[Pkg-javascript-devel] Bug#926616: CVE-2018-3750: Prototype Pollution
Jeff Cliff
jeffrey.cliff at gmail.com
Sun Apr 7 23:22:00 BST 2019
Package: node-deep-extend
Version: 0.4.1-1
Severity: important
Dear Maintainer,
As per the ubuntu bug report:
from https://snyk.io/vuln/npm:deep-extend:20180409:
deep-extend: "all the listed modules can be tricked into modifying the prototype of Object when the attacker controls part of the structure passed to these functions."
This is verifiably true on at least buster, given the PoC listed in the above URL, but
since it's the same deep-extend in sid, it's probably the same there.
The following commit apparently fixes this (though I haven't verified that):
https://github.com/unclechu/node-deep-extend/commit/433ee51ed606f4e1867ece57b6ff5a47bebb492f
-- System Information:
Debian Release: buster/sid
APT prefers testing-debug
APT policy: (500, 'testing-debug'), (500, 'testing')
Architecture: amd64 (x86_64)
Kernel: Linux 4.19.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_CA.UTF-8, LC_CTYPE=en_CA.UTF-8 (charmap=UTF-8), LANGUAGE=en_CA:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages node-deep-extend depends on:
ii nodejs 10.15.2~dfsg-1
node-deep-extend recommends no packages.
node-deep-extend suggests no packages.
-- debconf-show failed