Package: release.debian.org Severity: normal Tags: buster User: release.debian....@packages.debian.org Usertags: pu
Hi all, node-mixin-deep is vulnerable to prototype pollution (#932500, CVE-2019-10746). Here is a proposed update. Cheers, Xavier
diff --git a/debian/changelog b/debian/changelog
index 17cb287..74f9154 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+node-mixin-deep (1.1.3-3+deb10u1) buster; urgency=medium
+
+ * Fix prototype pollution (Closes: #932500, CVE-2019-10746)
+
+ -- Xavier Guimard <y...@debian.org> Sat, 20 Jul 2019 17:41:17 +0200
+
 node-mixin-deep (1.1.3-3) unstable; urgency=medium
 
 * Team upload
diff --git a/debian/patches/CVE-2019-10746.diff b/debian/patches/CVE-2019-10746.diff
new file mode 100644
index 0000000..cc4b58a
--- /dev/null
+++ b/debian/patches/CVE-2019-10746.diff
@@ -0,0 +1,41 @@
+Description: Fix for CVE-2019-10746 (prototype pollution)
+Author: Jon Schlinkert (https://github.com/jonschlinkert)
+Origin: upstream, https://github.com/jonschlinkert/mixin-deep/commit/90ee1fab
+Bug: https://snyk.io/vuln/SNYK-JS-MIXINDEEP-450212
+Bug-Debian: https://bugs.debian.org/932500
+Forwarded: not-needed
+Reviewed-By: Xavier Guimard <y...@debian.org>
+Last-Update: 2019-07-20
+
+--- a/index.js
++++ b/index.js
+@@ -23,10 +23,9 @@
+ */
+
+ function copy(val, key) {
+- if (key === '__proto__') {
++ if (!isValidKey(key)) {
+ return;
+ }
+-
+ var obj = this[key];
+ if (isObject(val) && isObject(obj)) {
+ mixinDeep(obj, val);
+@@ -47,6 +46,17 @@
+ }
+
+ /**
++ * Returns true if `key` is a valid key to use when extending objects.
++ *
++ * @param {String} `key`
++ * @return {Boolean}
++ */
++
++function isValidKey(key) {
++ return key !== '__proto__' && key !== 'constructor' && key !== 'prototype';
++};
++
++/**
+ * Expose `mixinDeep`
+ */
+
diff --git a/debian/patches/series b/debian/patches/series
index 9b10403..da1c174 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1 +1,2 @@
 CVE-2018-3719.diff
+CVE-2019-10746.diff
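Review bot: The new `isValidKey` guard in `copy` is a denylist of three property names, so `var obj = this[key]` still resolves through the target's prototype chain for any other inherited key and the following `mixinDeep(obj, val)` recurses into whatever shared object it finds there. A defense-in-depth check that only recurses into own properties closes that whole class regardless of the key's name: `if (isObject(val) && isObject(obj) && Object.prototype.hasOwnProperty.call(this, key)) {`. The else branch of that `if` and the rest of `copy` lie outside the hunk, so confirm it assigns a fresh value to `this[key]` rather than recursing before relying on this. As a point of style, the `};` closing `isValidKey` leaves a stray empty statement after a function declaration; it should be a plain `}`.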