[Pkg-javascript-devel] Bug#1084983: Bug#1084983: node-dompurify: CVE-2024-47875
Yadd
yadd at debian.org
Wed Oct 30 05:38:33 GMT 2024
On 10/19/24 15:32, Salvatore Bonaccorso wrote:
> Hi Yadd, hi Moritz,
>
> On Sat, Oct 12, 2024 at 07:37:45PM +0200, Yadd wrote:
>> On 10/12/24 18:08, Moritz Mühlenhoff wrote:
>>> On Sat, Oct 12, 2024 at 04:14:14PM +0200, Yadd wrote:
>>>> Hi,
>>>>
>>>> here is a debdiff for bookworm
>>>
>>> Please upload to security-master, thanks!
>>>
>>> Cheers,
>>> Moritz
>>
>> Hi,
>>
>> it's done
>
> Please correct me if I'm wrong, but haven't we here introduced now
> CVE-2024-45801 for bookworm?
>
> The GHSA-gx9m-whjm-85jf mentioned to be cautious when cherry-picking
> commits, in fact the commit 0ef5e537a514f904b6aa1d7ad9e749e365d7185f
> introduces then CVE-2024-45801.
>
> Do we need now a followup to fix node-dompurify in bookworm for
> CVE-2024-45801?
>
> Regards,
> Salvatore
Hi,
you're right. Here is a proposed fix.
Best regards,
Xavier
diff --git a/debian/changelog b/debian/changelog
index 02c7a01..ce953f3 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+node-dompurify (2.4.1+dfsg+~2.4.0-2+deb12u1) bookworm; urgency=medium
+
+ * Fix prototype pollution (Closes: CVE-2024-45801)
+
+ -- Yadd <yadd at debian.org> Wed, 30 Oct 2024 06:36:27 +0100
+
node-dompurify (2.4.1+dfsg+~2.4.0-2) bookworm-security; urgency=medium
* Team upload
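Review bot: `Closes:` in a Debian changelog takes a bug number, not a CVE id, so ` * Fix prototype pollution (Closes: CVE-2024-45801)` will not close anything and will trip the changelog parser's expectations. Write the CVE plainly, ` * Fix prototype pollution (CVE-2024-45801)`, and add `Closes: #NNNNNN` only if a Debian bug exists for the regression. Also note the previous entry targets `bookworm-security` while the new one targets `bookworm`; since the regression was introduced by a security-master upload, this fix would normally go through `bookworm-security` too unless a stable point update is intended.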
diff --git a/debian/patches/CVE-2024-45801.patch b/debian/patches/CVE-2024-45801.patch
new file mode 100644
index 0000000..6ed6820
--- /dev/null
+++ b/debian/patches/CVE-2024-45801.patch
@@ -0,0 +1,70 @@
+Description: fix prototype pollution
+ Regression introduced into 2.4.1+dfsg+~2.4.0-2
+Author: Mario Heiderich <mario at cure53.de>
+Origin: upstream, https://github.com/cure53/DOMPurify/commit/26e1d69c
+Bug: https://github.com/cure53/DOMPurify/security/advisories/GHSA-mmhx-hmjr-r674
+Forwarded: not-needed
+Applied-Upstream: 2.5.1, https://github.com/cure53/DOMPurify/commit/26e1d69c
+Reviewed-By: Yadd <yadd at debian.org>
+Last-Update: 2024-10-30
+
+--- a/src/purify.js
++++ b/src/purify.js
+@@ -14,6 +14,7 @@
+ stringToString,
+ stringIndexOf,
+ stringTrim,
++ numberIsNaN,
+ regExpTest,
+ typeErrorCreate,
+ lookupGetter,
+@@ -1486,6 +1487,14 @@
+
+ /* Remove first element node (ours) if FORCE_BODY is set */
+ if (body && FORCE_BODY) {
++ /*
++ * Remove an element if nested too deeply to avoid mXSS
++ * or if the __depth might have been tampered with
++ */
++ if (
++ shadowNode.__depth >= MAX_NESTING_DEPTH ||
++ numberIsNaN(shadowNode.__depth)
++ ) {
+ _forceRemove(body.firstChild);
+ }
+
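Review bot: this hunk does not parse: eight `+` lines and no `-` lines add `if (shadowNode.__depth >= MAX_NESTING_DEPTH || numberIsNaN(shadowNode.__depth)) {` inside `if (body && FORCE_BODY) {`, but no matching `}` is added, so the file is left with an unclosed block. The condition also refers to `shadowNode`, which nothing in the visible context defines at this site; the code here removes `body.firstChild`, and the comment above it says that removal happens whenever FORCE_BODY is set, so gating it on a depth test changes FORCE_BODY behaviour instead of hardening a depth check. This looks like a mis-rebased hunk: by analogy with the second purify.js hunk, whose context shows the existing pattern `if (currentNode.__depth >= MAX_NESTING_DEPTH) {`, the intended target is presumably the corresponding `shadowNode.__depth` check, and the change should replace that condition (one `-` line, the new `||` condition as `+` lines) rather than open a new nested `if`.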
+@@ -1522,6 +1531,14 @@
+
+ /* Remove an element if nested too deeply to avoid mXSS */
+ if (currentNode.__depth >= MAX_NESTING_DEPTH) {
++ /*
++ * Remove an element if nested too deeply to avoid mXSS
++ * or if the __depth might have been tampered with
++ */
++ if (
++ currentNode.__depth >= MAX_NESTING_DEPTH ||
++ numberIsNaN(currentNode.__depth)
++ ) {
+ _forceRemove(currentNode);
+ }
+
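Review bot: the new NaN check is nested inside the old check and is unreachable for exactly the case it targets. The context line `if (currentNode.__depth >= MAX_NESTING_DEPTH) {` is kept, and the added lines open a second `if (` block inside it; when `__depth` has been tampered into `NaN`, `NaN >= MAX_NESTING_DEPTH` is `false`, the outer branch is never entered, and `numberIsNaN(currentNode.__depth)` is never evaluated, so the element is not removed. The added block also has no closing `}` (the header goes from 6 to 14 lines with no removals), so the result does not parse. Replace the condition instead of nesting: emit the old `if (currentNode.__depth >= MAX_NESTING_DEPTH) {` as a `-` line and keep only the new condition and its `) {`, so the existing `_forceRemove(currentNode);` and `}` close it.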
+--- a/src/utils.js
++++ b/src/utils.js
+@@ -50,6 +50,8 @@
+
+ const typeErrorCreate = unconstruct(TypeError);
+
++const numberIsNaN = unapply(Number.isNaN);
++
+ export function unapply(func) {
+ return (thisArg, ...args) => apply(func, thisArg, args);
+ }
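Review bot: `const numberIsNaN = unapply(Number.isNaN);` yields a helper that never reports NaN. As defined two lines below, `unapply(func)` returns `(thisArg, ...args) => apply(func, thisArg, args)`, so the call `numberIsNaN(currentNode.__depth)` in purify.js passes the depth as `thisArg` with an empty argument list, and `Number.isNaN()` called with no argument returns `false`. Define it so the value is the first positional argument, e.g. `const numberIsNaN = (value) => Number.isNaN(value);`, or capture the builtin directly with `const { isNaN: numberIsNaN } = Number;` (it does not depend on `this`), and add a check that `numberIsNaN(NaN) === true` before relying on it.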
+@@ -155,6 +157,8 @@
+ stringToLowerCase,
+ stringToString,
+ stringTrim,
++ // Number
++ numberIsNaN,
+ // Errors
+ typeErrorCreate,
+ // Other
diff --git a/debian/patches/series b/debian/patches/series
index d5a92ec..09fa08f 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1 +1,2 @@
CVE-2024-47875.patch
+CVE-2024-45801.patch