[Pkg-javascript-devel] Bug#941189: Bug#941189: node-set-value: CVE-2019-10747
Xavier
yadd at debian.org
Thu Sep 26 06:31:21 BST 2019
On 26/09/2019 at 07:12, Salvatore Bonaccorso wrote:
> Source: node-set-value
> Version: 0.4.0-1
> Severity: important
> Tags: security upstream
> Control: found -1 3.0.0-1
>
> Hi,
>
> The following vulnerability was published for node-set-value.
>
> CVE-2019-10747[0]:
> | set-value is vulnerable to Prototype Pollution in versions lower than
> | 3.0.1. The function mixin-deep could be tricked into adding or
> | modifying properties of Object.prototype using any of the constructor,
> | prototype and _proto_ payloads.
>
>
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>
> For further information see:
>
> [0] https://security-tracker.debian.org/tracker/CVE-2019-10747
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10747
> [1] https://snyk.io/vuln/SNYK-JS-SETVALUE-450213
Hi,
here is a patch for Buster.
Cheers,
Xavier
diff --git a/debian/changelog b/debian/changelog
index 49d174b..871978a 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+node-set-value (0.4.0-1+deb10u1) buster-security; urgency=medium
+
+ * Fix prototype pollution (Closes: #941189, CVE-2019-10747)
+
+ -- Xavier Guimard <yadd at debian.org> Thu, 26 Sep 2019 07:27:54 +0200
+
node-set-value (0.4.0-1) unstable; urgency=low
* Initial release (Closes: #842255)
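Review bot: the bug report's Control line also marks the issue as found in 3.0.0-1, so this buster-security entry covers only the stable branch; an upload for unstable (3.0.1 or the same patch) is still needed and nothing here references it. The entry itself is fine: both `Closes: #941189` and the CVE id appear, as the reporter asked.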
diff --git a/debian/patches/CVE-2019-10747.diff b/debian/patches/CVE-2019-10747.diff
new file mode 100644
index 0000000..4f8dd54
--- /dev/null
+++ b/debian/patches/CVE-2019-10747.diff
@@ -0,0 +1,28 @@
+Description: Fix prototype pollution
+Author: Jon Schlinkert (https://github.com/jonschlinkert)
+Origin: upstream, https://github.com/jonschlinkert/set-value/commit/cb12f149
+Bug: https://snyk.io/vuln/SNYK-JS-SETVALUE-450213
+Bug-Debian: https://bugs.debian.org/941189
+Forwarded: not-needed
+Reviewed-By: Xavier Guimard <yadd at debian.org>
+Last-Update: 2019-09-26
+
+--- a/index.js
++++ b/index.js
+@@ -24,7 +24,7 @@
+ return obj;
+ }
+
+- var segs = path.split('.');
++ var segs = path.split('.').filter(isValidKey);
+ var len = segs.length, i = -1;
+ var res = obj;
+ var last;
+@@ -59,3 +59,7 @@
+ }
+ return res;
+ };
++
++function isValidKey(key) {
++ return key !== '__proto__' && key !== 'constructor' && key !== 'prototype';
++}
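Review bot: `filter(isValidKey)` silently drops reserved segments instead of rejecting the path, so a call with `a.__proto__.b` is rewritten to `a.b` and written into the caller's object with no error; that matches the upstream commit named in the Origin line, but the Description line could state it, since callers expecting an error will not get one. The second embedded hunk header `@@ -59,3 +59,7 @@` matches the four added lines, and the DEP-3 header is complete (Origin, Bug, Bug-Debian, Forwarded, Reviewed-By).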
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 0000000..ca81722
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1 @@
+CVE-2019-10747.diff
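To make the effect of the patch concrete, here is an added example (not set-value's index.js and not part of this mail): `setValue` is a simplified reconstruction of the dotted-path setter pattern the hunk context shows, run once without and once with upstream's `isValidKey` filter. `prototypeHasKey` and `compare` are hypothetical helpers that check whether a write reached `Object.prototype` and then undo it.

```javascript
'use strict';

// The filter added by the upstream fix (same three reserved names).
function isValidKey(key) {
  return key !== '__proto__' && key !== 'constructor' && key !== 'prototype';
}

// Simplified setter (an assumption, not set-value's real code): walk `obj`
// along the dotted `path`, creating intermediate objects, and assign `val`
// at the last segment. When `filter` is given, reserved segments are dropped
// from the split path, which is what the patch does.
function setValue(obj, path, val, filter) {
  if (typeof obj !== 'object' || obj === null) return obj;
  if (typeof path !== 'string') return obj;
  let segs = path.split('.');
  if (filter) segs = segs.filter(filter);
  if (segs.length === 0) return obj;
  let res = obj;
  for (let i = 0; i < segs.length - 1; i++) {
    const key = segs[i];
    // Unfiltered, key === '__proto__' makes res[key] the shared prototype,
    // so the final assignment below lands on Object.prototype.
    if (typeof res[key] !== 'object' || res[key] === null) {
      res[key] = {};
    }
    res = res[key];
  }
  res[segs[segs.length - 1]] = val;
  return obj;
}

// Does Object.prototype carry `key` as an own property?
function prototypeHasKey(key) {
  return Object.prototype.hasOwnProperty.call(Object.prototype, key);
}

// Run the same call against both variants and report, for each, whether the
// shared prototype was touched and which own keys the target ended up with.
// Any pollution is removed again so the process is left clean.
function compare(path, val) {
  const marker = path.split('.').pop();
  const result = {};
  for (const [name, filter] of [['unpatched', null], ['patched', isValidKey]]) {
    const target = {};
    setValue(target, path, val, filter);
    result[name] = { polluted: prototypeHasKey(marker), own: Object.keys(target) };
    delete Object.prototype[marker];
  }
  return result;
}

// Constructed input: the marker key name is arbitrary.
console.log(JSON.stringify(compare('__proto__.polluted', 'yes')));
console.log(JSON.stringify(compare('a.__proto__.polluted', 'yes')));
```

The `own` field shows where the write landed once the filter is active: the reserved segment is removed and the value is stored on the target itself (`polluted`, or `a.polluted` for the nested path) rather than on `Object.prototype`.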