[Pkg-javascript-devel] Bug#1028992: bullseye-pu: package node-json5/2.1.3-2+deb11u1
Yadd
yadd at debian.org
Mon Jan 16 03:38:34 GMT 2023
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian.org at packages.debian.org
Usertags: pu
X-Debbugs-Cc: node-json5 at packages.debian.org
Control: affects -1 + src:node-json5
[ Reason ]
node-json5 is vulnerable to prototype pollution (CVE-2022-46175)
[ Impact ]
Medium security issue
[ Tests ]
New tests added, passed
[ Risks ]
Low risk: the patch is small and self-contained, and the new upstream tests pass
[ Checklist ]
[X] *all* changes are documented in the d/changelog
[X] I reviewed all changes and I approve them
[X] attach debdiff against the package in (old)stable
[X] the issue is verified as fixed in unstable
Cheers,
Yadd
diff --git a/debian/changelog b/debian/changelog
index fef8d26..0aa0bd6 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+node-json5 (2.1.3-2+deb11u1) bullseye; urgency=medium
+
+ * Team upload
+ * add __proto__ to objects and arrays (Closes: CVE-2022-46175)
+
+ -- Yadd <yadd at debian.org> Mon, 16 Jan 2023 07:34:31 +0400
+
node-json5 (2.1.3-2) unstable; urgency=medium
* Team upload.
diff --git a/debian/patches/CVE-2022-46175.patch b/debian/patches/CVE-2022-46175.patch
new file mode 100644
index 0000000..1b2acc6
--- /dev/null
+++ b/debian/patches/CVE-2022-46175.patch
@@ -0,0 +1,91 @@
+Description: add __proto__ to objects and arrays
+Author: Jordan Tucker <jordanbtucker at gmail.com>
+Origin: upstream, https://github.com/json5/json5/commit/4a8c4568
+Forwarded: not-needed
+Reviewed-By: Yadd <yadd at debian.org>
+Last-Update: 2023-01-16
+
+--- a/CHANGELOG.md
++++ b/CHANGELOG.md
+@@ -340,5 +340,6 @@
+ [#182]: https://github.com/json5/json5/issues/182
+ [#187]: https://github.com/json5/json5/issues/187
+ [#196]: https://github.com/json5/json5/issues/196
++[#199]: https://github.com/json5/json5/issues/199
+ [#208]: https://github.com/json5/json5/issues/208
+ [#210]: https://github.com/json5/json5/issues/210
+--- a/lib/parse.js
++++ b/lib/parse.js
+@@ -41,15 +41,35 @@
+
+ function internalize (holder, name, reviver) {
+ const value = holder[name]
+- if (value != null && typeof value === 'object') {
+- for (const key in value) {
+- const replacement = internalize(value, key, reviver)
+- if (replacement === undefined) {
+- delete value[key]
+- } else {
+- value[key] = replacement
+- }
++ if (Array.isArray(value)) {
++ for (let i = 0; i < value.length; i++) {
++ const key = String(i)
++ const replacement = internalize(value, key, reviver)
++ if (replacement === undefined) {
++ delete value[key]
++ } else {
++ Object.defineProperty(value, key, {
++ value: replacement,
++ writable: true,
++ enumerable: true,
++ configurable: true,
++ })
++ }
++ }
++ } else {
++ for (const key in value) {
++ const replacement = internalize(value, key, reviver)
++ if (replacement === undefined) {
++ delete value[key]
++ } else {
++ Object.defineProperty(value, key, {
++ value: replacement,
++ writable: true,
++ enumerable: true,
++ configurable: true,
++ })
+ }
++ }
+ }
+
+ return reviver.call(holder, name, value)
+@@ -973,7 +993,12 @@
+ if (Array.isArray(parent)) {
+ parent.push(value)
+ } else {
+- parent[key] = value
++ Object.defineProperty(parent, key, {
++ value,
++ writable: true,
++ enumerable: true,
++ configurable: true,
++ })
+ }
+ }
+
+--- a/test/parse.js
++++ b/test/parse.js
+@@ -293,6 +293,12 @@
+ )
+
+ t.strictSame(
++ JSON5.parse('{"__proto__":1}').__proto__,
++ 1,
++ 'preserves __proto__ property names',
++ )
++
++ t.strictSame(
+ JSON5.parse('{a:{b:2}}', (k, v) => (k === 'b') ? 'revived' : v),
+ {a: {b: 'revived'}},
+ 'modifies nested object property values'
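Review bot: The rewritten internalize drops the `value != null && typeof value === 'object'` guard (removed at the `-` line near the top of the lib/parse.js hunk) and nothing re-adds it, so the new `else` branch runs `for (const key in value)` on any non-array value; for a primitive string reached through a reviver (`JSON5.parse('"ab"', (k, v) => v)`) that enumerates the index keys and recurses on `'a'['0'] === 'a'` without end, so the parse would overflow the stack. My recollection is that upstream kept that guard as the outer condition around the new `Array.isArray` split, so either the nested-diff rendering here lost it or the backport did; the patch file should be re-checked and the guard kept as `if (value != null && typeof value === 'object') {` wrapping the new `if (Array.isArray(value)) … else …` block. The added test only exercises the no-reviver path through the second hunk, while internalize (the first hunk) is untested for this case; a reviver assertion such as `JSON5.parse('{"__proto__":1}', (k, v) => v).__proto__ === 1`, plus a check that `({}).polluted` is still undefined after parsing `'{"__proto__":{"polluted":true}}'`, would pin the actual CVE behaviour rather than just key preservation. Note also that `delete value[key]` on the array branch leaves a hole rather than shortening the array, which matches the pre-patch behaviour and is presumably intended.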
diff --git a/debian/patches/series b/debian/patches/series
index dc10249..f55f44a 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,2 +1,3 @@
update-unicode.diff
ship_typescript_definitions.patch
+CVE-2022-46175.patch