Bug#972694: buster-pu: package node-object-path/0.11.4-2+deb10u1

2020-10-24 Thread Adam D. Barratt 
Control: tags -1 + confirmed

On Thu, 2020-10-22 at 18:44 +0200, Xavier Guimard wrote:
> node-object-path is vulnerable to a prototype pollution (CVE-2020-
> 15256)

Please go ahead.

Regards,

Adam

Bug#972694: buster-pu: package node-object-path/0.11.4-2+deb10u1

2020-10-22 Thread Xavier Guimard 
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian@packages.debian.org
Usertags: pu

[ Reason ]
node-object-path is vulnerable to a prototype pollution (CVE-2020-15256)

[ Impact ]
Little prototype vulnerability available

[ Tests ]
Upstream test change seems to big to be included here (see link in
patch).

[ Risks ]
Low risk, patch just adds a check on prototype

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

[ Changes ]
Just a new security check
diff --git a/debian/changelog b/debian/changelog
index f85777e..da6bfd9 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+node-object-path (0.11.4-2+deb10u1) buster; urgency=medium
+
+  * Team upload
+  * Fix prototype pollution in set() (Closes: CVE-2020-15256)
+
+ -- Xavier Guimard   Thu, 22 Oct 2020 18:38:10 +0200
+
 node-object-path (0.11.4-2) unstable; urgency=medium
 
   * Update Vcs fields for migration to https://salsa.debian.org/
diff --git a/debian/patches/CVE-2020-15256.diff 
b/debian/patches/CVE-2020-15256.diff
new file mode 100644
index 000..97ee479
--- /dev/null
+++ b/debian/patches/CVE-2020-15256.diff
@@ -0,0 +1,21 @@
+Description: Fix prototype pollution in set()
+Author: Mario Casciaro 
+Origin: upstream, https://github.com/mariocasciaro/object-path/commit/2be3354c6
+Bug: 
https://github.com/mariocasciaro/object-path/security/advisories/GHSA-cwx2-736x-mf6w
+Forwarded: not-needed
+Reviewed-By: Xavier Guimard 
+Last-Update: 2020-10-22
+
+--- a/index.js
 b/index.js
+@@ -105,6 +105,10 @@
+   }
+   var currentPath = path[0];
+   var currentValue = getShallowProperty(obj, currentPath);
++  if (options.includeInheritedProps && (currentPath === '__proto__' ||
++(currentPath === 'constructor' && typeof currentValue === 
'function'))) {
++throw new Error('For security reasons, object\'s magic properties 
cannot be set')
++  }
+   if (path.length === 1) {
+ if (currentValue === void 0 || !doNotReplace) {
+   obj[currentPath] = value;
diff --git a/debian/patches/series b/debian/patches/series
index f99effd..f80fc45 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1 +1,2 @@
 port-to-chai4.patch
+CVE-2020-15256.diff