[Pkg-javascript-devel] Bug#949121: buster-pu: package node-kind-of/6.0.2+dfsg-1+deb10u1

Xavier Guimard yadd at debian.org
Fri Jan 17 05:25:29 GMT 2020


Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org at packages.debian.org
Usertags: pu

Hi,

node-kind-of is vulnerable to CVE-2019-20149: it allows external user
input to overwrite certain internal attributes via a conflicting name.
This little patch fixes this issue.

Cheers,
Xavier
-------------- next part --------------
diff --git a/debian/changelog b/debian/changelog
index f69a6ac..93d28bf 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+node-kind-of (6.0.2+dfsg-1+deb10u1) buster; urgency=medium
+
+  * Team upload
+  * fix type checking vul in ctorName (Closes: #948095, CVE-2019-20149)
+
+ -- Xavier Guimard <yadd at debian.org>  Fri, 17 Jan 2020 06:19:37 +0100
+
 node-kind-of (6.0.2+dfsg-1) unstable; urgency=medium
 
   * Team upload
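Review bot: the changelog line `* fix type checking vul in ctorName` abbreviates "vulnerability" as "vul"; spelling it out (for example `* Fix type-checking vulnerability in ctorName (Closes: #948095, CVE-2019-20149)`) reads better in the published changelog and matches the full citation of the bug number and CVE id already on the same line.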
diff --git a/debian/patches/CVE-2019-20149.diff b/debian/patches/CVE-2019-20149.diff
new file mode 100644
index 0000000..0129c8e
--- /dev/null
+++ b/debian/patches/CVE-2019-20149.diff
@@ -0,0 +1,20 @@
+Description: fix type checking vul in ctorName
+ CVE-2019-20149
+Author: Brian Woodward
+Bug: https://github.com/jonschlinkert/kind-of/pull/30
+Bug-Debian: https://bugs.debian.org/948095
+Forwarded: not-needed
+Reviewed-By: Xavier Guimard <yadd at debian.org>
+Last-Update: 2020-01-17
+
+--- a/index.js
++++ b/index.js
+@@ -66,7 +66,7 @@
+ };
+ 
+ function ctorName(val) {
+-  return val.constructor ? val.constructor.name : null;
++  return typeof val.constructor === 'function' ? val.constructor.name : null;
+ }
+ 
+ function isArray(val) {
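Review bot: the DEP-3 header says `Forwarded: not-needed` while `Bug:` points at the upstream pull request the change was taken from; since the patch is upstream's own, `Origin: upstream, https://github.com/jonschlinkert/kind-of/pull/30` (with `Forwarded` dropped or set to `yes`) would record its provenance accurately. The one-line change is sound: testing `typeof val.constructor === 'function'` before reading `.name` means a plain `constructor` data property arriving in input is no longer treated as the object's constructor, which is the conflicting-name case the bug report describes. The `vul` abbreviation from the changelog also appears in `Description:` and could be spelled out there too.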
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 0000000..4228152
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1 @@
+CVE-2019-20149.diff

