Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock
Please unblock package node-deep-extend

Hi all,

node-deep-extend is vulnerable to CVE-2018-3750 [1]. This vulnerability has been tagged as unimportant, however the patch is simple and the package is outdated (VCS fields, bad section, bad copyright years) and upstream tests were not enabled. I fixed this in version 0.4.1-2. Here are the full changes:

  * Add patch to prevent Object prototype pollution (Closes: #926616, CVE-2018-3750)
  * Enable upstream tests using pkg-js-tools
  * Fix VCS fields
  * Fix debian/copyright years
  * Add upstream/metadata
  * Change section to javascript

node-deep-extend has no build reverse dependencies. Reverse dependencies:

  node-rc
  node-registry-url & node-registry-auth-token
  node-package-json
  node-latest-version
  npm
  npm2deb
  node-pre-gyp
  node-sqlite3
  node-mbtiles
  node-tilejson
  node-millstone
  node-zipfile
  node-millstone
  node-mapnik
  node-tilelive-bridge
  node-tilelive-vector
  node-tilelive-mapnik
  node-opencv

Since the patch seems to have no consequences for normal node-deep-extend usage, I think it is low risk to unblock node-deep-extend.

Patch comes from https://github.com/unclechu/node-deep-extend/commit/9423fae877e2ab6b4aecc4db79a0ed63039d4703 (I just took the useful part of it).

Cheers,
Xavier

[1]: https://security-tracker.debian.org/tracker/CVE-2018-3750

unblock node-deep-extend/0.4.1-2

-- System Information:
Debian Release: buster/sid
  APT prefers testing
  APT policy: (600, 'testing'), (50, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.14.0-3-amd64 (SMP w/2 CPU cores)
Kernel taint flags: TAINT_WARN
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE= (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
diff --git a/debian/changelog b/debian/changelog index 5b0e688..e4e0c2e 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,6 +1,18 @@ +node-deep-extend (0.4.1-2) unstable; urgency=medium + + * Team upload + * Add patch to prevent Object prototype pollution + (Closes: #926616, CVE-2018-3750) + * Enable upstream tests using pkg-js-tools + * Fix VCS fields + * Fix debian/copyright years + * Add upstream/metadata + * Change section to javascript + + -- Xavier Guimard <y...@debian.org> Mon, 08 Apr 2019 14:52:06 +0200 + node-deep-extend (0.4.1-1) unstable; urgency=medium - * Initial release + * Initial release -- Thorsten Alteholz <deb...@alteholz.de> Mon, 22 Feb 2016 18:16:21 +0100 - diff --git a/debian/control b/debian/control index 72892ea..4db1cb8 100644 --- a/debian/control +++ b/debian/control @@ -1,22 +1,24 @@ Source: node-deep-extend -Section: web -Priority: optional Maintainer: Debian Javascript Maintainers <pkg-javascript-de...@lists.alioth.debian.org> Uploaders: Thorsten Alteholz <deb...@alteholz.de> -Build-Depends: - debhelper (>= 9) - , dh-buildinfo - , nodejs -Standards-Version: 3.9.7 +Section: javascript +Testsuite: autopkgtest-pkg-nodejs +Priority: optional +Build-Depends: debhelper (>= 9), + dh-buildinfo, + mocha, + nodejs, + node-should, + pkg-js-tools +Standards-Version: 4.3.0 +Vcs-Browser: https://salsa.debian.org/js-team/node-deep-extend +Vcs-Git: https://salsa.debian.org/js-team/node-deep-extend.git Homepage: https://github.com/unclechu/node-deep-extend -Vcs-Git: https://anonscm.debian.org/git/pkg-javascript/node-deep-extend.git -Vcs-Browser: https://anonscm.debian.org/gitweb/?p=pkg-javascript/node-deep-extend.git Package: node-deep-extend Architecture: all -Depends: - ${misc:Depends} - , nodejs +Depends: ${misc:Depends}, + nodejs Description: Recursive object extending This module does a recursive object extending. . diff --git a/debian/copyright b/debian/copyright index 28c1d90..a1f8541 100644 --- a/debian/copyright +++ b/debian/copyright 
@@ -1,14 +1,14 @@ -Format: http://www.debian.org/doc/packaging-manuals/copyright-format/1.0/ +Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/ Upstream-Name: deep-extend Upstream-Contact: https://github.com/unclechu/node-deep-extend/issues Source: https://github.com/unclechu/node-deep-extend Files: * -Copyright: 2016 Viacheslav Lotsmanov <lotsmano...@gmail.com> +Copyright: 2013-2015, Viacheslav Lotsmanov <lotsmano...@gmail.com> License: Expat Files: debian/* -Copyright: 2016 Thorsten Alteholz <deb...@alteholz.de> +Copyright: 2016, Thorsten Alteholz <deb...@alteholz.de> License: Expat License: Expat @@ -31,4 +31,3 @@ License: Expat ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. - diff --git a/debian/patches/cve-2018-3750.diff b/debian/patches/cve-2018-3750.diff new file mode 100644 index 0000000..429af12 --- /dev/null +++ b/debian/patches/cve-2018-3750.diff @@ -0,0 +1,29 @@ +Description: Fix for CVE-2018-3750 +Author: Xavier Guimard <y...@debian.org> +Origin: https://github.com/unclechu/node-deep-extend/commit/9423fae877e2ab6b4aecc4db79a0ed63039d4703 +Bug: https://security-tracker.debian.org/tracker/CVE-2018-3750 +Bug-Debian: https://bugs.debian.org/926616 +Forwarded: https://github.com/unclechu/node-deep-extend/commit/9423fae877e2ab6b4aecc4db79a0ed63039d4703 +Last-Update: 2019-04-08 + +--- a/lib/deep-extend.js ++++ b/lib/deep-extend.js +@@ -102,8 +102,8 @@ + } + + Object.keys(obj).forEach(function (key) { +- src = target[key]; // source value +- val = obj[key]; // new value ++ src = safeGetProperty(target, key); // source value ++ val = safeGetProperty(obj, key); // new value + + // recursion prevention + if (val === target) { +@@ -142,3 +142,7 @@ + + return target; + } ++ ++function safeGetProperty(object, property) { ++ return property === '__proto__' ? undefined : object[property]; ++} 
diff --git a/debian/patches/series b/debian/patches/series new file mode 100644 index 0000000..4b4ad1b --- /dev/null +++ b/debian/patches/series @@ -0,0 +1 @@ +cve-2018-3750.diff diff --git a/debian/rules b/debian/rules index de57af0..20809a4 100755 --- a/debian/rules +++ b/debian/rules @@ -5,11 +5,4 @@ #export DH_VERBOSE=1 %: - dh $@ - -#override_dh_auto_build: - -#override_dh_auto_test: - - - + dh $@ --with nodejs diff --git a/debian/tests/control b/debian/tests/control deleted file mode 100644 index 2cdc011..0000000 --- a/debian/tests/control +++ /dev/null @@ -1,2 +0,0 @@ -Tests: require -Depends: node-deep-extend diff --git a/debian/tests/pkg-js/test b/debian/tests/pkg-js/test new file mode 100644 index 0000000..91500a6 --- /dev/null +++ b/debian/tests/pkg-js/test @@ -0,0 +1 @@ +mocha --timeout 10000 diff --git a/debian/tests/require b/debian/tests/require deleted file mode 100644 index 3711396..0000000 --- a/debian/tests/require +++ /dev/null @@ -1,3 +0,0 @@ -#!/bin/sh -set -e -nodejs -e "require('deep-extend');" diff --git a/debian/upstream/metadata b/debian/upstream/metadata new file mode 100644 index 0000000..4be43f6 --- /dev/null +++ b/debian/upstream/metadata @@ -0,0 +1,7 @@ +--- +Archive: GitHub +Bug-Database: https://github.com/unclechu/node-deep-extend/issues +Contact: https://github.com/unclechu/node-deep-extend/issues +Name: node-deep-extend +Repository: https://github.com/unclechu/node-deep-extend.git +Repository-Browse: https://github.com/unclechu/node-deep-extend
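Review bot: the guard added in the lib/deep-extend.js hunk of debian/patches/cve-2018-3750.diff, `return property === '__proto__' ? undefined : object[property];`, only filters the literal key `__proto__`; a key named `constructor` (whose `prototype` property is again Object.prototype) is still read through `object[property]` and recursed into by the same forEach loop, so the merge can still reach the shared prototype by that route. Consider extending the comparison to skip `constructor` and `prototype` as well, and since `safeGetProperty` is called for both `src` and `val`, the same three-key check would then cover both the target and the source side of the merge.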
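Review bot: the debian/tests hunks replace the require-only smoke test (`nodejs -e "require('deep-extend');"`) with `mocha --timeout 10000` run by pkg-js-tools, which is an improvement, but the CVE patch touches only lib/deep-extend.js and adds no test of its own, so nothing in the enabled upstream suite exercises `safeGetProperty`. Add a small regression test to the mocha suite that extends a plain object with a `__proto__` key and then asserts that `({}).polluted === undefined`, so the autopkgtest actually catches a future regression of this fix.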