On 26/09/2019 at 07:12, Salvatore Bonaccorso wrote:
> Source: node-set-value
> Version: 0.4.0-1
> Severity: important
> Tags: security upstream
> Control: found -1 3.0.0-1
> 
> Hi,
> 
> The following vulnerability was published for node-set-value.
> 
> CVE-2019-10747[0]:
> | set-value is vulnerable to Prototype Pollution in versions lower than
> | 3.0.1. The function mixin-deep could be tricked into adding or
> | modifying properties of Object.prototype using any of the constructor,
> | prototype and _proto_ payloads.
> 
> 
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> 
> For further information see:
> 
> [0] https://security-tracker.debian.org/tracker/CVE-2019-10747
>     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10747
> [1] https://snyk.io/vuln/SNYK-JS-SETVALUE-450213

Hi,

Here is a patch for Buster.

Cheers,
Xavier
diff --git a/debian/changelog b/debian/changelog
index 49d174b..871978a 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+node-set-value (0.4.0-1+deb10u1) buster-security; urgency=medium
+
+  * Fix prototype pollution (Closes: #941189, CVE-2019-10747)
+
+ -- Xavier Guimard <y...@debian.org>  Thu, 26 Sep 2019 07:27:54 +0200
+
 node-set-value (0.4.0-1) unstable; urgency=low
 
   * Initial release (Closes: #842255)
diff --git a/debian/patches/CVE-2019-10747.diff 
b/debian/patches/CVE-2019-10747.diff
new file mode 100644
index 0000000..4f8dd54
--- /dev/null
+++ b/debian/patches/CVE-2019-10747.diff
@@ -0,0 +1,28 @@
+Description: Fix prototype pollution
+Author: Jon Schlinkert (https://github.com/jonschlinkert)
+Origin: upstream, https://github.com/jonschlinkert/set-value/commit/cb12f149
+Bug: https://snyk.io/vuln/SNYK-JS-SETVALUE-450213
+Bug-Debian: https://bugs.debian.org/941189
+Forwarded: not-needed
+Reviewed-By: Xavier Guimard <y...@debian.org>
+Last-Update: 2019-09-26
+
+--- a/index.js
++++ b/index.js
+@@ -24,7 +24,7 @@
+     return obj;
+   }
+ 
+-  var segs = path.split('.');
++  var segs = path.split('.').filter(isValidKey);
+   var len = segs.length, i = -1;
+   var res = obj;
+   var last;
+@@ -59,3 +59,7 @@
+   }
+   return res;
+ };
++
++function isValidKey(key) {
++  return key !== '__proto__' && key !== 'constructor' && key !== 'prototype';
++}
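Review bot: the `var segs = path.split('.').filter(isValidKey);` line silently drops an offending segment rather than refusing the call, so a path such as `a.__proto__.b` is written as `a.b` instead of being rejected; consider saying so in the Description field, or returning `obj` unchanged when any segment fails `isValidKey`, so callers are not surprised by a silently rewritten key. The `@@ -24,7 +24,7 @@` context only shows the string-path branch being filtered, so it is worth confirming that no other code in index.js builds `segs` without going through `isValidKey`.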
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 0000000..ca81722
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1 @@
+CVE-2019-10747.diff
-- 
Pkg-javascript-devel mailing list
Pkg-javascript-devel@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel
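The pollution described in the quoted CVE text and the isValidKey filter from the patch, as an added JavaScript example that is not the set-value package's own code: setSegments, setUnfiltered, setFiltered and pollutesPrototype are names chosen here, and the setter is a simplified model of a dotted-path deep setter, not set-value's implementation.

```javascript
// Added example, not code from the set-value package: a minimal dotted-path
// deep setter in its pre-patch shape and with the isValidKey filter from the
// patch applied, plus a check that tells the two apart.

// Core walker: creates intermediate objects, then writes the last segment.
function setSegments(obj, segs, value) {
  if (segs.length === 0) return obj;            // nothing left to write
  let cur = obj;
  for (let i = 0; i < segs.length - 1; i++) {
    const key = segs[i];
    const next = cur[key];
    // Pre-patch behaviour: any object or function is descended into, so
    // '__proto__' or 'constructor.prototype' lead straight to Object.prototype.
    if (next === null || (typeof next !== 'object' && typeof next !== 'function')) {
      cur[key] = {};
    }
    cur = cur[key];
  }
  cur[segs[segs.length - 1]] = value;
  return obj;
}

// Vulnerable form: every segment of the path is trusted.
function setUnfiltered(obj, path, value) {
  return setSegments(obj, path.split('.'), value);
}

// isValidKey as in the patch: drop the three segments that reach the prototype.
function isValidKey(key) {
  return key !== '__proto__' && key !== 'constructor' && key !== 'prototype';
}

// Patched form: offending segments are silently filtered out, not rejected,
// so setFiltered({}, 'a.__proto__.b', 1) yields {a: {b: 1}}.
function setFiltered(obj, path, value) {
  return setSegments(obj, path.split('.').filter(isValidKey), value);
}

// Defender's check: does `setter` let a write through `prefix` land on
// Object.prototype? Uses a unique marker key and removes it afterwards.
function pollutesPrototype(setter, prefix) {
  const marker = 'pp_marker_' + Math.random().toString(36).slice(2);
  try {
    setter({}, prefix + '.' + marker, true);
    return Object.prototype.hasOwnProperty.call(Object.prototype, marker);
  } finally {
    delete Object.prototype[marker];
  }
}
```

pollutesPrototype is the kind of probe to run in a test suite against any deep-merge or deep-set helper, since the same three keys are the usual entry points.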