Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian....@packages.debian.org
Usertags: pu
X-Debbugs-Cc: node-tough-coo...@packages.debian.org
Control: affects -1 + src:node-tough-cookie
[ Reason ]
node-tough-cookie is vulnerable to prototype pollution
[ Impact ]
Littel security issue
[ Tests ]
Test updated, passed
[ Risks ]
No risk, patch is trivial and tested
[ Checklist ]
[X] *all* changes are documented in the d/changelog
[X] I reviewed all changes and I approve them
[X] attach debdiff against the package in (old)stable
[X] the issue is verified as fixed in unstable
[ Changes ]
Create new object instead of using default {}
Cheers,
Yadd
diff --git a/debian/changelog b/debian/changelog
index 3652359..84339cf 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+node-tough-cookie (4.0.0-2+deb11u1) bullseye; urgency=medium
+
+ * Team upload
+ * Fix prototype pollution (Closes: CVE-2023-26136)
+
+ -- Yadd <y...@debian.org> Sun, 09 Jul 2023 08:32:32 +0400
+
node-tough-cookie (4.0.0-2) unstable; urgency=medium
* Team upload
diff --git a/debian/patches/CVE-2023-26136.patch
b/debian/patches/CVE-2023-26136.patch
new file mode 100644
index 0000000..05e6372
--- /dev/null
+++ b/debian/patches/CVE-2023-26136.patch
@@ -0,0 +1,71 @@
+Description: Fix prototype pollution
+ CVE-2023-26136
+Author: Yadd <y...@debian.org>
+Forwarded: not-needed
+Last-Update: 2023-07-07
+
+--- a/lib/memstore.js
++++ b/lib/memstore.js
+@@ -39,7 +39,7 @@
+ constructor() {
+ super();
+ this.synchronous = true;
+- this.idx = {};
++ this.idx = Object.create(null);
+ if (util.inspect.custom) {
+ this[util.inspect.custom] = this.inspect;
+ }
+@@ -109,10 +109,10 @@
+
+ putCookie(cookie, cb) {
+ if (!this.idx[cookie.domain]) {
+- this.idx[cookie.domain] = {};
++ this.idx[cookie.domain] = Object.create(null);
+ }
+ if (!this.idx[cookie.domain][cookie.path]) {
+- this.idx[cookie.domain][cookie.path] = {};
++ this.idx[cookie.domain][cookie.path] = Object.create(null);
+ }
+ this.idx[cookie.domain][cookie.path][cookie.key] = cookie;
+ cb(null);
+@@ -144,7 +144,7 @@
+ return cb(null);
+ }
+ removeAllCookies(cb) {
+- this.idx = {};
++ this.idx = Object.create(null);
+ return cb(null);
+ }
+ getAllCookies(cb) {
+--- a/test/cookie_jar_test.js
++++ b/test/cookie_jar_test.js
+@@ -669,4 +669,29 @@
+ }
+ }
+ })
++ .addBatch({
++ "Issue #282 - Prototype pollution": {
++ "when setting a cookie with the domain __proto__": {
++ topic: function() {
++ const jar = new tough.CookieJar(undefined, {
++ rejectPublicSuffixes: false
++ });
++ // try to pollute the prototype
++ jar.setCookieSync(
++ "Slonser=polluted; Domain=__proto__; Path=/notauth",
++ "https://__proto__/admin";
++ );
++ jar.setCookieSync(
++ "Auth=Lol; Domain=google.com; Path=/notauth",
++ "https://google.com/";
++ );
++ this.callback();
++ },
++ "results in a cookie that is not affected by the attempted prototype
pollution": function() {
++ const pollutedObject = {};
++ assert(pollutedObject["/notauth"] === undefined);
++ }
++ }
++ }
++ })
+ .export(module);
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 0000000..67af372
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1 @@
+CVE-2023-26136.patch
