[Pkg-javascript-devel] Bug#926650: unblock: node-deep-extend/0.4.1-2

Xavier Guimard yadd at debian.org
Mon Apr 8 14:11:21 BST 2019


Package: release.debian.org
Severity: normal
User: release.debian.org at packages.debian.org
Usertags: unblock

Please unblock package node-deep-extend

Hi all,

node-deep-extend is vulnerable to CVE-2018-3750 [1]. This vulnerability
has been tagged as unimportant, however patch is simple and package is
outdated (VCS fields, bad section, bad copyright years) and upstream tests
were not enabled. I fixed this in version 0.4.1-2. Here is the full changes:

  * Add patch to prevent Object prototype pollution
    (Closes: #926616, CVE-2018-3750)
  * Enable upstream tests using pkg-js-tools
  * Fix VCS fields
  * Fix debian/copyright years
  * Add upstream/metadata
  * Change section to javascript

node-deep-extend has no build reverse dependencies.

Reverse dependencies:
  node-rc
    node-registry-url & node-registry-auth-token
      node-package-json
        node-latest-version
          npm
  	  npm2deb
    node-pre-gyp
      node-sqlite3
        node-mbtiles
        node-tilejson
        node-millstone
      node-zipfile
        node-millstone
      node-mapnik
        node-tilelive-bridge
        node-tilelive-vector
        node-tilelive-mapnik
      node-opencv

Since patch seems to have no consequences on normal node-deep-extend
usage, I think it is low risky to unblock node-deep-extend.
Patch comes from
https://github.com/unclechu/node-deep-extend/commit/9423fae877e2ab6b4aecc4db79a0ed63039d4703
(I just taked the useful part of it).

Cheers,
Xavier

[1]: https://security-tracker.debian.org/tracker/CVE-2018-3750

unblock node-deep-extend/0.4.1-2

-- System Information:
Debian Release: buster/sid
  APT prefers testing
  APT policy: (600, 'testing'), (50, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.14.0-3-amd64 (SMP w/2 CPU cores)
Kernel taint flags: TAINT_WARN
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE= (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
-------------- next part --------------
diff --git a/debian/changelog b/debian/changelog
index 5b0e688..e4e0c2e 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,6 +1,18 @@
+node-deep-extend (0.4.1-2) unstable; urgency=medium
+
+  * Team upload
+  * Add patch to prevent Object prototype pollution
+    (Closes: #926616, CVE-2018-3750)
+  * Enable upstream tests using pkg-js-tools
+  * Fix VCS fields
+  * Fix debian/copyright years
+  * Add upstream/metadata
+  * Change section to javascript
+
+ -- Xavier Guimard <yadd at debian.org>  Mon, 08 Apr 2019 14:52:06 +0200
+
 node-deep-extend (0.4.1-1) unstable; urgency=medium
 
-  * Initial release 
+  * Initial release
 
  -- Thorsten Alteholz <debian at alteholz.de>  Mon, 22 Feb 2016 18:16:21 +0100
-
diff --git a/debian/control b/debian/control
index 72892ea..4db1cb8 100644
--- a/debian/control
+++ b/debian/control
@@ -1,22 +1,24 @@
 Source: node-deep-extend
-Section: web
-Priority: optional
 Maintainer: Debian Javascript Maintainers <pkg-javascript-devel at lists.alioth.debian.org>
 Uploaders: Thorsten Alteholz <debian at alteholz.de>
-Build-Depends:
- debhelper (>= 9)
- , dh-buildinfo
- , nodejs
-Standards-Version: 3.9.7
+Section: javascript
+Testsuite: autopkgtest-pkg-nodejs
+Priority: optional
+Build-Depends: debhelper (>= 9),
+               dh-buildinfo,
+               mocha,
+               nodejs,
+               node-should,
+               pkg-js-tools
+Standards-Version: 4.3.0
+Vcs-Browser: https://salsa.debian.org/js-team/node-deep-extend
+Vcs-Git: https://salsa.debian.org/js-team/node-deep-extend.git
 Homepage: https://github.com/unclechu/node-deep-extend
-Vcs-Git: https://anonscm.debian.org/git/pkg-javascript/node-deep-extend.git
-Vcs-Browser: https://anonscm.debian.org/gitweb/?p=pkg-javascript/node-deep-extend.git
 
