Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian....@packages.debian.org
Usertags: pu
[ Reason ]
node-y18n is vulnerable to prototype pollution

[ Impact ]
Little security risk

[ Tests ]
Test added in autopkgtest, and verified: fails without patch, succeeds with patch

[ Risks ]
Low risk, upstream test + CVE test shows that all works

[ Checklist ]
[X] *all* changes are documented in the d/changelog
[X] I reviewed all changes and I approve them
[X] attach debdiff against the package in (old)stable
[X] the issue is verified as fixed in unstable

[ Changes ]
Just a little change in variable initialization

Note: package already uploaded

Cheers,
Xavier
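The one-line change in the debdiff below is easier to judge with the pattern it fixes isolated. The following is an added example, not y18n's code and not part of this bug report: `LocaleStore` is a constructed stand-in for a cache keyed by an attacker-chosen locale name, in the shape the CVE check exercises (setLocale followed by updateLocale), and `probe` / `hardenedOwnKey` are helper names chosen here. It assumes the per-locale table starts empty (the real module reads a locale file first); the point it shows is why `Object.create(null)` is enough for the cache itself.

```javascript
// Added example (not y18n's code): a minimal locale cache in the shape the
// patch touches. `hardened` selects the Object.create(null) initialiser.
class LocaleStore {
  constructor(hardened) {
    this.locale = 'en';
    // Vulnerable: a plain object literal inherits Object.prototype, so
    // cache['__proto__'] *is* Object.prototype.
    // Hardened: a null-prototype object has no inherited '__proto__' accessor,
    // so cache['__proto__'] is simply undefined until set as an own key.
    this.cache = hardened ? Object.create(null) : {};
  }

  setLocale(locale) {
    this.locale = locale;
  }

  // Ensure a per-locale table exists, then copy the caller's keys into it.
  // Assumption for this example: no locale file on disk, so the table
  // starts empty instead of being loaded from ./locales/<locale>.json.
  updateLocale(obj) {
    if (!this.cache[this.locale]) this.cache[this.locale] = {};
    for (const key of Object.keys(obj)) {
      this.cache[this.locale][key] = obj[key];
    }
  }
}

// Run the CVE-style probe against one store and report whether a fresh,
// unrelated object picked up the injected property. Cleans up afterwards so
// repeated calls start from an unpolluted Object.prototype.
function probe(hardened) {
  const store = new LocaleStore(hardened);
  store.setLocale('__proto__');           // attacker-controlled locale name
  store.updateLocale({ polluted: true }); // attacker-controlled translations
  const leaked = ({}).polluted === true;  // visible on every object if polluted
  delete Object.prototype.polluted;       // undo any pollution for the next probe
  return leaked;
}

// Where the injected key lands in the hardened store: an *own* property
// literally named "__proto__" holding the translation table, not the shared
// prototype that every other object inherits from.
function hardenedOwnKey() {
  const store = new LocaleStore(true);
  store.setLocale('__proto__');
  store.updateLocale({ polluted: true });
  return Object.getOwnPropertyNames(store.cache).includes('__proto__') &&
         store.cache['__proto__'].polluted === true;
}

console.log('plain {} cache polluted:', probe(false));           // true
console.log('Object.create(null) cache polluted:', probe(true)); // false
console.log('hardened store keeps own "__proto__" key:', hardenedOwnKey()); // true
```

The cleanup in `probe` matters when writing a regression check like the one in this debdiff: once `Object.prototype.polluted` has been set, every later `({}).polluted` lookup in the same process reports it, so a test that probes twice must delete the property in between.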
diff --git a/debian/changelog b/debian/changelog index 72257ee..d969c10 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +node-y18n (3.2.1-2+deb10u1) buster; urgency=medium + + * Team upload. + * Fix prototype pollution (Closes: #976390, CVE-2020-7774) + + -- Xavier Guimard <y...@debian.org> Fri, 04 Dec 2020 15:41:08 +0100 + node-y18n (3.2.1-2) unstable; urgency=medium * Enable tests diff --git a/debian/patches/CVE-2020-7774.patch b/debian/patches/CVE-2020-7774.patch new file mode 100644 index 0000000..2e292c1 --- /dev/null +++ b/debian/patches/CVE-2020-7774.patch @@ -0,0 +1,20 @@ +Description: fix for CVE-2020-7774 +Author: bcoe <ben...@google.com> +Origin: upstream, bcoe <ben...@google.com> +Bug: https://github.com/yargs/y18n/issues/96 +Bug-Debian: https://bugs.debian.org/976390 +Forwarded: not-needed +Reviewed-By: Xavier Guimard <y...@debian.org> +Last-Update: 2020-12-04 + +--- a/index.js ++++ b/index.js +@@ -11,7 +11,7 @@ + this.fallbackToLanguage = typeof opts.fallbackToLanguage === 'boolean' ? opts.fallbackToLanguage : true + + // internal stuff. +- this.cache = {} ++ this.cache = Object.create(null) + this.writeQueue = [] + } + diff --git a/debian/patches/series b/debian/patches/series new file mode 100644 index 0000000..7d69b10 --- /dev/null +++ b/debian/patches/series @@ -0,0 +1 @@ +CVE-2020-7774.patch diff --git a/debian/tests/CVE-2020-7774-check b/debian/tests/CVE-2020-7774-check new file mode 100755 index 0000000..8b5ff40 --- /dev/null +++ b/debian/tests/CVE-2020-7774-check @@ -0,0 +1,14 @@ +#!/usr/bin/nodejs + +const y18n = require('y18n')(); +//var polluted; +y18n.setLocale('__proto__'); +y18n.updateLocale({polluted: true}); +try { +if(polluted) console.error('Vulnerable to CVE-2020-7774'); +process.exit(polluted); +} +catch(e) { +console.log('Not vulnerable to CVE-2020-7774'); +process.exit(0); +} diff --git a/debian/tests/control b/debian/tests/control index 57de701..b19a2bc 100644 --- a/debian/tests/control 
+++ b/debian/tests/control @@ -1,4 +1,4 @@ -Tests: require +Tests: require, CVE-2020-7774-check Depends: node-y18n Test-Command: mocha -R spec
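Review bot: in the index.js hunk, the patch header gives no upstream commit to trace this backport against: `Origin: upstream, bcoe <ben...@google.com>` names only the author and `Bug: https://github.com/yargs/y18n/issues/96` only the issue, so a later reviewer cannot diff the Debian patch against what upstream actually shipped. Suggest `Origin: upstream, <URL of the upstream fix commit>` in the DEP-3 header. The change itself is sound: `this.cache = Object.create(null)` means `this.cache['__proto__']` no longer resolves to `Object.prototype`, which is exactly the path the CVE check walks via `setLocale('__proto__')` followed by `updateLocale(...)`. One thing to confirm outside the hunk, since a null-prototype object has no inherited `hasOwnProperty` or `toString`: nothing else in index.js calls such methods directly on `this.cache`.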
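Review bot: in the debian/tests/CVE-2020-7774-check hunk, `process.exit(polluted);` hands a boolean to an integer exit status, so the vulnerable branch relies on the runtime coercing `true` to a non-zero code; write `process.exit(1)` there explicitly. The detection itself goes through an undeclared global (`if(polluted)` resolves `polluted` only because the polluted `Object.prototype` sits on the global object's prototype chain, and the `catch` relies on the ReferenceError when it does not), which is hard to read and is why the leftover `//var polluted;` line is still there. A direct check such as `if (({}).polluted === true) { console.error('Vulnerable to CVE-2020-7774'); process.exit(1); }` states the intent, needs no try/catch, and lets the commented-out declaration be dropped.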
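Review bot: in the debian/tests/control hunk, `Tests: require, CVE-2020-7774-check` and `Test-Command: mocha -R spec` must not sit in the same stanza, since autopkgtest treats the two fields as mutually exclusive; as extracted here the hunk shows `Depends: node-y18n` followed directly by `Test-Command:` with no separating blank line, so confirm that the real file keeps the `Test-Command` entry in its own stanza. The new test is otherwise wired correctly: `Depends: node-y18n` makes `require('y18n')` in the script resolve to the installed package rather than the source tree, which is what a regression check for a stable update should exercise.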