Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian....@packages.debian.org
Usertags: pu
[ Reason ]
dojo is vulnerable to prototype pollution (#1014785, CVE-2021-23450)

[ Impact ]
Medium vulnerability

[ Tests ]
No new test here

[ Risks ]
No risk, patch is trivial

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

Cheers,
Yadd
diff --git a/debian/changelog b/debian/changelog index bf5c2b47..b861b5a0 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +dojo (1.15.4+dfsg1-1+deb11u1) bullseye; urgency=medium + + * Team upload + * Fix prototype pollution (Closes: #1014785, CVE-2021-23450) + + -- Yadd <y...@debian.org> Fri, 16 Sep 2022 10:42:57 +0200 + dojo (1.15.4+dfsg1-1) unstable; urgency=medium * Team upload diff --git a/debian/patches/CVE-2021-23450.patch b/debian/patches/CVE-2021-23450.patch new file mode 100644 index 00000000..fe66d089 --- /dev/null +++ b/debian/patches/CVE-2021-23450.patch @@ -0,0 +1,22 @@ +Description: Fix for CVE-2021-23450, prototype pollution +Author: Sanchit Chadha +Bug-Debian: https://bugs.debian.org/970501 +Origin: upstream, https://github.com/dojo/dojo/commit/b7b8b279 +Bug-Debian: https://bugs.debian.org/1014785 +Forwarded: not-needed +Reviewed-By: Yadd <y...@debian.org> +Last-Update: 2022-09-16 + +--- a/dojo/_base/lang.js ++++ b/dojo/_base/lang.js +@@ -31,6 +31,10 @@ + try{ + for(var i = 0; i < parts.length; i++){ + var p = parts[i]; ++ // Fix for prototype pollution CVE-2021-23450 ++ if (p === '__proto__' || p === 'constructor') { ++ return; ++ } + if(!(p in context)){ + if(create){ + context[p] = {}; diff --git a/debian/patches/series b/debian/patches/series index c75b2155..0436f059 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -2,3 +2,4 @@ 0002-Do-notrun-test-suite-in-build.patch 0003-Disable-flash-storage.patch 0004-Fix-shrinksafe-tests-with-new-rhino.patch +CVE-2021-23450.patch
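Review bot: the changelog line `* Fix prototype pollution (Closes: #1014785, CVE-2021-23450)` does not record that the fix is a backport of the upstream commit named in the patch header (`Origin: upstream, https://github.com/dojo/dojo/commit/b7b8b279`); appending "backport of upstream commit b7b8b279" to that entry lets the security tracker and future maintainers cross-reference the fix without opening the patch.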
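Review bot: in the debian/patches/CVE-2021-23450.patch hunk, the DEP-3 header carries two `Bug-Debian:` fields (`https://bugs.debian.org/970501` and `https://bugs.debian.org/1014785`) while only #1014785 is closed in d/changelog; either drop the 970501 line or state in the Description why it is listed, since a duplicated header field is ambiguous for tooling that parses the patch header. On the code change, the guard `if (p === '__proto__' || p === 'constructor') { return; }` exits the enclosing function with an implicit undefined, so a caller passing such a path segment gets the same result as for a missing key; that matches the minimal upstream fix and is acceptable for a stable update, but a sentence in the Description noting that rejected path segments are dropped silently rather than reported would save the next reader from re-deriving it. The placement is right: the check runs before `if(!(p in context))` and the `create` branch, so no intermediate object is ever attached for a rejected segment.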
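Review bot: the new series entry `+CVE-2021-23450.patch` departs from the numbered naming convention of the existing entries (`0002-Do-notrun-test-suite-in-build.patch`, `0003-Disable-flash-storage.patch`, `0004-Fix-shrinksafe-tests-with-new-rhino.patch`); naming it `0005-CVE-2021-23450.patch` (and renaming the file under debian/patches accordingly) keeps the apply order explicit for later additions. Stylistic only; the patch applies last either way.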