 Package: node-deep-extend
 Architecture: all
-Depends:
- ${misc:Depends}
- , nodejs
+Depends: ${misc:Depends},
+         nodejs
 Description: Recursive object extending
  This module does a recursive object extending.
  .
diff --git a/debian/copyright b/debian/copyright
index 28c1d90..a1f8541 100644
--- a/debian/copyright
+++ b/debian/copyright
@@ -1,14 +1,14 @@
-Format: http://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
+Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
 Upstream-Name: deep-extend
 Upstream-Contact: https://github.com/unclechu/node-deep-extend/issues
 Source: https://github.com/unclechu/node-deep-extend
 
 Files: *
-Copyright: 2016 Viacheslav Lotsmanov <lotsmanov89 at gmail.com>
+Copyright: 2013-2015, Viacheslav Lotsmanov <lotsmanov89 at gmail.com>
 License: Expat
 
 Files: debian/*
-Copyright: 2016 Thorsten Alteholz <debian at alteholz.de>
+Copyright: 2016, Thorsten Alteholz <debian at alteholz.de>
 License: Expat
 
 License: Expat
@@ -31,4 +31,3 @@ License: Expat
  ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
  CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
  SOFTWARE.
-
diff --git a/debian/patches/cve-2018-3750.diff b/debian/patches/cve-2018-3750.diff
new file mode 100644
index 0000000..429af12
--- /dev/null
+++ b/debian/patches/cve-2018-3750.diff
@@ -0,0 +1,29 @@
+Description: Fix for CVE-2018-3750
+Author: Xavier Guimard <yadd at debian.org>
+Origin: https://github.com/unclechu/node-deep-extend/commit/9423fae877e2ab6b4aecc4db79a0ed63039d4703
+Bug: https://security-tracker.debian.org/tracker/CVE-2018-3750
+Bug-Debian: https://bugs.debian.org/926616
+Forwarded: https://github.com/unclechu/node-deep-extend/commit/9423fae877e2ab6b4aecc4db79a0ed63039d4703
+Last-Update: 2019-04-08
+
+--- a/lib/deep-extend.js
++++ b/lib/deep-extend.js
+@@ -102,8 +102,8 @@
+ 		}
+ 
+ 		Object.keys(obj).forEach(function (key) {
+-			src = target[key]; // source value
+-			val = obj[key]; // new value
++			src = safeGetProperty(target, key); // source value
++			val = safeGetProperty(obj, key); // new value
+ 
+ 			// recursion prevention
+ 			if (val === target) {
+@@ -142,3 +142,7 @@
+ 
+ 	return target;
+ }
++
++function safeGetProperty(object, property) {
++  return property === '__proto__' ? undefined : object[property];
++}
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 0000000..4b4ad1b
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1 @@
+cve-2018-3750.diff
diff --git a/debian/rules b/debian/rules
index de57af0..20809a4 100755
--- a/debian/rules
+++ b/debian/rules
@@ -5,11 +5,4 @@
 #export DH_VERBOSE=1
 
 %:
-	dh $@
-
-#override_dh_auto_build:
-
-#override_dh_auto_test:
-
-
-
+	dh $@ --with nodejs
diff --git a/debian/tests/control b/debian/tests/control
deleted file mode 100644
index 2cdc011..0000000
--- a/debian/tests/control
+++ /dev/null
@@ -1,2 +0,0 @@
-Tests: require
-Depends: node-deep-extend
diff --git a/debian/tests/pkg-js/test b/debian/tests/pkg-js/test
new file mode 100644
index 0000000..91500a6
--- /dev/null
+++ b/debian/tests/pkg-js/test
@@ -0,0 +1 @@
+mocha --timeout 10000
diff --git a/debian/tests/require b/debian/tests/require
deleted file mode 100644
index 3711396..0000000
--- a/debian/tests/require
+++ /dev/null
@@ -1,3 +0,0 @@
-#!/bin/sh
-set -e
-nodejs -e "require('deep-extend');"
diff --git a/debian/upstream/metadata b/debian/upstream/metadata
new file mode 100644
index 0000000..4be43f6
--- /dev/null
+++ b/debian/upstream/metadata
@@ -0,0 +1,7 @@
+---
+Archive: GitHub
+Bug-Database: https://github.com/unclechu/node-deep-extend/issues
+Contact: https://github.com/unclechu/node-deep-extend/issues
+Name: node-deep-extend
+Repository: https://github.com/unclechu/node-deep-extend.git
+Repository-Browse: https://github.com/unclechu/node-deep-extend


More information about the Pkg-javascript-devel mailing list