Your message dated Sat, 18 Dec 2021 20:57:56 +0000
with message-id
<7c5e58422d4fd1d02cfae36eca731d5d90ba0743.ca...@adam-barratt.org.uk>
and subject line Closing bugs for p-u requests included in 11.2 (part the deux)
has caused the Debian Bug report #1000377,
regarding bullseye-pu: package node-json-schema/0.3.0+_7.0.6-1+deb11u1
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1000377: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1000377
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bullseye
User: [email protected]
Usertags: pu
[ Reason ]
node-json-schema is vulnerable to prototype pollution
[ Impact ]
Medium vulnerability
[ Tests ]
Sadly test wre not enable for this package
[ Risks ]
Low risk, patch is trivial
[ Checklist ]
[X] *all* changes are documented in the d/changelog
[X] I reviewed all changes and I approve them
[X] attach debdiff against the package in (old)stable
[X] the issue is verified as fixed in unstable
[ Changes ]
Just an additional check
Cheers,
Yadd
diff --git a/debian/changelog b/debian/changelog
index a50007b..bad7788 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+node-json-schema (0.3.0+~7.0.6-1+deb11u1) bullseye; urgency=medium
+
+ * Team upload
+ * Fix prototype pollution (Closes: #999765, CVE-2021-3918)
+
+ -- Yadd <[email protected]> Mon, 22 Nov 2021 10:40:35 +0100
+
node-json-schema (0.3.0+~7.0.6-1) unstable; urgency=medium
[ upstream ]
diff --git a/debian/patches/CVE-2021-3918.patch
b/debian/patches/CVE-2021-3918.patch
new file mode 100644
index 0000000..9cba185
--- /dev/null
+++ b/debian/patches/CVE-2021-3918.patch
@@ -0,0 +1,53 @@
+Description: fix Improperly Controlled Modification of Object Prototype
Attributes ('Prototype Pollution')
+ Don't allow __proto__ property to be used for schema default/coerce, fixes
+Author: Kris Zyp <[email protected]>
+Origin: upstream, https://github.com/kriszyp/json-schema/commit/22f14611
+Bug: https://security-tracker.debian.org/tracker/CVE-2021-3918
+Bug-Debian: https://bugs.debian.org/999765
+Forwarded: not-needed
+Reviewed-By: Yadd <[email protected]>
+Last-Update: 2021-11-22
+
+--- a/lib/validate.js
++++ b/lib/validate.js
+@@ -207,7 +207,7 @@
+ }
+
+ for(var i in objTypeDef){
+- if(objTypeDef.hasOwnProperty(i)){
++ if(objTypeDef.hasOwnProperty(i) && i !=
'__proto__'){
+ var value = instance[i];
+ // skip _not_ specified properties
+ if (value === undefined &&
options.existingOnly) continue;
+--- a/test/tests.js
++++ b/test/tests.js
+@@ -92,4 +92,29 @@
+ 'Json-Ref self-validates': assertSelfValidates('json-ref'),
+ 'Json-Ref/Hyper': assertValidates('json-ref', 'hyper-schema'),
+ 'Json-Ref/Core': assertValidates('json-ref', 'schema')
++ prototypePollution: function() {
++ console.log('testing')
++ const instance = JSON.parse(`
++ {
++ "$schema":{
++ "type": "object",
++ "properties":{
++ "__proto__": {
++ "type": "object",
++ "properties":{
++ "polluted": {
++ "type": "string",
++ "default": "polluted"
++ }
++ }
++ }
++ },
++ "__proto__": {}
++ }
++ }`);
++
++ const a = {};
++ validate(instance);
++ assert.equal(a.polluted, undefined);
++ }
+ }).export(module);
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 0000000..082cdc9
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1 @@
+CVE-2021-3918.patch
--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 11.2
Hi,
Each of the updates referenced by these requests was included in
today's bullseye point release, but my original closure mail failed to
correctly handle 7-digit bug numbers. Fixing that omission now.
Regards,
Adam
--- End Message ---
