xml2js/0.2.8-1+deb11u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1034665: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1034665
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems

--- Begin Message ---

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: bullseye-pu: package node-xml2js/0.2.8-1+deb11u1
From: Yadd <yadd@debian.org>
Date: Fri, 21 Apr 2023 11:36:54 +0400
Message-id: <168206261473.1440509.10468618033690985377.reportbug@debian007.xnr.fr>

Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-Cc: node-xml2js@packages.debian.org
Control: affects -1 + src:node-xml2js

[ Reason ]
node-xml2js version 0.4.23 allows an external attacker to edit or add new
properties to an object (#1034148, CVE-2023-0842)

[ Impact ]
Medium security issue

[ Tests ]
Sadly test are not enabled in Bullseye

[ Risks ]
Low risk, patch is trivial

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

[ Changes ]
Replace {} by Object.create(null)

Cheers,
Yadd

diff --git a/debian/changelog b/debian/changelog
index 628f69a..106d13b 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+node-xml2js (0.2.8-1+deb11u1) bullseye; urgency=medium
+
+  * Team upload
+  * Add patch to prevent prototype pollution (Closes: #1034148, CVE-2023-0842)
+
+ -- Yadd <yadd@debian.org>  Fri, 21 Apr 2023 11:33:31 +0400
+
 node-xml2js (0.2.8-1) unstable; urgency=low
 
   * Upstream update
diff --git a/debian/patches/CVE-2023-0842.patch b/debian/patches/CVE-2023-0842.patch
new file mode 100644
index 0000000..cd03e08
--- /dev/null
+++ b/debian/patches/CVE-2023-0842.patch
@@ -0,0 +1,46 @@
+Description: use Object.create(null) to create all parsed objects
+ (prevent prototype replacement)
+Author: James Crosby <james@coggle.it>
+Origin: upstream, commit:581b19a6
+Bug: https://github.com/advisories/GHSA-776f-qx25-q3cc
+Bug-Debian: https://bugs.debian.org/1034148
+Forwarded: not-needed
+Applied-Upstream: 0.5.0, commit:581b19a6
+Reviewed-By: Yadd <yadd@debian.org>
+Last-Update: 2023-04-21
+
+--- a/src/xml2js.coffee
++++ b/src/xml2js.coffee
+@@ -105,12 +105,12 @@
+     charkey = @options.charkey
+ 
+     @saxParser.onopentag = (node) =>
+-      obj = {}
++      obj = Object.create(null)
+       obj[charkey] = ""
+       unless @options.ignoreAttrs
+         for own key of node.attributes
+           if attrkey not of obj and not @options.mergeAttrs
+-            obj[attrkey] = {}
++            obj[attrkey] = Object.create(null)
+           if @options.mergeAttrs
+             obj[key] = node.attributes[key]
+           else
+@@ -158,7 +158,7 @@
+ 
+       # put children into <childkey> property and unfold chars if necessary
+       if @options.explicitChildren and not @options.mergeAttrs and typeof obj is 'object'
+-        node = {}
++        node = Object.create(null)
+         # separate attributes
+         if @options.attrkey of obj
+           node[@options.attrkey] = obj[@options.attrkey]
+@@ -193,7 +193,7 @@
+         if @options.explicitRoot
+           # avoid circular references
+           old = obj
+-          obj = {}
++          obj = Object.create(null)
+           obj[nodeName] = old
+ 
+         @resultObject = obj
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 0000000..6b5589b
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1 @@
+CVE-2023-0842.patch

--- End Message ---

--- Begin Message ---

To: 1034665-done@bugs.debian.org

Subject: Released with 11.9

From: Jonathan Wiltshire <jmw@coccia.debian.org>

Date: Sat, 10 Feb 2024 13:02:54 +0000

Message-id: <E1rYn0Q-002xoZ-Uk@coccia.debian.org>
Version: 11.9

The upload requested in this bug has been released as part of 11.9.
--- End Message ---

Reply to:

Prev by Date: Bug#1025789: marked as done (bullseye-pu: wolfssl/4.6.0+p1-0+deb11u2)
Next by Date: Bug#1025708: marked as done (bullseye-pu: package debootstrap/1.0.123+deb11u2)
Previous by thread: Bug#1025789: marked as done (bullseye-pu: wolfssl/4.6.0+p1-0+deb11u2)
Next by thread: Bug#1025708: marked as done (bullseye-pu: package debootstrap/1.0.123+deb11u2)
Index(es):
- Date
- Thread