[Pkg-javascript-devel] Bug#1086611: bookworm-pu: package node-dompurify/2.4.1+dfsg+~2.4.0-2+deb12u1
Yadd
yadd at debian.org
Sat Nov 2 06:20:27 GMT 2024
Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: node-dompurify at packages.debian.org, yadd at debian.org
Control: affects -1 + src:node-dompurify
User: release.debian.org at packages.debian.org
Usertags: pu
[ Reason ]
node-dompurify is vulnerable to prototype pollutions.
Note that CVE-2024-45801 came with the previous security fix pushed to
Bookworm via a security update (regression).
[ Impact ]
Low security issue
[ Tests ]
No tests in Bookworm for this package
[ Risks ]
Low risk, patch is trivial
[ Checklist ]
[X] *all* changes are documented in the d/changelog
[X] I reviewed all changes and I approve them
[X] attach debdiff against the package in (old)stable
[X] the issue is verified as fixed in unstable
[ Changes ]
Just some additional checks
Best regards,
Yadd
-------------- next part --------------
diff --git a/debian/changelog b/debian/changelog
index 02c7a01..e9a5528 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+node-dompurify (2.4.1+dfsg+~2.4.0-2+deb12u1) bookworm; urgency=medium
+
+ * Fix prototype pollutions (Closes: CVE-2024-45801, CVE-2024-48910)
+
+ -- Yadd <yadd at debian.org> Sat, 02 Nov 2024 07:15:24 +0100
+
node-dompurify (2.4.1+dfsg+~2.4.0-2) bookworm-security; urgency=medium
* Team upload
diff --git a/debian/patches/CVE-2024-45801.patch b/debian/patches/CVE-2024-45801.patch
new file mode 100644
index 0000000..3aa90c4
--- /dev/null
+++ b/debian/patches/CVE-2024-45801.patch
@@ -0,0 +1,74 @@
+Description: fix prototype pollution
+ Regression introduced into 2.4.1+dfsg+~2.4.0-2
+Author: Mario Heiderich <mario at cure53.de>
+Origin: upstream, https://github.com/cure53/DOMPurify/commit/26e1d69c
+Bug: https://github.com/cure53/DOMPurify/security/advisories/GHSA-mmhx-hmjr-r674
+Forwarded: not-needed
+Applied-Upstream: 2.5.1, https://github.com/cure53/DOMPurify/commit/26e1d69c
+Reviewed-By: Yadd <yadd at debian.org>
+Last-Update: 2024-10-30
+
+--- a/src/purify.js
++++ b/src/purify.js
+@@ -14,6 +14,7 @@
+ stringToString,
+ stringIndexOf,
+ stringTrim,
++ numberIsNaN,
+ regExpTest,
+ typeErrorCreate,
+ lookupGetter,
+@@ -1484,8 +1485,14 @@
+ }
+ }
+
+- /* Remove first element node (ours) if FORCE_BODY is set */
+- if (body && FORCE_BODY) {
++ /*
++ * Remove an element if nested too deeply to avoid mXSS
++ * or if the __depth might have been tampered with
++ */
++ if (
++ shadowNode.__depth >= MAX_NESTING_DEPTH ||
++ numberIsNaN(shadowNode.__depth)
++ ) {
+ _forceRemove(body.firstChild);
+ }
+
+@@ -1520,8 +1527,14 @@
+ }
+ }
+
+- /* Remove an element if nested too deeply to avoid mXSS */
+- if (currentNode.__depth >= MAX_NESTING_DEPTH) {
++ /*
++ * Remove an element if nested too deeply to avoid mXSS
++ * or if the __depth might have been tampered with
++ */
++ if (
++ currentNode.__depth >= MAX_NESTING_DEPTH ||
++ numberIsNaN(currentNode.__depth)
++ ) {
+ _forceRemove(currentNode);
+ }
+
+--- a/src/utils.js
++++ b/src/utils.js
+@@ -50,6 +50,8 @@
+
+ const typeErrorCreate = unconstruct(TypeError);
+
++const numberIsNaN = unapply(Number.isNaN);
++
+ export function unapply(func) {
+ return (thisArg, ...args) => apply(func, thisArg, args);
+ }
+@@ -155,6 +157,8 @@
+ stringToLowerCase,
+ stringToString,
+ stringTrim,
++ // Number
++ numberIsNaN,
+ // Errors
+ typeErrorCreate,
+ // Other
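Review bot: In the src/purify.js hunk at `@@ -1484,8 +1485,14 @@`, the new depth guard replaces the `if (body && FORCE_BODY) {` condition but still wraps `_forceRemove(body.firstChild);`, so the FORCE_BODY cleanup now depends on `shadowNode.__depth`, a name the hunk does not show being defined at that point; it looks as if the upstream change landed on the wrong block when the patch was refreshed. I would restore `if (body && FORCE_BODY) {` there and move the guard to the shadow-DOM depth check, which lies outside the lines shown. Separately, `unapply` in src/utils.js passes its first argument as `thisArg`, so `numberIsNaN(currentNode.__depth)` calls `Number.isNaN` with no argument and, assuming `apply` behaves like `Reflect.apply`, always returns false; `const numberIsNaN = Number.isNaN;` would make the tamper check effective. Since the request states the package has no tests in Bookworm, both paths should be exercised by hand before upload.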
diff --git a/debian/patches/CVE-2024-48910.patch b/debian/patches/CVE-2024-48910.patch
new file mode 100644
index 0000000..41ccf65
--- /dev/null
+++ b/debian/patches/CVE-2024-48910.patch
@@ -0,0 +1,20 @@
+Description: fix prototype pollution
+Author: Mario Heiderich <mario at cure53.de>
+Origin: upstream, https://github.com/cure53/DOMPurify/commit/d1dd0374
+Bug: https://github.com/cure53/DOMPurify/security/advisories/GHSA-p3vf-v8qc-cwcr
+Forwarded: not-needed
+Applied-Upstream: 2.4.2
+Reviewed-By: Yadd <yadd at debian.org>
+Last-Update: 2024-11-02
+
+--- a/src/utils.js
++++ b/src/utils.js
+@@ -97,7 +97,7 @@
+
+ let property;
+ for (property in object) {
+- if (apply(hasOwnProperty, object, [property])) {
++ if (apply(hasOwnProperty, object, [property]) === true) {
+ newObject[property] = object[property];
+ }
+ }
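Review bot: The reason for the strict `=== true` comparison is not recorded next to the changed line in src/utils.js, so a later cleanup could drop it as redundant. A short comment above the `if` would help, for example `/* Accept only a real boolean true; presumably guards against a tampered hasOwnProperty result passing as truthy */`. The enclosing function starts outside the hunk, so whether `newObject` is created without a prototype cannot be confirmed from here; that is worth checking alongside this fix, given that the patch description is about prototype pollution.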
diff --git a/debian/patches/series b/debian/patches/series
index d5a92ec..5e38c3a 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1 +1,3 @@
CVE-2024-47875.patch
+CVE-2024-45801.patch
+CVE-2024-48910.patch