Package: release.debian.org Severity: normal User: [email protected] Usertags: unblock
Please unblock package node-jszip [ Reason ] node-jszip is vulnerable to a prototype pollution: rafting a new zip file with filenames set to Object prototype values (e.g __proto__, toString, etc) results in a returned object with a modified prototype instance. [ Impact ] Little security issue. [ Tests ] Sadly test are not launched for this package. [ Risks ] No risk, patch is trivial. [ Checklist ] [X] all changes are documented in the d/changelog [X] I reviewed all changes and I approve them [X] attach debdiff against the package in testing Cheers, Yadd unblock node-jszip/3.5.0+dfsg-2
diff --git a/debian/changelog b/debian/changelog index 7994aaf..bbfd736 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,11 @@ +node-jszip (3.5.0+dfsg-2) unstable; urgency=medium + + * Team upload + * Fix GitHub tags regex + * Fix a null prototype object for this.files (Closes: CVE-2021-23413) + + -- Yadd <[email protected]> Mon, 26 Jul 2021 21:54:02 +0200 + node-jszip (3.5.0+dfsg-1) unstable; urgency=medium * Team upload diff --git a/debian/patches/CVE-2021-23413.patch b/debian/patches/CVE-2021-23413.patch new file mode 100644 index 0000000..7f3e672 --- /dev/null +++ b/debian/patches/CVE-2021-23413.patch @@ -0,0 +1,43 @@ +Description: fix: Use a null prototype object for this.files +Author: Michael Aquilina <[email protected]> +Bug: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23413 +Forwarded: not-needed +Reviewed-By: Yadd <[email protected]> +Last-Update: 2021-07-26 + +--- a/lib/index.js ++++ b/lib/index.js +@@ -19,7 +19,10 @@ + // "folder/" : {...}, + // "folder/data.txt" : {...} + // } +- this.files = {}; ++ // NOTE: we use a null prototype because we do not ++ // want filenames like "toString" coming from a zip file ++ // to overwrite methods and attributes in a normal Object. ++ this.files = Object.create(null); + + this.comment = null; + +--- a/lib/object.js ++++ b/lib/object.js +@@ -179,16 +179,16 @@ + */ + forEach: function(cb) { + var filename, relativePath, file; ++ /* jshint ignore:start */ ++ // ignore warning about unwanted properties because this.files is a null prototype object + for (filename in this.files) { +- if (!this.files.hasOwnProperty(filename)) { +- continue; +- } + file = this.files[filename]; + relativePath = filename.slice(this.root.length, filename.length); + if (relativePath && filename.slice(0, this.root.length) === this.root) { // the file is in the current root + cb(relativePath, file); // TODO reverse the parameters ? need to be clean AND consistent with the filter search fn... + } + } ++ /* jshint ignore:end */ + }, + + /** diff --git a/debian/patches/series b/debian/patches/series new file mode 100644 index 0000000..b0d53b4 --- /dev/null +++ b/debian/patches/series @@ -0,0 +1 @@ +CVE-2021-23413.patch diff --git a/debian/watch b/debian/watch index 46895cc..4525548 100644 --- a/debian/watch +++ b/debian/watch @@ -4,4 +4,4 @@ repacksuffix=+dfsg,\ repack,compression=xz,\ dversionmangle=auto,\ filenamemangle=s/.*\/v?([\d\.-]+)\.tar\.gz/node-jszip-$1.tar.gz/ \ - https://github.com/Stuk/jszip/tags .*/archive/v?([\d\.]+).tar.gz + https://github.com/Stuk/jszip/tags .*/archive/.*/v?([\d\.]+).tar.gz
