[Pkg-javascript-devel] Bug#934704: buster-pu: package node-lodash/4.17.11+dfsg-2+deb10u1

Xavier Guimard yadd at debian.org
Tue Aug 13 18:07:32 BST 2019


Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org at packages.debian.org
Usertags: pu

Hi all,

node-lodash is vulnerable to prototype pollution (#933079,
CVE-2019-10744). I imported the upstream fix in the attached debdiff.

Cheers,
Xavier
-------------- next part --------------
diff --git a/debian/changelog b/debian/changelog
index 70f10cb..880adff 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+node-lodash (4.17.11+dfsg-2+deb10u1) buster; urgency=medium
+
+  * Team upload
+  * Fix prototype pollution (Closes: #933079, CVE-2019-10744)
+
+ -- Xavier Guimard <yadd at debian.org>  Tue, 13 Aug 2019 19:02:17 +0200
+
 node-lodash (4.17.11+dfsg-2) unstable; urgency=medium
 
   * Drop modules directory (now generated from source)
diff --git a/debian/patches/CVE-2019-10744.patch b/debian/patches/CVE-2019-10744.patch
new file mode 100644
index 0000000..bdf0936
--- /dev/null
+++ b/debian/patches/CVE-2019-10744.patch
@@ -0,0 +1,34 @@
+Description: fix for CVE-2019-10744
+Author: Xavier Guimard <yadd at debian.org>
+Origin: upstream, https://github.com/lodash/lodash/pull/4336/files
+Bug: https://github.com/lodash/lodash/issues/4348
+Bug-Debian: https://bugs.debian.org/933079
+Forwarded: not-needed
+Last-Update: 2019-08-13
+
+--- a/dist/lodash.js
++++ b/dist/lodash.js
+@@ -6613,6 +6613,10 @@
+      * @returns {*} Returns the property value.
+      */
+     function safeGet(object, key) {
++      if (key === 'constructor' && typeof object[key] === 'function') {
++        return;
++      }
++
+       if (key == '__proto__') {
+         return;
+       }
+--- a/lodash.js
++++ b/lodash.js
+@@ -6613,6 +6613,10 @@
+      * @returns {*} Returns the property value.
+      */
+     function safeGet(object, key) {
++      if (key === 'constructor' && typeof object[key] === 'function') {
++        return;
++      }
++
+       if (key == '__proto__') {
+         return;
+       }
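Review bot: the `Description:` header of this patch only says "fix for CVE-2019-10744"; since the change in `safeGet` (identical in both the `lodash.js` and `dist/lodash.js` hunks) is narrow, it is worth stating what it does, i.e. that a `constructor` key is now skipped when it holds a function, which is the path by which a deep merge could reach a prototype object, and which callers of `safeGet` that protects. Two smaller points: the added line uses strict `===` while the existing `__proto__` guard two lines below uses loose `==` (both compare against string literals, so the behaviour is the same, but the inconsistency is inherited from the upstream PR and may deserve a comment), and `Author: Xavier Guimard` sits next to `Origin: upstream`; per DEP-3, a straight backport of the linked pull request should carry the upstream author in `Author` or omit the field. No regression test is added with the backport; a short test that merges an object containing a `constructor` key into an empty object and then asserts that `Object.prototype` is unchanged would confirm that both copies of the hunk applied before upload.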
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 0000000..2dd5579
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1 @@
+CVE-2019-10744.patch
