
Bug#1102478: marked as done (bookworm-pu: package node-serialize-javascript/6.0.0-2+deb12u1)



Your message dated Sat, 17 May 2025 09:37:58 +0000
with message-id <E1uGDzS-005KIG-5a@coccia.debian.org>
and subject line Close 1102478
has caused the Debian Bug report #1102478,
regarding bookworm-pu: package node-serialize-javascript/6.0.0-2+deb12u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1102478: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1102478
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: node-serialize-javascript@packages.debian.org, yadd@debian.org
Control: affects -1 + src:node-serialize-javascript
User: release.debian.org@packages.debian.org
Usertags: pu

[ Reason ]
A flaw was found in npm-serialize-javascript. The vulnerability occurs
because the serialize-javascript module does not properly sanitize
certain inputs, such as regex or other JavaScript object types, allowing
an attacker to inject malicious code. This code could be executed when
deserialized by a web browser, causing Cross-site scripting (XSS) attacks.
This issue is critical in environments where serialized data is sent to web
clients, potentially compromising the security of the website or web
application using this package (#1095767, CVE-2024-11831).

[ Impact ]
Medium security issue

[ Tests ]
Patch contains new tests.

[ Risks ]
Low risk, patch is trivial

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

[ Changes ]
Better check of remote parameters

Cheers,
Xavier
diff --git a/debian/changelog b/debian/changelog
index c0b369d..2a488d8 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+node-serialize-javascript (6.0.0-2+deb12u1) bookworm; urgency=medium
+
+  * Team upload
+  * Serialize URL string contents to prevent XSS
+    (Closes: #1095767, CVE-2024-11831)
+
+ -- Yadd <yadd@debian.org>  Wed, 09 Apr 2025 13:54:59 +0200
+
 node-serialize-javascript (6.0.0-2) unstable; urgency=medium
 
   [ Debian Janitor ]
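Review bot: the changelog entry names the Debian bug and the CVE but not that the change is a backport of the upstream fix (the patch header below records Applied-Upstream: 6.0.2, commit f27d65d3); adding "backport of upstream 6.0.2" to the bullet makes later triage of the deb12u1 revision easier.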
diff --git a/debian/patches/CVE-2024-11831.patch b/debian/patches/CVE-2024-11831.patch
new file mode 100644
index 0000000..481529f
--- /dev/null
+++ b/debian/patches/CVE-2024-11831.patch
@@ -0,0 +1,43 @@
+Description: serialize URL string contents to prevent XSS
+Author: Ryan Delaney <ryan@reverecre.com>
+Origin: upstream, https://github.com/yahoo/serialize-javascript/commit/f27d65d3
+Bug: https://github.com/yahoo/serialize-javascript/pull/173
+Bug-Debian: https://bugs.debian.org/1095767
+Forwarded: not-needed
+Applied-Upstream: 6.0.2, commit:f27d65d3
+Reviewed-By: Yadd <yadd@debian.org>
+Last-Update: 2025-04-09
+
+--- a/index.js
++++ b/index.js
+@@ -258,7 +258,7 @@
+         }
+ 
+         if (type === 'L') {
+-            return "new URL(\"" + urls[valueIndex].toString() + "\")"; 
++            return "new URL(" + serialize(urls[valueIndex].toString(), options) + ")";
+         }
+ 
+         var fn = functions[valueIndex];
+--- a/test/unit/serialize.js
++++ b/test/unit/serialize.js
+@@ -455,8 +455,8 @@
+     describe('URL', function () {
+         it('should serialize URL', function () {
+             var u = new URL('https://x.com/')
+-            expect(serialize(u)).to.equal('new URL("https://x.com/";)');
+-            expect(serialize({t: [u]})).to.be.a('string').equal('{"t":[new URL("https://x.com/";)]}');
++            expect(serialize(u)).to.equal('new URL("https:\\u002F\\u002Fx.com\\u002F")');
++            expect(serialize({t: [u]})).to.be.a('string').equal('{"t":[new URL("https:\\u002F\\u002Fx.com\\u002F")]}');
+         });
+ 
+         it('should deserialize URL', function () {
+@@ -471,6 +471,8 @@
+             expect(serialize('</script>')).to.equal('"\\u003C\\u002Fscript\\u003E"');
+             expect(JSON.parse(serialize('</script>'))).to.equal('</script>');
+             expect(eval(serialize('</script>'))).to.equal('</script>');
++            expect(serialize(new URL('x:</script>'))).to.equal('new URL("x:\\u003C\\u002Fscript\\u003E")');
++            expect(eval(serialize(new URL('x:</script>'))).href).to.equal('x:</script>');
+         });
+     });
+ 
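Review bot: the removed lines of test/unit/serialize.js read `new URL("https://x.com/";)` with a `;` after the URL that no plausible expected value would contain; this looks like URL auto-linking by the mail path rather than the real test text, so confirm that the patch in the upload applies cleanly (quilt push) against the unmodified test file. Secondarily, the index.js hunk routes only the 'L' (URL) branch through serialize(), while the [ Reason ] text also names regex as an unsanitized input; confirm the regex branch is already covered by the existing escaping or note that it is out of scope for this CVE.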
diff --git a/debian/patches/series b/debian/patches/series
index dc84184..d36ddb9 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1 +1,2 @@
 2001_privacy.patch
+CVE-2024-11831.patch

--- End Message ---
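The [ Reason ] paragraph above describes the defect in general terms; the added example below (not code from the Debian package or from upstream serialize-javascript) shows it on a concrete value. It re-implements, as an assumption about upstream's behaviour, the \uXXXX escaping that serialize-javascript applies to string output, places the pre-fix and post-fix URL serialization side by side, and includes a small check a reviewer can run over serialized output. All function and constant names are this example's own.

```javascript
// Added example, not code from the Debian package or upstream serialize-javascript.
// It re-implements the escaping serialize-javascript applies to string output and
// contrasts the URL serialization before and after the CVE-2024-11831 patch.

// serialize-javascript escapes these characters in its JSON output so the result
// can be embedded in a <script> block without terminating it. This table is an
// assumption modelled on upstream's escaping, reproduced here for the example.
const UNSAFE_CHARS_REGEXP = /[<>\/\u2028\u2029]/g;
const ESCAPED_CHARS = {
  '<': '\\u003C',
  '>': '\\u003E',
  '/': '\\u002F',
  '\u2028': '\\u2028',
  '\u2029': '\\u2029',
};

// Minimal stand-in for serialize() applied to a plain string: JSON-quote it, then
// replace the unsafe characters with their \uXXXX escapes.
function serializeString(str) {
  return JSON.stringify(str).replace(UNSAFE_CHARS_REGEXP, (c) => ESCAPED_CHARS[c]);
}

// Pre-fix behaviour (the '-' line of the index.js hunk): the URL's text is
// concatenated into the output verbatim, so its characters are never escaped.
function serializeUrlVulnerable(url) {
  return 'new URL("' + url.toString() + '")';
}

// Post-fix behaviour (the '+' line of the index.js hunk): the URL's text goes
// through the string serializer and receives the same escaping as any other string.
function serializeUrlFixed(url) {
  return 'new URL(' + serializeString(url.toString()) + ')';
}

// Review check: does serialized output contain a literal sequence that would close
// an enclosing <script> element when the output is inlined into an HTML page?
function containsScriptTerminator(serialized) {
  return /<\/script/i.test(serialized);
}

// Round trip: evaluate the serialized expression the way the receiving page would
// and return the resulting URL's href (same approach as upstream's unit test).
function roundTripHref(serialized) {
  return new Function('return ' + serialized)().href;
}

// Constructed inputs: the benign URL from the package's tests and a URL whose text
// carries a script terminator, both taken from the test cases in the patch above.
const benign = new URL('https://x.com/');
const hostile = new URL('x:</script>');

console.log(serializeUrlVulnerable(hostile)); // new URL("x:</script>")
console.log(serializeUrlFixed(hostile));      // new URL("x:\u003C\u002Fscript\u003E")
console.log(serializeUrlFixed(benign));       // new URL("https:\u002F\u002Fx.com\u002F")
console.log(roundTripHref(serializeUrlFixed(hostile))); // x:</script>
```

The escaped form is still a valid JavaScript string literal, so the deserialized URL is unchanged; only the serialized text that travels inside the page no longer contains the raw `<`, `>` and `/` characters that the HTML parser would act on before the script ever runs.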
--- Begin Message ---
Version: 12.11
This update has been released as part of 12.10. Thank you for your contribution.

--- End Message ---
