Bug#972903: buster-pu: package node-pathval/1.1.0-3+deb10u1

2020-11-19 Thread Adam D. Barratt 
Control: tags -1 + confirmed

On Mon, 2020-10-26 at 04:49 +0100, Xavier Guimard wrote:
> node-pathval is vulnerable to a prototype pollution (CVE-2020-7751,
> #972895)
> 

Please go ahead.

Regards,

Adam

Bug#972903: buster-pu: package node-pathval/1.1.0-3+deb10u1

2020-10-25 Thread Xavier Guimard 
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian@packages.debian.org
Usertags: pu

[ Reason ]
node-pathval is vulnerable to a prototype pollution (CVE-2020-7751,
#972895)

[ Impact ]
Little security risk

[ Tests ]
The same patch is applied to debian/sid (same version) and tests are
enabled (and succeeds of course)

[ Risks ]
No risk, patch just adds a check

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

[ Changes ]
Just one check
diff --git a/debian/changelog b/debian/changelog
index 91b3ad0..05749be 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+node-pathval (1.1.0-3+deb10u1) buster; urgency=medium
+
+  * Fix prototype pollution (Closes: #972895, CVE-2020-7751)
+
+ -- Xavier Guimard   Mon, 26 Oct 2020 04:44:16 +0100
+
 node-pathval (1.1.0-3) unstable; urgency=medium
 
   * Point d/watch to /releases instead of /tags.
diff --git a/debian/patches/CVE-2020-7751.diff 
b/debian/patches/CVE-2020-7751.diff
new file mode 100644
index 000..7d1ed9a
--- /dev/null
+++ b/debian/patches/CVE-2020-7751.diff
@@ -0,0 +1,21 @@
+Description: fix prototype pollution
+Author: Adam Gold 
+Origin: upstream, https://github.com/chaijs/pathval/commit/21a9046
+Bug: https://snyk.io/vuln/SNYK-JS-PATHVAL-596926
+Bug-Debian: https://bugs.debian.org/972895
+Forwarded: not-needed
+Reviewed-By: Xavier Guimard 
+Last-Update: 2020-10-25
+
+--- a/index.js
 b/index.js
+@@ -76,6 +76,9 @@
+   var str = path.replace(/([^\\])\[/g, '$1.[');
+   var parts = str.match(/(\\\.|[^.]+?)+/g);
+   return parts.map(function mapMatches(value) {
++if (value === "constructor" || value === "__proto__" || value === 
"prototype") {
++  return {}
++}
+ var regexp = /^\[(\d+)\]$/;
+ var mArr = regexp.exec(value);
+ var parsed = null;
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 000..2c7bbd9
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1 @@
+CVE-2020-7751.diff