Package: release.debian.org Severity: normal Tags: bullseye User: [email protected] Usertags: pu X-Debbugs-Cc: [email protected] Control: affects -1 + src:node-json5
[ Reason ] node-json5 is vulnerable to prototype pollution (CVE-2022-46175) [ Impact ] Medium security issue [ Tests ] New tests added, passed [ Risks ] Low risk, patch is simple and tests passed [ Checklist ] [X] *all* changes are documented in the d/changelog [X] I reviewed all changes and I approve them [X] attach debdiff against the package in (old)stable [X] the issue is verified as fixed in unstable Cheers, Yadd
diff --git a/debian/changelog b/debian/changelog
index fef8d26..0aa0bd6 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+node-json5 (2.1.3-2+deb11u1) bullseye; urgency=medium
+
+ * Team upload
+ * add __proto__ to objects and arrays (Closes: CVE-2022-46175)
+
+ -- Yadd <[email protected]> Mon, 16 Jan 2023 07:34:31 +0400
+
 node-json5 (2.1.3-2) unstable; urgency=medium
 
 * Team upload.
diff --git a/debian/patches/CVE-2022-46175.patch b/debian/patches/CVE-2022-46175.patch
new file mode 100644
index 0000000..1b2acc6
--- /dev/null
+++ b/debian/patches/CVE-2022-46175.patch
@@ -0,0 +1,91 @@
+Description: add __proto__ to objects and arrays
+Author: Jordan Tucker <[email protected]>
+Origin: upstream, https://github.com/json5/json5/commit/4a8c4568
+Forwarded: not-needed
+Reviewed-By: Yadd <[email protected]>
+Last-Update: 2023-01-16
+
+--- a/CHANGELOG.md
++++ b/CHANGELOG.md
+@@ -340,5 +340,6 @@
+ [#182]: https://github.com/json5/json5/issues/182
+ [#187]: https://github.com/json5/json5/issues/187
+ [#196]: https://github.com/json5/json5/issues/196
++[#199]: https://github.com/json5/json5/issues/199
+ [#208]: https://github.com/json5/json5/issues/208
+ [#210]: https://github.com/json5/json5/issues/210
+--- a/lib/parse.js
++++ b/lib/parse.js
+@@ -41,15 +41,35 @@
+ 
+ function internalize (holder, name, reviver) {
+ const value = holder[name]
+- if (value != null && typeof value === 'object') {
+- for (const key in value) {
+- const replacement = internalize(value, key, reviver)
+- if (replacement === undefined) {
+- delete value[key]
+- } else {
+- value[key] = replacement
+- }
++ if (Array.isArray(value)) {
++ for (let i = 0; i < value.length; i++) {
++ const key = String(i)
++ const replacement = internalize(value, key, reviver)
++ if (replacement === undefined) {
++ delete value[key]
++ } else {
++ Object.defineProperty(value, key, {
++ value: replacement,
++ writable: true,
++ enumerable: true,
++ configurable: true,
++ })
++ }
++ }
++ } else {
++ for (const key in value) {
++ const replacement = internalize(value, key, reviver)
++ if (replacement === undefined) {
++ delete value[key]
++ } else {
++ Object.defineProperty(value, key, {
++ value: replacement,
++ writable: true,
++ enumerable: true,
++ configurable: true,
++ })
+ }
++ }
+ }
+ 
+ return reviver.call(holder, name, value)
+@@ -973,7 +993,12 @@
+ if (Array.isArray(parent)) {
+ parent.push(value)
+ } else {
+- parent[key] = value
++ Object.defineProperty(parent, key, {
++ value,
++ writable: true,
++ enumerable: true,
++ configurable: true,
++ })
+ }
+ }
+ 
+--- a/test/parse.js
++++ b/test/parse.js
+@@ -293,6 +293,12 @@
+ )
+ 
+ t.strictSame(
++ JSON5.parse('{"__proto__":1}').__proto__,
++ 1,
++ 'preserves __proto__ property names',
++ )
++ 
++ t.strictSame(
+ JSON5.parse('{a:{b:2}}', (k, v) => (k === 'b') ? 'revived' : v),
+ {a: {b: 'revived'}},
+ 'modifies nested object property values'
diff --git a/debian/patches/series b/debian/patches/series
index dc10249..f55f44a 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,2 +1,3 @@
 update-unicode.diff
 ship_typescript_definitions.patch
+CVE-2022-46175.patch
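Review bot: The rewritten `internalize` in the lib/parse.js hunk of debian/patches/CVE-2022-46175.patch drops the `if (value != null && typeof value === 'object')` guard without reinstating it, so the `else` branch now runs `for (const key in value)` over primitives; for a non-empty string value `value[key]` is again a one-character string, so `JSON5.parse('"a"', (k, v) => v)` would recurse until the stack is exhausted, assuming the hunk as displayed is faithful (the hunk header's 35 new lines and the removed guard line agree with that reading). Upstream keeps both branches inside that guard, so I would wrap the `if (Array.isArray(value)) { … } else { … }` in `if (value != null && typeof value === 'object') {` / `}` and re-indent (the hunk header then becomes `@@ -41,15 +41,37 @@`); `internalize`'s closing brace lies just past the hunk. The existing reviver tests only feed number and object values, which is presumably why this passed, so a regression test such as `t.strictSame(JSON5.parse('{a:"b"}', (k, v) => v), {a: 'b'}, 'revives string values')` belongs next to the new `__proto__` test. That new test asserts the own property but not that the shared prototype stays untouched; a companion `t.strictSame(Object.prototype.hasOwnProperty('polluted'), false, 'does not pollute Object.prototype')` after parsing `'{"__proto__":{"polluted":1}}'` would pin the CVE fix itself.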

