[Pkg-javascript-devel] Bug#1034665: bullseye-pu: package node-xml2js/0.2.8-1+deb11u1

Yadd yadd at debian.org
Fri Apr 21 08:36:54 BST 2023


Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian.org at packages.debian.org
Usertags: pu
X-Debbugs-Cc: node-xml2js at packages.debian.org
Control: affects -1 + src:node-xml2js

[ Reason ]
node-xml2js version 0.4.23 allows an external attacker to edit or add new
properties to an object (#1034148, CVE-2023-0842)

[ Impact ]
Medium security issue

[ Tests ]
Sadly tests are not enabled in Bullseye

[ Risks ]
Low risk, patch is trivial

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

[ Changes ]
Replace {} by Object.create(null)

Cheers,
Yadd
-------------- next part --------------
diff --git a/debian/changelog b/debian/changelog
index 628f69a..106d13b 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+node-xml2js (0.2.8-1+deb11u1) bullseye; urgency=medium
+
+  * Team upload
+  * Add patch to prevent prototype pollution (Closes: #1034148, CVE-2023-0842)
+
+ -- Yadd <yadd at debian.org>  Fri, 21 Apr 2023 11:33:31 +0400
+
 node-xml2js (0.2.8-1) unstable; urgency=low
 
   * Upstream update
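Review bot: the changelog entry documents the CVE but not the observable behaviour change the patch brings, namely that every parsed object is now created with Object.create(null) and therefore no longer inherits Object.prototype methods; with tests disabled in bullseye (per the [ Tests ] section) nothing in this upload exercises that, so consider adding a sentence here or a debian/NEWS entry telling consumers that calls such as `result.hasOwnProperty(...)` on parse output must become `Object.prototype.hasOwnProperty.call(result, ...)`.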
diff --git a/debian/patches/CVE-2023-0842.patch b/debian/patches/CVE-2023-0842.patch
new file mode 100644
index 0000000..cd03e08
--- /dev/null
+++ b/debian/patches/CVE-2023-0842.patch
@@ -0,0 +1,46 @@
+Description: use Object.create(null) to create all parsed objects
+ (prevent prototype replacement)
+Author: James Crosby <james at coggle.it>
+Origin: upstream, commit:581b19a6
+Bug: https://github.com/advisories/GHSA-776f-qx25-q3cc
+Bug-Debian: https://bugs.debian.org/1034148
+Forwarded: not-needed
+Applied-Upstream: 0.5.0, commit:581b19a6
+Reviewed-By: Yadd <yadd at debian.org>
+Last-Update: 2023-04-21
+
+--- a/src/xml2js.coffee
++++ b/src/xml2js.coffee
+@@ -105,12 +105,12 @@
+     charkey = @options.charkey
+ 
+     @saxParser.onopentag = (node) =>
+-      obj = {}
++      obj = Object.create(null)
+       obj[charkey] = ""
+       unless @options.ignoreAttrs
+         for own key of node.attributes
+           if attrkey not of obj and not @options.mergeAttrs
+-            obj[attrkey] = {}
++            obj[attrkey] = Object.create(null)
+           if @options.mergeAttrs
+             obj[key] = node.attributes[key]
+           else
+@@ -158,7 +158,7 @@
+ 
+       # put children into <childkey> property and unfold chars if necessary
+       if @options.explicitChildren and not @options.mergeAttrs and typeof obj is 'object'
+-        node = {}
++        node = Object.create(null)
+         # separate attributes
+         if @options.attrkey of obj
+           node[@options.attrkey] = obj[@options.attrkey]
+@@ -193,7 +193,7 @@
+         if @options.explicitRoot
+           # avoid circular references
+           old = obj
+-          obj = {}
++          obj = Object.create(null)
+           obj[nodeName] = old
+ 
+         @resultObject = obj
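Review bot: the patch modifies only src/xml2js.coffee, so it only reaches installed users if the package build recompiles the CoffeeScript source into lib/; since the debdiff does not show debian/rules and the cover mail says tests are disabled in bullseye, please confirm the coffee compiler runs at build time (or additionally patch the generated lib/xml2js.js). The four replacements themselves, `-      obj = {}` / `+      obj = Object.create(null)` and the three like it, correspond to the upstream commit named in the Origin/Applied-Upstream headers, and the `for own key of node.attributes` loop is unaffected because node.attributes comes from the sax parser rather than from one of the null-prototype objects.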
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 0000000..6b5589b
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1 @@
+CVE-2023-0842.patch

