Your message dated Mon, 08 Apr 2019 14:33:51 +0000
with message-id <[email protected]>
and subject line unblock node-deep-extend
has caused the Debian Bug report #926650,
regarding unblock: node-deep-extend/0.4.1-2
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
926650: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=926650
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: [email protected]
Usertags: unblock
Please unblock package node-deep-extend
Hi all,
node-deep-extend is vulnerable to CVE-2018-3750 [1]. This vulnerability
has been tagged as unimportant; however, the patch is simple and the package is
outdated (VCS fields, bad section, bad copyright years) and upstream tests
were not enabled. I fixed this in version 0.4.1-2. Here are the full changes:
* Add patch to prevent Object prototype pollution
(Closes: #926616, CVE-2018-3750)
* Enable upstream tests using pkg-js-tools
* Fix VCS fields
* Fix debian/copyright years
* Add upstream/metadata
* Change section to javascript
node-deep-extend has no build reverse dependencies.
Reverse dependencies:
node-rc
node-registry-url & node-registry-auth-token
node-package-json
node-latest-version
npm
npm2deb
node-pre-gyp
node-sqlite3
node-mbtiles
node-tilejson
node-millstone
node-zipfile
node-millstone
node-mapnik
node-tilelive-bridge
node-tilelive-vector
node-tilelive-mapnik
node-opencv
Since the patch seems to have no consequences on normal node-deep-extend
usage, I think it is low risk to unblock node-deep-extend.
The patch comes from
https://github.com/unclechu/node-deep-extend/commit/9423fae877e2ab6b4aecc4db79a0ed63039d4703
(I just took the useful part of it).
Cheers,
Xavier
[1]: https://security-tracker.debian.org/tracker/CVE-2018-3750
unblock node-deep-extend/0.4.1-2
-- System Information:
Debian Release: buster/sid
APT prefers testing
APT policy: (600, 'testing'), (50, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.14.0-3-amd64 (SMP w/2 CPU cores)
Kernel taint flags: TAINT_WARN
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE=
(charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
diff --git a/debian/changelog b/debian/changelog
index 5b0e688..e4e0c2e 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,6 +1,18 @@
+node-deep-extend (0.4.1-2) unstable; urgency=medium
+
+ * Team upload
+ * Add patch to prevent Object prototype pollution
+ (Closes: #926616, CVE-2018-3750)
+ * Enable upstream tests using pkg-js-tools
+ * Fix VCS fields
+ * Fix debian/copyright years
+ * Add upstream/metadata
+ * Change section to javascript
+
+ -- Xavier Guimard <[email protected]> Mon, 08 Apr 2019 14:52:06 +0200
+
node-deep-extend (0.4.1-1) unstable; urgency=medium
- * Initial release
+ * Initial release
-- Thorsten Alteholz <[email protected]> Mon, 22 Feb 2016 18:16:21 +0100
-
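Review bot: the released 0.4.1-1 entry is rewritten for whitespace only (` * Initial release` is removed and re-added with different indentation, and the trailing blank line at the end of the file goes); for a freeze unblock the old stanza should stay byte-identical so the debdiff shows nothing but the new 0.4.1-2 entry.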
diff --git a/debian/control b/debian/control
index 72892ea..4db1cb8 100644
--- a/debian/control
+++ b/debian/control
@@ -1,22 +1,24 @@
Source: node-deep-extend
-Section: web
-Priority: optional
Maintainer: Debian Javascript Maintainers
<[email protected]>
Uploaders: Thorsten Alteholz <[email protected]>
-Build-Depends:
- debhelper (>= 9)
- , dh-buildinfo
- , nodejs
-Standards-Version: 3.9.7
+Section: javascript
+Testsuite: autopkgtest-pkg-nodejs
+Priority: optional
+Build-Depends: debhelper (>= 9),
+ dh-buildinfo,
+ mocha,
+ nodejs,
+ node-should,
+ pkg-js-tools
+Standards-Version: 4.3.0
+Vcs-Browser: https://salsa.debian.org/js-team/node-deep-extend
+Vcs-Git: https://salsa.debian.org/js-team/node-deep-extend.git
Homepage: https://github.com/unclechu/node-deep-extend
-Vcs-Git: https://anonscm.debian.org/git/pkg-javascript/node-deep-extend.git
-Vcs-Browser:
https://anonscm.debian.org/gitweb/?p=pkg-javascript/node-deep-extend.git
Package: node-deep-extend
Architecture: all
-Depends:
- ${misc:Depends}
- , nodejs
+Depends: ${misc:Depends},
+ nodejs
Description: Recursive object extending
This module does a recursive object extending.
.
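Review bot: `Priority: optional` is removed and re-added unchanged and the Build-Depends and Depends blocks are reflowed, which pads the debdiff with churn unrelated to the CVE fix; keep those lines where they were and add only `Section: javascript`, `Testsuite: autopkgtest-pkg-nodejs`, the new test dependencies (mocha, node-should, pkg-js-tools), the Standards-Version bump and the salsa Vcs-* fields. The Standards-Version jump from 3.9.7 to 4.3.0 comes with no change to `debhelper (>= 9)` in this hunk, which is fine if debian/compat is untouched, but the changelog should say the bump needed no other changes.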
diff --git a/debian/copyright b/debian/copyright
index 28c1d90..a1f8541 100644
--- a/debian/copyright
+++ b/debian/copyright
@@ -1,14 +1,14 @@
-Format: http://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
+Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
Upstream-Name: deep-extend
Upstream-Contact: https://github.com/unclechu/node-deep-extend/issues
Source: https://github.com/unclechu/node-deep-extend
Files: *
-Copyright: 2016 Viacheslav Lotsmanov <[email protected]>
+Copyright: 2013-2015, Viacheslav Lotsmanov <[email protected]>
License: Expat
Files: debian/*
-Copyright: 2016 Thorsten Alteholz <[email protected]>
+Copyright: 2016, Thorsten Alteholz <[email protected]>
License: Expat
License: Expat
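Review bot: the upstream `Copyright:` line changes from 2016 to `2013-2015` while the changelog only says `Fix debian/copyright years`; confirm the range against the years upstream states in its own LICENSE file, since nothing in the hunk shows where 2013-2015 comes from. The `Format:` switch to the https URL is the canonical DEP-5 form and is fine.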
@@ -31,4 +31,3 @@ License: Expat
ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.
-
diff --git a/debian/patches/cve-2018-3750.diff
b/debian/patches/cve-2018-3750.diff
new file mode 100644
index 0000000..429af12
--- /dev/null
+++ b/debian/patches/cve-2018-3750.diff
@@ -0,0 +1,29 @@
+Description: Fix for CVE-2018-3750
+Author: Xavier Guimard <[email protected]>
+Origin:
https://github.com/unclechu/node-deep-extend/commit/9423fae877e2ab6b4aecc4db79a0ed63039d4703
+Bug: https://security-tracker.debian.org/tracker/CVE-2018-3750
+Bug-Debian: https://bugs.debian.org/926616
+Forwarded:
https://github.com/unclechu/node-deep-extend/commit/9423fae877e2ab6b4aecc4db79a0ed63039d4703
+Last-Update: 2019-04-08
+
+--- a/lib/deep-extend.js
++++ b/lib/deep-extend.js
+@@ -102,8 +102,8 @@
+ }
+
+ Object.keys(obj).forEach(function (key) {
+- src = target[key]; // source value
+- val = obj[key]; // new value
++ src = safeGetProperty(target, key); // source value
++ val = safeGetProperty(obj, key); // new value
+
+ // recursion prevention
+ if (val === target) {
+@@ -142,3 +142,7 @@
+
+ return target;
+ }
++
++function safeGetProperty(object, property) {
++ return property === '__proto__' ? undefined : object[property];
++}
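Review bot: `safeGetProperty()` neutralises only the property named `__proto__`, and it does so by returning `undefined` for both `src` and `val`, so the unchanged code below still goes on to execute `target[key] = val`, i.e. `target['__proto__'] = undefined`, and the fix relies on the inherited `__proto__` setter ignoring non-object values; skipping the key outright (returning from the forEach callback when `key === '__proto__'`) is easier to reason about and also covers targets created with `Object.create(null)`, where the assignment would otherwise create an own `__proto__` property. The DEP-3 header lists `Author:` as the Debian maintainer while `Origin:` and `Forwarded:` both point at the upstream commit; since the change already exists upstream, `Forwarded: not-needed` is the conventional value.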
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 0000000..4b4ad1b
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1 @@
+cve-2018-3750.diff
diff --git a/debian/rules b/debian/rules
index de57af0..20809a4 100755
--- a/debian/rules
+++ b/debian/rules
@@ -5,11 +5,4 @@
#export DH_VERBOSE=1
%:
- dh $@
-
-#override_dh_auto_build:
-
-#override_dh_auto_test:
-
-
-
+ dh $@ --with nodejs
diff --git a/debian/tests/control b/debian/tests/control
deleted file mode 100644
index 2cdc011..0000000
--- a/debian/tests/control
+++ /dev/null
@@ -1,2 +0,0 @@
-Tests: require
-Depends: node-deep-extend
diff --git a/debian/tests/pkg-js/test b/debian/tests/pkg-js/test
new file mode 100644
index 0000000..91500a6
--- /dev/null
+++ b/debian/tests/pkg-js/test
@@ -0,0 +1 @@
+mocha --timeout 10000
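Review bot: `mocha --timeout 10000` runs whatever tests ship in the 0.4.1 tarball, but the Debian patch only carries the lib/deep-extend.js part of the upstream commit (the submitter says only the useful part was taken), so nothing here exercises the `__proto__` case; add a small mocha test asserting that merging a parsed `{"__proto__": {...}}` document leaves `Object.prototype` untouched, so the newly enabled autopkgtest actually guards the CVE fix.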
diff --git a/debian/tests/require b/debian/tests/require
deleted file mode 100644
index 3711396..0000000
--- a/debian/tests/require
+++ /dev/null
@@ -1,3 +0,0 @@
-#!/bin/sh
-set -e
-nodejs -e "require('deep-extend');"
diff --git a/debian/upstream/metadata b/debian/upstream/metadata
new file mode 100644
index 0000000..4be43f6
--- /dev/null
+++ b/debian/upstream/metadata
@@ -0,0 +1,7 @@
+---
+Archive: GitHub
+Bug-Database: https://github.com/unclechu/node-deep-extend/issues
+Contact: https://github.com/unclechu/node-deep-extend/issues
+Name: node-deep-extend
+Repository: https://github.com/unclechu/node-deep-extend.git
+Repository-Browse: https://github.com/unclechu/node-deep-extend
--- End Message ---
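Added example, not deep-extend's or Debian's code: a minimal recursive merge in the shape of the deep-extend loop, switchable between the pre-patch raw property reads and the `safeGetProperty()` guard the patch adds, so the pollution behind CVE-2018-3750 and its fix can be checked by a regression test. The names `deepExtend`, `mergePollutes`, `mergeNormal` and the sample JSON are constructed here.

```javascript
// Added example (not lib/deep-extend.js itself): a minimal recursive merge with
// the same loop shape as deep-extend, switchable between the pre-patch raw
// property reads and the patched safeGetProperty() guard.
function safeGetProperty(object, property) {
  return property === '__proto__' ? undefined : object[property]; // as in the patch
}

function isPlainObject(v) {
  return v !== null && typeof v === 'object' && !Array.isArray(v);
}

// guarded=false reproduces the vulnerable read pattern, guarded=true the fix.
function deepExtend(target, obj, guarded) {
  Object.keys(obj).forEach(function (key) {
    var src = guarded ? safeGetProperty(target, key) : target[key];
    var val = guarded ? safeGetProperty(obj, key) : obj[key];
    if (val === target) return;            // recursion prevention
    if (!isPlainObject(val)) {
      target[key] = val;                    // primitives, arrays, undefined
    } else if (!isPlainObject(src)) {
      target[key] = deepExtend({}, val, guarded);
    } else {
      target[key] = deepExtend(src, val, guarded); // descends into src
    }
  });
  return target;
}

// Constructed sample input: JSON.parse() turns "__proto__" into an ordinary
// own key, which is what lets the unguarded merge descend into Object.prototype.
var SAMPLE_JSON = '{"name":"cfg","nested":{"a":1},"__proto__":{"polluted":true}}';

// Merges the sample into a fresh object and reports whether Object.prototype
// gained "polluted"; removes it afterwards so every call starts from a clean state.
function mergePollutes(guarded) {
  deepExtend({ nested: { b: 2 } }, JSON.parse(SAMPLE_JSON), guarded);
  var polluted = ({}).polluted === true;
  delete Object.prototype.polluted;
  return polluted;
}

// Normal usage is unaffected by the guard: nested objects still merge.
function mergeNormal() {
  return deepExtend({ nested: { b: 2 } }, { nested: { a: 1 }, list: [1] }, true);
}

console.log('unpatched merge pollutes Object.prototype:', mergePollutes(false));
console.log('patched merge pollutes Object.prototype:', mergePollutes(true));
```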
--- Begin Message ---
Unblocked node-deep-extend.
--- End Message ---