Your message dated Sun, 21 Apr 2019 16:18:00 +0000
with message-id <[email protected]>
and subject line Re: Bug#927699: unblock: node-mixin-deep/1.1.3-3
has caused the Debian Bug report #927699,
regarding unblock: node-mixin-deep/1.1.3-3
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
927699: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=927699
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: [email protected]
Usertags: unblock
Please unblock package node-mixin-deep
Hi all,
node-mixin-deep is vulnerable to prototype pollution[1]. I fixed this
using the upstream commit. Full changes:
* Add upstream/metadata
* Declare compliance with policy 4.3.0
* Change section to javascript
* Fix prototype pollution (Closes: #898315, CVE-2018-3719)
* Switch tests to pkg-js-tools
* Fix VCS fields
* Fix debian/copyright
Main reverse-dependencies:
- webpack
- gulp
- rollup & rollup plugins
The change on installed files is just a control to avoid prototype pollution
(see debian/patches/CVE-2018-3719.diff), so I think it is low risk to
upgrade node-mixin-deep.
Cheers,
Xavier
[1]: https://security-tracker.debian.org/tracker/CVE-2018-3719
https://bugs.debian.org/898315
unblock node-mixin-deep/1.1.3-3
-- System Information:
Debian Release: buster/sid
APT prefers testing
APT policy: (900, 'testing'), (500, 'testing-proposed-updates'), (500, 'unstable')
Architecture: amd64 (x86_64)
Kernel: Linux 4.19.0-4-amd64 (SMP w/8 CPU cores)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE= (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
diff --git a/debian/changelog b/debian/changelog
index 2e47d2e..17cb287 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,23 @@
+node-mixin-deep (1.1.3-3) unstable; urgency=medium
+
+ * Team upload
+ * Back to debhelper 9 (Buster freeze)
+
+ -- Xavier Guimard <[email protected]> Sun, 21 Apr 2019 14:34:56 +0200
+
+node-mixin-deep (1.1.3-2) unstable; urgency=medium
+
+ * Team upload
+ * Add upstream/metadata
+ * Declare compliance with policy 4.3.0
+ * Change section to javascript
+ * Fix prototype pollution (Closes: #898315, CVE-2018-3719)
+ * Switch tests to pkg-js-tools
+ * Fix VCS fields
+ * Fix debian/copyright
+
+ -- Xavier Guimard <[email protected]> Sun, 21 Apr 2019 14:24:15 +0200
+
node-mixin-deep (1.1.3-1) unstable; urgency=low
* Initial release (Closes: #842329)
diff --git a/debian/control b/debian/control
index bf5ce1c..a305397 100644
--- a/debian/control
+++ b/debian/control
@@ -1,8 +1,9 @@
Source: node-mixin-deep
-Section: web
+Section: javascript
Priority: optional
Maintainer: Debian Javascript Maintainers
<[email protected]>
Uploaders: Sruthi Chandran <[email protected]>
+Testsuite: autopkgtest-pkg-nodejs
Build-Depends:
debhelper (>= 9)
, dh-buildinfo
@@ -11,10 +12,11 @@ Build-Depends:
, node-should
, node-is-extendable (>= 0.1.1)
, node-for-in (>= 0.1.4)
-Standards-Version: 3.9.8
+ , pkg-js-tools
+Standards-Version: 4.3.0
Homepage: https://github.com/jonschlinkert/mixin-deep
-Vcs-Git: https://anonscm.debian.org/git/pkg-javascript/node-mixin-deep.git
-Vcs-Browser: https://anonscm.debian.org/cgit/pkg-javascript/node-mixin-deep.git
+Vcs-Browser: https://salsa.debian.org/js-team/node-mixin-deep
+Vcs-Git: https://salsa.debian.org/js-team/node-mixin-deep.git
Package: node-mixin-deep
Architecture: all
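Review bot: `+ , pkg-js-tools` is added to Build-Depends without a version, yet `dh $@ --with nodejs` in debian/rules and the debian/tests/pkg-js layout only work with a pkg-js-tools that ships the nodejs sequencer; a versioned Build-Depends on the first pkg-js-tools providing `--with nodejs` would make rebuilds and backports fail early with a clear error instead of at the dh stage. The `Testsuite: autopkgtest-pkg-nodejs` line in the previous hunk and the salsa Vcs-* fields here are consistent with that switch.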
diff --git a/debian/copyright b/debian/copyright
index 1e90e8f..42f57f3 100644
--- a/debian/copyright
+++ b/debian/copyright
@@ -1,10 +1,10 @@
-Format: http://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
+Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
Upstream-Name: mixin-deep
Upstream-Contact: https://github.com/jonschlinkert/mixin-deep/issues
Source: https://github.com/jonschlinkert/mixin-deep
Files: *
-Copyright: 2016 Jon Schlinkert (https://github.com/jonschlinkert)
+Copyright: 2014-2015 Jon Schlinkert (https://github.com/jonschlinkert)
License: Expat
Files: debian/*
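Review bot: `+Copyright: 2014-2015 Jon Schlinkert` replaces the single year 2016 with an earlier and narrower range, which reads like a correction taken from upstream's LICENSE file but is not explained in the changelog ("Fix debian/copyright"); state the source of the years, and since this upload also ships a later upstream commit as a Debian patch, check whether upstream's range should extend past 2015 rather than shrink.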
@@ -31,4 +31,3 @@ License: Expat
ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.
-
diff --git a/debian/patches/CVE-2018-3719.diff
b/debian/patches/CVE-2018-3719.diff
new file mode 100644
index 0000000..868f5bb
--- /dev/null
+++ b/debian/patches/CVE-2018-3719.diff
@@ -0,0 +1,22 @@
+Description: Fix prototype pollution (CVE-2018-3719)
+Author: Jon Schlinkert <https://github.com/jonschlinkert>
+Origin: upstream,
https://github.com/jonschlinkert/mixin-deep/commit/578b0bc5e74e14de9ef4975f504dc698796bdf9c
+Bug: https://www.npmjs.com/advisories/578
+Bug-Debian: https://bugs.debian.org/898315
+Forwarded: not-needed
+Reviewed-By: Xavier Guimard <[email protected]>
+Last-Update: 2019-04-21
+
+--- a/index.js
++++ b/index.js
+@@ -23,6 +23,10 @@
+ */
+
+ function copy(val, key) {
++ if (key === '__proto__') {
++ return;
++ }
++
+ var obj = this[key];
+ if (isObject(val) && isObject(obj)) {
+ mixinDeep(obj, val);
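Review bot: the guard at `+ if (key === '__proto__') {` rejects only that one key, while the recursion `mixinDeep(obj, val)` on `var obj = this[key]` merges into whatever object already sits under the key; `constructor` (whose `prototype` property is `Object.prototype`) is the usual second route, and with node-is-extendable listed in Build-Depends as the `isObject` implementation, a function value passes that test. When this patch is next refreshed, consider extending the check to `constructor` and `prototype` (or only copying own keys of the target), and add a regression test under debian/tests/pkg-js that merges a `__proto__` key and asserts `({}).polluted === undefined` afterwards, so the fix is exercised at build and autopkgtest time. The DEP-3 header is complete and `Forwarded: not-needed` is right for an upstream backport.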
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 0000000..9b10403
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1 @@
+CVE-2018-3719.diff
diff --git a/debian/rules b/debian/rules
index 9eb6b18..20809a4 100755
--- a/debian/rules
+++ b/debian/rules
@@ -5,11 +5,4 @@
#export DH_VERBOSE=1
%:
- dh $@
-
-#override_dh_auto_build:
-
-override_dh_auto_test:
- mocha -R spec
-
-
+ dh $@ --with nodejs
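Review bot: dropping `override_dh_auto_test:` / `mocha -R spec` means the build-time test run now depends entirely on the `--with nodejs` sequence from pkg-js-tools executing debian/tests/pkg-js/test; that is the intended pkg-js-tools workflow, but confirm in the build log that mocha actually runs, because a sequencer that skips the test would leave the CVE fix unverified at build time without any error. Removing the commented-out `#override_dh_auto_build:` and the trailing blank lines is cosmetic.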
diff --git a/debian/tests/control b/debian/tests/control
deleted file mode 100644
index 588a506..0000000
--- a/debian/tests/control
+++ /dev/null
@@ -1,5 +0,0 @@
-Tests: require
-Depends: node-mixin-deep
-
-Test-Command: mocha -R spec
-Depends: @, @builddeps@
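Review bot: deleting this file delegates both the `require` smoke test and the mocha run to the autodep8-generated tests behind `Testsuite: autopkgtest-pkg-nodejs`; the mocha side is covered by the new debian/tests/pkg-js/test, but the removed stanza also pulled `@builddeps@` (node-should and friends), so confirm that the generated test still installs those and that a require check equivalent to the deleted debian/tests/require is generated, otherwise the regression would only surface during testing migration rather than in this review.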
diff --git a/debian/tests/pkg-js/test b/debian/tests/pkg-js/test
new file mode 100644
index 0000000..00882e2
--- /dev/null
+++ b/debian/tests/pkg-js/test
@@ -0,0 +1 @@
+mocha -R spec --timeout 10000
diff --git a/debian/tests/require b/debian/tests/require
deleted file mode 100644
index 02a037e..0000000
--- a/debian/tests/require
+++ /dev/null
@@ -1,3 +0,0 @@
-#!/bin/sh
-set -e
-nodejs -e "require('mixin-deep');"
diff --git a/debian/upstream/metadata b/debian/upstream/metadata
new file mode 100644
index 0000000..120af8f
--- /dev/null
+++ b/debian/upstream/metadata
@@ -0,0 +1,7 @@
+---
+Archive: GitHub
+Bug-Database: https://github.com/jonschlinkert/mixin-deep/issues
+Contact: https://github.com/jonschlinkert/mixin-deep/issues
+Name: mixin-deep
+Repository: https://github.com/jonschlinkert/mixin-deep.git
+Repository-Browse: https://github.com/jonschlinkert/mixin-deep
--- End Message ---
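The guard that the patch above adds, shown as an added example that is neither the mixin-deep code nor part of this bug report: a minimal deep merge in the style of mixin-deep's copy()/mixinDeep() with the key guard made switchable, so the unguarded path that recurses into Object.prototype and the guarded path can be compared. It goes beyond the upstream patch by also rejecting `constructor` and `prototype` (an assumption, not upstream's check), and the untrusted JSON document is constructed for the example.

```javascript
// Added example, not the mixin-deep code: a minimal deep merge in the style of
// mixin-deep's copy()/mixinDeep(), with the CVE-2018-3719 key guard switchable
// so the unguarded (vulnerable) and guarded behaviour can be compared.
const isObject = (v) => v !== null && typeof v === 'object' && !Array.isArray(v);

// The upstream patch rejects only '__proto__'; this example (an assumption going
// beyond the patch) also rejects 'constructor' and 'prototype', the other keys
// through which a merge can reach a prototype object.
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function mixinDeep(target, source, guarded = true) {
  for (const key of Object.keys(source)) {          // own enumerable keys only
    if (guarded && BLOCKED_KEYS.has(key)) continue; // the guard from the patch
    const existing = target[key];
    const val = source[key];
    if (isObject(val) && isObject(existing)) {
      // target['__proto__'] is Object.prototype, so without the guard this
      // recursion writes the source's keys onto every object in the process.
      mixinDeep(existing, val, guarded);
    } else {
      target[key] = val;
    }
  }
  return target;
}

// Constructed untrusted JSON: JSON.parse makes '__proto__' an ordinary own
// property, so a naive merge iterates over it like any other key.
const UNTRUSTED = '{"name":"app","__proto__":{"polluted":true},"opts":{"debug":true}}';

function isPolluted() {
  return ({}).polluted === true; // a fresh object inherits whatever leaked
}

// Runs the same merge without and with the guard, reports whether
// Object.prototype was modified, and cleans up so the process stays usable.
function demo() {
  mixinDeep({ opts: { verbose: false } }, JSON.parse(UNTRUSTED), false);
  const pollutedUnguarded = isPolluted();
  delete Object.prototype.polluted;

  const merged = mixinDeep({ opts: { verbose: false } }, JSON.parse(UNTRUSTED), true);
  const pollutedGuarded = isPolluted();
  return { pollutedUnguarded, pollutedGuarded, merged };
}
```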
--- Begin Message ---
Xavier Guimard:
> Package: release.debian.org
> Severity: normal
> User: [email protected]
> Usertags: unblock
>
> Please unblock package node-mixin-deep
>
> Hi all,
>
> node-mixin-deep is vulnerable to prototype pollution[1]. I fixed this
> using the upstream commit. Full changes:
> * Add upstream/metadata
> * Declare compliance with policy 4.3.0
> * Change section to javascript
> * Fix prototype pollution (Closes: #898315, CVE-2018-3719)
> * Switch tests to pkg-js-tools
> * Fix VCS fields
> * Fix debian/copyright
>
> Main reverse-dependencies:
> - webpack
> - gulp
> - rollup & rollup plugins
>
> The change on installed files is just a control to avoid prototype pollution
> (see debian/patches/CVE-2018-3719.diff), so I think it is low risk to
> upgrade node-mixin-deep.
>
> Cheers,
> Xavier
>
> [1]: https://security-tracker.debian.org/tracker/CVE-2018-3719
> https://bugs.debian.org/898315
>
> unblock node-mixin-deep/1.1.3-3
>
> [...]
Unblocked, thanks.
~Niels
--- End Message ---