[Pkg-javascript-devel] Bug#1034664: unblock: node-xml2js/0.4.23+~cs15.4.0+dfsg-5
Yadd
yadd at debian.org
Fri Apr 21 08:16:32 BST 2023
Package: release.debian.org
Severity: normal
User: release.debian.org at packages.debian.org
Usertags: unblock
X-Debbugs-Cc: node-xml2js at packages.debian.org
Control: affects -1 + src:node-xml2js
Please unblock package node-xml2js
[ Reason ]
node-xml2js version 0.4.23 is vulnerable to prototype pollution: element and
attribute names taken from attacker-controlled XML can add or modify properties
on the prototype of the parsed object (#1034148, CVE-2023-0842)
[ Impact ]
Medium security issue
[ Tests ]
Test updates, passed
[ Risks ]
Low risk, patch is trivial and tested
[ Checklist ]
[X] all changes are documented in the d/changelog
[X] I reviewed all changes and I approve them
[X] attach debdiff against the package in testing
Cheers,
Yadd
unblock node-xml2js/0.4.23+~cs15.4.0+dfsg-5
diff --git a/debian/changelog b/debian/changelog
index 98492d7..9d9dac7 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,12 @@
+node-xml2js (0.4.23+~cs15.4.0+dfsg-5) unstable; urgency=medium
+
+ * Team upload
+ * Update standards version to 4.6.2, no changes needed.
+ * Update nodejs dependency to nodejs:any
+ * Add patch to prevent prototype pollution (Closes: #1034148, CVE-2023-0842)
+
+ -- Yadd <yadd at debian.org> Fri, 21 Apr 2023 11:11:13 +0400
+
node-xml2js (0.4.23+~cs15.4.0+dfsg-4) unstable; urgency=medium
* Team upload
diff --git a/debian/control b/debian/control
index dc4d6d0..406a88d 100644
--- a/debian/control
+++ b/debian/control
@@ -10,7 +10,7 @@ Build-Depends:
, node-sax <!nocheck>
, dh-sequence-nodejs
, node-diff
-Standards-Version: 4.6.1
+Standards-Version: 4.6.2
Vcs-Browser: https://salsa.debian.org/js-team/node-xml2js
Vcs-Git: https://salsa.debian.org/js-team/node-xml2js.git
Homepage: https://github.com/Leonidas-from-XIV/node-xml2js
@@ -21,8 +21,8 @@ Architecture: all
Depends:
${misc:Depends}
, node-sax
- , nodejs
, node-diff
+ , nodejs:any
Provides: ${nodejs:Provides}
Description: simple XML to JavaScript object converter - Node.js module
xml2js parses XML using node-sax and converts it to a plain JavaScript
diff --git a/debian/patches/CVE-2023-0842.patch b/debian/patches/CVE-2023-0842.patch
new file mode 100644
index 0000000..3d80ed9
--- /dev/null
+++ b/debian/patches/CVE-2023-0842.patch
@@ -0,0 +1,103 @@
+Description: use Object.create(null) to create all parsed objects
+ (prevent prototype replacement)
+Author: James Crosby <james at coggle.it>
+Origin: upstream, commit:581b19a6
+Bug: https://github.com/advisories/GHSA-776f-qx25-q3cc
+Bug-Debian: https://bugs.debian.org/1034148
+Forwarded: not-needed
+Applied-Upstream: 0.5.0, commit:581b19a6
+Reviewed-By: Yadd <yadd at debian.org>
+Last-Update: 2023-04-21
+
+--- a/src/parser.coffee
++++ b/src/parser.coffee
+@@ -103,12 +103,12 @@
+ charkey = @options.charkey
+
+ @saxParser.onopentag = (node) =>
+- obj = {}
++ obj = Object.create(null)
+ obj[charkey] = ""
+ unless @options.ignoreAttrs
+ for own key of node.attributes
+ if attrkey not of obj and not @options.mergeAttrs
+- obj[attrkey] = {}
++ obj[attrkey] = Object.create(null)
+ newValue = if @options.attrValueProcessors then processItem(@options.attrValueProcessors, node.attributes[key], key) else node.attributes[key]
+ processedKey = if @options.attrNameProcessors then processItem(@options.attrNameProcessors, key) else key
+ if @options.mergeAttrs
+@@ -161,7 +161,7 @@
+ # put children into <childkey> property and unfold chars if necessary
+ if @options.explicitChildren and not @options.mergeAttrs and typeof obj is 'object'
+ if not @options.preserveChildrenOrder
+- node = {}
++ node = Object.create(null)
+ # separate attributes
+ if @options.attrkey of obj
+ node[@options.attrkey] = obj[@options.attrkey]
+@@ -179,7 +179,7 @@
+ # append current node onto parent's <childKey> array
+ s[@options.childkey] = s[@options.childkey] or []
+ # push a clone so that the node in the children array can receive the #name property while the original obj can do without it
+- objClone = {}
++ objClone = Object.create(null)
+ for own key of obj
+ objClone[key] = obj[key]
+ s[@options.childkey].push objClone
+@@ -196,7 +196,7 @@
+ if @options.explicitRoot
+ # avoid circular references
+ old = obj
+- obj = {}
++ obj = Object.create(null)
+ obj[nodeName] = old
+
+ @resultObject = obj
+--- a/test/parser.test.coffee
++++ b/test/parser.test.coffee
+@@ -531,13 +531,13 @@
+
+ 'test single attrNameProcessors': skeleton(attrNameProcessors: [nameToUpperCase], (r)->
+ console.log 'Result object: ' + util.inspect r, false, 10
+- equ r.sample.attrNameProcessTest[0].$.hasOwnProperty('CAMELCASEATTR'), true
+- equ r.sample.attrNameProcessTest[0].$.hasOwnProperty('LOWERCASEATTR'), true)
++ equ {}.hasOwnProperty.call(r.sample.attrNameProcessTest[0].$, 'CAMELCASEATTR'), true
++ equ {}.hasOwnProperty.call(r.sample.attrNameProcessTest[0].$, 'LOWERCASEATTR'), true)
+
+ 'test multiple attrNameProcessors': skeleton(attrNameProcessors: [nameToUpperCase, nameCutoff], (r)->
+ console.log 'Result object: ' + util.inspect r, false, 10
+- equ r.sample.attrNameProcessTest[0].$.hasOwnProperty('CAME'), true
+- equ r.sample.attrNameProcessTest[0].$.hasOwnProperty('LOWE'), true)
++ equ {}.hasOwnProperty.call(r.sample.attrNameProcessTest[0].$, 'CAME'), true
++ equ {}.hasOwnProperty.call(r.sample.attrNameProcessTest[0].$, 'LOWE'), true)
+
+ 'test single attrValueProcessors': skeleton(attrValueProcessors: [nameToUpperCase], (r)->
+ console.log 'Result object: ' + util.inspect r, false, 10
+@@ -559,21 +559,21 @@
+
+ 'test single tagNameProcessors': skeleton(tagNameProcessors: [nameToUpperCase], (r)->
+ console.log 'Result object: ' + util.inspect r, false, 10
+- equ r.hasOwnProperty('SAMPLE'), true
+- equ r.SAMPLE.hasOwnProperty('TAGNAMEPROCESSTEST'), true)
++ equ {}.hasOwnProperty.call(r, 'SAMPLE'), true
++ equ {}.hasOwnProperty.call(r.SAMPLE, 'TAGNAMEPROCESSTEST'), true)
+
+ 'test single tagNameProcessors in simple callback': (test) ->
+ fs.readFile fileName, (err, data) ->
+ xml2js.parseString data, tagNameProcessors: [nameToUpperCase], (err, r)->
+ console.log 'Result object: ' + util.inspect r, false, 10
+- equ r.hasOwnProperty('SAMPLE'), true
+- equ r.SAMPLE.hasOwnProperty('TAGNAMEPROCESSTEST'), true
++ equ {}.hasOwnProperty.call(r, 'SAMPLE'), true
++ equ {}.hasOwnProperty.call(r.SAMPLE, 'TAGNAMEPROCESSTEST'), true
+ test.finish()
+
+ 'test multiple tagNameProcessors': skeleton(tagNameProcessors: [nameToUpperCase, nameCutoff], (r)->
+ console.log 'Result object: ' + util.inspect r, false, 10
+- equ r.hasOwnProperty('SAMP'), true
+- equ r.SAMP.hasOwnProperty('TAGN'), true)
++ equ {}.hasOwnProperty.call(r, 'SAMP'), true
++ equ {}.hasOwnProperty.call(r.SAMP, 'TAGN'), true)
+
+ 'test attrValueProcessors key param': skeleton(attrValueProcessors: [replaceValueByName], (r)->
+ console.log 'Result object: ' + util.inspect r, false, 10
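Review bot: Switching every parsed container to `Object.create(null)` is a visible API change, not only a hardening: results no longer inherit from Object.prototype, so consumer code calling `r.hasOwnProperty('x')` or `r.toString()` on them now throws a TypeError, which is exactly why the package's own tests had to be rewritten from `r.hasOwnProperty(...)` to `{}.hasOwnProperty.call(r, ...)` in the test/parser.test.coffee hunks. For an unblock into a frozen release that is a behaviour change reverse dependencies may trip over, so the "patch is trivial" risk assessment should be backed by running the autopkgtests of packages that depend on node-xml2js, and the changelog or a NEWS entry should mention it. The patch header would also benefit from a short note to future maintainers, e.g. `Parsed objects have no prototype; check keys with Object.prototype.hasOwnProperty.call(obj, k) or the in operator.` The `for own key of obj` clone loop in the explicitChildren hunk keeps working because CoffeeScript's `own` compiles to a `hasOwnProperty.call` check rather than a method call on the object.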
diff --git a/debian/patches/series b/debian/patches/series
index 2840ff2..c9bf5bb 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,2 +1,3 @@
fix-for-coffeescript-2.patch
drop-test-not-compatible-with-coffe-2.patch
+CVE-2023-0842.patch