[Pkg-javascript-devel] Bug#932500: Bug#932500: vulnerability: prototype pollution
Xavier
yadd at debian.org
Sat Jul 20 16:44:05 BST 2019
Le 20/07/2019 à 06:32, Paolo Greppi a écrit :
> Package: node-mixin-deep
> Version: 1.1.3-3
> Severity: important
>
> Dear Maintainer,
>
> node-mixin-deep 1.1.3-3 is affected by a prototype pollution vulnerability:
> https://snyk.io/vuln/SNYK-JS-MIXINDEEP-450212
> https://github.com/jonschlinkert/mixin-deep/issues/6
>
> Please upgrade to either 1.3.2 or 2.0.1.
>
> Thanks, Paolo
Hello,
here is a proposed fix.
Cheers,
Xavier
-------------- next part --------------
diff --git a/debian/changelog b/debian/changelog
index 17cb287..74f9154 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+node-mixin-deep (1.1.3-3+deb10u1) buster-security; urgency=medium
+
+ * Fix prototype pollution (Closes: #932500, CVE-2019-10746)
+
+ -- Xavier Guimard <yadd at debian.org> Sat, 20 Jul 2019 17:41:17 +0200
+
node-mixin-deep (1.1.3-3) unstable; urgency=medium
* Team upload
diff --git a/debian/patches/CVE-2019-10746.diff b/debian/patches/CVE-2019-10746.diff
new file mode 100644
index 0000000..cc4b58a
--- /dev/null
+++ b/debian/patches/CVE-2019-10746.diff
@@ -0,0 +1,41 @@
+Description: Fix for CVE-2019-10746 (prototype pollution)
+Author: Jon Schlinkert (https://github.com/jonschlinkert)
+Origin: upstream, https://github.com/jonschlinkert/mixin-deep/commit/90ee1fab
+Bug: https://snyk.io/vuln/SNYK-JS-MIXINDEEP-450212
+Bug-Debian: https://bugs.debian.org/932500
+Forwarded: not-needed
+Reviewed-By: Xavier Guimard <yadd at debian.org>
+Last-Update: 2019-07-20
+
+--- a/index.js
++++ b/index.js
+@@ -23,10 +23,9 @@
+ */
+
+ function copy(val, key) {
+- if (key === '__proto__') {
++ if (!isValidKey(key)) {
+ return;
+ }
+-
+ var obj = this[key];
+ if (isObject(val) && isObject(obj)) {
+ mixinDeep(obj, val);
+@@ -47,6 +46,17 @@
+ }
+
+ /**
++ * Returns true if `key` is a valid key to use when extending objects.
++ *
++ * @param {String} `key`
++ * @return {Boolean}
++ */
++
++function isValidKey(key) {
++ return key !== '__proto__' && key !== 'constructor' && key !== 'prototype';
++};
++
++/**
+ * Expose `mixinDeep`
+ */
+
diff --git a/debian/patches/series b/debian/patches/series
index 9b10403..da1c174 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1 +1,2 @@
CVE-2018-3719.diff
+CVE-2019-10746.diff
More information about the Pkg-javascript-devel
mailing list