[Pkg-javascript-devel] Bug#994974: Bug#994974: node-define-property: Please deembed and fix vulnerability
Jonas Smedegaard
jonas at jones.dk
Fri Sep 24 09:16:31 BST 2021
Hi Bastien,
Quoting Bastien Roucariès (2021-09-24 09:49:37)
> Package: node-define-property
> Severity: serious
> Tags: security upstream fixed-upstream
> Justification: security bug
> Forwarded: https://github.com/jonschlinkert/define-property/pull/6
> X-Debbugs-Cc: Debian Security Team <team at security.debian.org>
>
> Dear Maintainer,
>
> According to
> https://www.npmjs.com/advisories/1490
> node-define-property is vulnerable
>
>
> Because it embeds small modules that are vulnerable.
Sorry, I don't see the advisory mentioning define-property anywhere, and
don't see our actual code calling "constructor" anywhere, as seems to be
what the security issue in the advisory is about.
Your reference to a PR 6 seems to be tied to an older version of
define-property than in Debian.
Please elaborate how this vulnerability affects code in Debian.
> Embedding is bad and we have here another proof
I was puzzled at first, but think I now understand your point:
Embedding in general is not necessarily bad but is complex to do right -
embedding without proper tracking is bad.
What confused me is that at first I thought you were ranting about
Debian practice of embedding, but it seems you are ranting about lack of
tracking of (either upstream or Debian-introduced) embedding. Do I
understand that correctly?
Thanks for reporting, regardless,
- Jonas
--
* Jonas Smedegaard - idealist & Internet-arkitekt
* Tlf.: +45 40843136 Website: http://dr.jones.dk/
[x] quote me freely [ ] ask before reusing [ ] keep private