Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian....@packages.debian.org
Usertags: pu
X-Debbugs-Cc: pkg-javascript-de...@lists.alioth.debian.org

[ Reason ]
node-set-value is vulnerable to prototype pollution (#994448, CVE-2021-23440)

[ Impact ]
Medium vulnerability

[ Tests ]
New test added, inspired by the PoC

[ Risks ]
No risk, patch itself is trivial

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

[ Changes ]
New check to verify key

Cheers,
Yadd
diff --git a/debian/changelog b/debian/changelog
index a836bdb..1ae7498 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+node-set-value (3.0.1-2+deb11u1) bullseye; urgency=medium
+
+  * Team upload
+  * Fix prototype pollution (Closes: #994448, CVE-2021-23440)
+  * Add test for CVE-2021-23440
+
+ -- Yadd <y...@debian.org>  Thu, 16 Sep 2021 18:17:19 +0200
+
 node-set-value (3.0.1-2) unstable; urgency=medium
 
   * Team upload
diff --git a/debian/patches/CVE-2021-23440.patch 
b/debian/patches/CVE-2021-23440.patch
new file mode 100644
index 0000000..55a96f3
--- /dev/null
+++ b/debian/patches/CVE-2021-23440.patch
@@ -0,0 +1,20 @@
+Description: fix prototype pollution
+ Inspired from https://github.com/jonschlinkert/set-value/pull/33/files
+Author: Yadd <y...@debian.org>
+Bug: https://snyk.io/vuln/SNYK-JS-SETVALUE-1540541
+Bug-Debian: https://bugs.debian.org/994448
+Forwarded: not-needed
+Last-Update: 2021-09-16
+
+--- a/index.js
++++ b/index.js
+@@ -99,6 +99,9 @@
+ }
+ 
+ function isValidKey(key) {
++  if (typeof key !== 'string' && typeof key !== 'number') {
++    key = String(key)
++  }
+   return key !== '__proto__' && key !== 'constructor' && key !== 'prototype';
+ }
+ 
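Review bot: The `String(key)` coercion added to `isValidKey` only changes the function's local copy, so whatever consumes the keys afterwards still receives the original non-primitive value and converts it to a property name a second time. The caller lies outside this hunk, but if it indexes with the un-coerced key, the check and the use are two separate conversions and the guard only holds while both yield the same string. Rejecting keys that are neither string nor number removes that dependency, e.g. `if (typeof key !== 'string' && typeof key !== 'number') return false;`, though whether dropping or throwing is right depends on how the caller treats a rejected key. If the coercion stays, a comment such as `// array-wrapped keys like ['__proto__'] stringify to the bare name` would explain why it is there.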
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 0000000..22df165
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1 @@
+CVE-2021-23440.patch
diff --git a/debian/tests/CVE-2021-23440 b/debian/tests/CVE-2021-23440
new file mode 100755
index 0000000..d756ed2
--- /dev/null
+++ b/debian/tests/CVE-2021-23440
@@ -0,0 +1,3 @@
+if node debian/tests/CVE-2021-23440.js; then
+       exit 1;
+fi
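Review bot: The `if node …; then exit 1; fi` wrapper counts any non-zero exit from node as a pass, so a missing `set-value` module or a syntax error in the script is reported as success just like a fixed library. debian/tests/CVE-2021-23440.js sets no exit status of its own, so the two outcomes appear to be told apart only by whether the script throws. It would be more robust to let the script exit non-zero when pollution is detected and run it uninverted, i.e. `node debian/tests/CVE-2021-23440.js` as the whole test body. The file is added with mode 100755 but has no `#!/bin/sh` line, which is worth adding.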
diff --git a/debian/tests/CVE-2021-23440.js b/debian/tests/CVE-2021-23440.js
new file mode 100644
index 0000000..177f1d3
--- /dev/null
+++ b/debian/tests/CVE-2021-23440.js
@@ -0,0 +1,9 @@
+const set = require("set-value")
+
+// set({}, ['__proto__','polluted'], 'yes');
+// console.log(polluted); // Error: Cannot set unsafe key: "__proto__"
+
+set({}, [['__proto__'],'polluted'], 'yes');
+if(polluted && polluted === 'yes') {
+  console.error('Vulnerable to CVE-2021-23440');
+}
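Review bot: `polluted` in the `if` condition is a bare identifier, so on a fixed library it is presumably undeclared and the line throws ReferenceError instead of evaluating to false. Reading the property explicitly, `if (Object.prototype.polluted === 'yes') {`, states what is being tested and lets the script finish normally when the fix is in place. The vulnerable branch would then need its own status, `process.exit(1)` after the `console.error`, with the inverted `if` in debian/tests/CVE-2021-23440 adjusted to match. Only the array-wrapped `__proto__` key is exercised, while `constructor` and `prototype`, which `isValidKey` also rejects, have no case here.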
diff --git a/debian/tests/control b/debian/tests/control
new file mode 100644
index 0000000..b9d4e6c
--- /dev/null
+++ b/debian/tests/control
@@ -0,0 +1,3 @@
+Tests: CVE-2021-23440
+Depends: @, nodejs
+Restrictions: allow-stderr
