[Pkg-javascript-devel] Bug#994974: Bug#994974: node-define-property: Please de-embed and fix vulnerability

Bastien ROUCARIES roucaries.bastien at gmail.com
Fri Sep 24 10:36:19 BST 2021


On Fri, 24 Sep 2021 at 08:16, Jonas Smedegaard <jonas at jones.dk> wrote:
>
> Hi Bastien,
>
> Quoting Bastien Roucariès (2021-09-24 09:49:37)
> > Package: node-define-property
> > Severity: serious
> > Tags: security upstream fixed-upstream
> > Justification: security bug
> > Forwarded: https://github.com/jonschlinkert/define-property/pull/6
> > X-Debbugs-Cc: Debian Security Team <team at security.debian.org>
> >
> > Dear Maintainer,
> >
> > According to
> > https://www.npmjs.com/advisories/1490
> > node-define-property is vulnerable
> >
> >
> > Because it embeds small modules that are vulnerable.
>
> Sorry, I don't see the advisory mentioning define-property anywhere, and
> don't see our actual code calling "constructor" anywhere, as seems to be
> what the security in the advisory is about.
>
> Your reference to a PR 6 seems to be tied to an older version of
> define-property than in Debian.
>
> Please elaborate how this vulnerability affects code in Debian.
>
>
> > Embedding is bad, and here we have another proof.
>
> I was puzzled at first, but think I now understand your point:
>
> Embedding in general is not necessarily bad but is complex to do right -
> embedding without proper tracking is bad.

Yes, it is the lack of a README.Sources and the lack of a lintian tag.

>
> What confused me is that at first I thought you were ranting about
> Debian practice of embedding, but it seems you are ranting about lack of
> tracking of (either upstream or Debian-introduced) embedding.  Do I
> understand that correctly?

Yes, it is.

Fixed nevertheless.
>
> Thanks for reporting, regardless,
>
>  - Jonas
>
> --
>  * Jonas Smedegaard - idealist & Internet-arkitekt
>  * Tlf.: +45 40843136  Website: http://dr.jones.dk/
>
>  [x] quote me freely  [ ] ask before reusing  [ ] keep private
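Added example (not code from the thread, the npm advisory, or define-property itself): Jonas's reply notes that the advisory concerns code calling `constructor`. The general weakness behind that kind of check is a type test that trusts an object's own `constructor` property, which caller-supplied JSON can spoof by carrying a `"constructor"` key. The block below shows that naive idiom beside a hardened check that asks the engine for the internal class tag instead, and a small consumer that breaks when the spoofed object is routed down the RegExp branch. The function names and the sample JSON are assumptions made for this demo; whether the Debian version of define-property reaches such code is exactly the question the thread leaves open.

```javascript
'use strict';

// Naive: trusts whatever the object says its constructor is. A plain JSON
// object with a "constructor" key satisfies this check. (Assumed idiom for
// illustration, not define-property's code.)
function ctorNameNaive(val) {
  return val.constructor ? val.constructor.name : null;
}

function isRegExpNaive(val) {
  return val !== null && typeof val === 'object' && ctorNameNaive(val) === 'RegExp';
}

// Hardened: derive the type from the engine's internal class tag. An own
// "constructor" data property cannot influence this result.
function isRegExpSafe(val) {
  return Object.prototype.toString.call(val) === '[object RegExp]';
}

// Constructed attacker input, as it might arrive in a parsed request body.
const SPOOFED_JSON = '{"constructor": {"name": "RegExp"}, "source": "x"}';

function spoofedInput() {
  return JSON.parse(SPOOFED_JSON);
}

// A consumer that branches on the type check and then calls a RegExp method.
// With the naive check the spoofed object takes the RegExp branch and
// `pattern.test` is not a function; other code paths would instead treat the
// attacker's object as a trusted value of that type.
function matches(check, pattern, text) {
  if (check(pattern)) {
    return pattern.test(text);
  }
  return String(pattern) === text;
}

// Runs both checks over the spoofed object and a real RegExp and reports
// what each one concluded, so the difference is visible in one place.
function demo() {
  const spoof = spoofedInput();
  const results = {
    naiveSaysRegExp: isRegExpNaive(spoof),
    safeSaysRegExp: isRegExpSafe(spoof),
    realRegExpSafe: isRegExpSafe(/x/),
    naiveThrows: false,
    safeResult: null,
  };
  try {
    matches(isRegExpNaive, spoof, 'x');
  } catch (e) {
    results.naiveThrows = e instanceof TypeError;
  }
  results.safeResult = matches(isRegExpSafe, spoof, 'x');
  return results;
}

console.log(demo());
```

A middle-ground fix, requiring `typeof val.constructor === 'function'` before reading `.name`, stops JSON-borne spoofing (JSON cannot carry functions) but not an attacker who can hand the check an arbitrary object from the same realm; `Object.prototype.toString` or `Object.getPrototypeOf` comparisons are the checks that do not depend on properties the caller controls.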
