Package: release.debian.org Severity: normal Tags: buster User: release.debian....@packages.debian.org Usertags: pu
Hi, node-dot ≤ 1.1.2 is vulnerable to code execution after prototype pollution. I imported the upstream fix and wrote a basic test to verify that the CVE is really fixed. Cheers, Xavier
diff --git a/debian/changelog b/debian/changelog
index 6b07063..9face10 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+node-dot (1.1.1-1+deb10u1) buster; urgency=medium
+
+ * Team upload
+ * Add CVE-2020-8141 test
+ * Prevent code execution after prototype pollution (Closes: CVE-2020-8141)
+
+ -- Xavier Guimard <y...@debian.org> Sat, 21 Mar 2020 09:23:57 +0100
+
 node-dot (1.1.1-1) unstable; urgency=low
 * Initial release (Closes: #862235)
diff --git a/debian/patches/CVE-2020-8141.diff b/debian/patches/CVE-2020-8141.diff
new file mode 100644
index 0000000..f1ceb77
--- /dev/null
+++ b/debian/patches/CVE-2020-8141.diff
@@ -0,0 +1,21 @@
+Description: fix for CVE-2020-8141
+ prevent possibility of execution of the code injected via prototype pollution
+ when undefined is passed to compiled template function
+Author: Evgeny Poberezkin
+Origin: upstream, https://github.com/olado/doT/commit/2cf222683
+Bug: https://github.com/olado/doT/issues/291
+Forwarded: not-needed
+Reviewed-By: Xavier Guimard <y...@debian.org>
+Last-Update: 2020-03-21
+
+--- a/index.js
++++ b/index.js
+@@ -42,7 +42,7 @@
+ if (this.__destination[this.__destination.length-1] !== '/') this.__destination += '/';
+ this.__global = o.global || "window.render";
+ this.__rendermodule = o.rendermodule || {};
+- this.__settings = o.templateSettings ? copy(o.templateSettings, copy(doT.templateSettings)) : undefined;
++ this.__settings = Object.prototype.hasOwnProperty.call(o,"templateSettings") ? copy(o.templateSettings, copy(doT.templateSettings)) : undefined;
+ this.__includes = {};
+ }
+
diff --git a/debian/patches/series b/debian/patches/series
index a2a471b..4216fcb 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1 +1,2 @@
 use-nodejs.patch
+CVE-2020-8141.diff
diff --git a/debian/rules b/debian/rules
index fd7ead0..7af6067 100755
--- a/debian/rules
+++ b/debian/rules
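Review bot: The `Object.prototype.hasOwnProperty.call(o,"templateSettings")` guard on the `++ this.__settings` line closes the one lookup named in the bug, but the two reads just above it in the same nested hunk, `o.global || "window.render"` and `o.rendermodule || {}`, still resolve through the prototype chain, so an inherited `global` or `rendermodule` would be accepted by this constructor just as `templateSettings` was. Whether those values reach generated code is outside the hunk, so this should be confirmed against index.js rather than assumed; if it does, the consistent form is `this.__global = Object.prototype.hasOwnProperty.call(o,"global") ? o.global : "window.render";` and the same for rendermodule, noting that it changes the fallback for an own-but-falsy value. A DEP-3 Description line stating why a truthiness test was insufficient (the property is found on the prototype even when the caller passed nothing) would help the next reader of the patch. The enclosing constructor starts before the nested hunk.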
@@ -11,3 +11,7 @@ override_dh_auto_test:
 mocha -R spec test/*.test.js
+ mkdir node_modules
+ ln -s .. node_modules/dot
+ sh -ex debian/tests/cve-2020-8141
+ rm -rf node_modules
diff --git a/debian/tests/control b/debian/tests/control
index ac27cb1..362b343 100644
--- a/debian/tests/control
+++ b/debian/tests/control
@@ -3,3 +3,6 @@ Depends: node-dot
 Test-Command: mocha -R spec test/*.test.js
 Depends: @, mocha
+
+Tests: cve-2020-8141
+Depends: @, nodejs
diff --git a/debian/tests/cve-2020-8141 b/debian/tests/cve-2020-8141
new file mode 100755
index 0000000..0a0b214
--- /dev/null
+++ b/debian/tests/cve-2020-8141
@@ -0,0 +1,9 @@
+#!/bin/sh
+
+cd debian/tests
+if node ./cve-2020-8141.js | grep 25; then
+ echo "node-dot is vulnerable to CVE 2020-8141"
+ exit 1
+else
+ echo "node-dot seems patched"
+fi
diff --git a/debian/tests/cve-2020-8141.js b/debian/tests/cve-2020-8141.js
new file mode 100644
index 0000000..94f3639
--- /dev/null
+++ b/debian/tests/cve-2020-8141.js
@@ -0,0 +1,3 @@
+var doT = require("dot"); // prototype pollution attack vector
+Object.prototype.templateSettings = {varname:"a,b,c,d,x=console.log(25)"}; // benign looking template compilation + application
+var dots = require("dot").process({path: "./resources"}); dots.mytemplate();
diff --git a/debian/tests/resources/mytemplate.dot b/debian/tests/resources/mytemplate.dot
new file mode 100644
index 0000000..75e06f7
--- /dev/null
+++ b/debian/tests/resources/mytemplate.dot
@@ -0,0 +1 @@
+html <h1>Here is a sample template</h1>
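Review bot: `mkdir node_modules` on the first added line fails on a rebuild if an earlier run left the directory behind, and because a failing `sh -ex debian/tests/cve-2020-8141` aborts the recipe before `rm -rf node_modules` runs, a detected regression is exactly what leaves that directory in the tree. Using `mkdir -p node_modules`, `ln -sfn .. node_modules/dot` and `sh -ex debian/tests/cve-2020-8141 || { rm -rf node_modules; exit 1; }` keeps the target idempotent while still failing the build when the check fails. The override target starts outside the hunk.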
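Review bot: The `if node ./cve-2020-8141.js | grep 25` test only looks at the pipeline's output, so when node cannot run the script at all (module not found, `dots.mytemplate` undefined, a syntax error) nothing is printed, grep fails, and the script prints `node-dot seems patched` and exits 0 — a false pass on the very configuration the test is meant to protect. Capture output and status separately, `out=$(node ./cve-2020-8141.js) || exit 1` followed by `if echo "$out" | grep -qx 25; then`; `-x` also stops an unrelated 25 in whatever the template prints from triggering the vulnerable branch. The script's shebang is plain `#!/bin/sh` with no `-e`, so under autopkgtest (where it is run directly, not via `sh -ex` as in debian/rules) the explicit status check is the only thing that would catch a node failure.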
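Review bot: `var doT = require("dot")` on the first line is never used; the third line requires the module a second time, so either drop the first require or call `doT.process(...)` instead. The return value of `dots.mytemplate()` is discarded, so the script never confirms that the benign rendering path actually ran; writing it out, `process.stdout.write(dots.mytemplate());`, lets the shell harness also assert the expected markup and distinguish "patched" from "broken". A one-line comment noting that the `Object.prototype.templateSettings` assignment is deliberately process-local (the script runs in its own node process and must not be required from anything else) would make the intent clear to the next maintainer.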