[Pkg-javascript-devel] Bug#1084983: Bug#1084983: node-dompurify: CVE-2024-47875
Yadd
yadd at debian.org
Wed Oct 30 07:21:58 GMT 2024
Erratum
On 10/30/24 06:38, Yadd wrote:
> On 10/19/24 15:32, Salvatore Bonaccorso wrote:
>> Hi Yadd, hi Moritz,
>>
>> On Sat, Oct 12, 2024 at 07:37:45PM +0200, Yadd wrote:
>>> On 10/12/24 18:08, Moritz Mühlenhoff wrote:
>>>> On Sat, Oct 12, 2024 at 04:14:14PM +0200, Yadd wrote:
>>>>> Hi,
>>>>>
>>>>> here is a debdiff for bookworm
>>>>
>>>> Please upload to security-master, thanks!
>>>>
>>>> Cheers,
>>>> Moritz
>>>
>>> Hi,
>>>
>>> it's done
>>
>> Please correct me if I'm wrong, but haven't we now introduced
>> CVE-2024-45801 for bookworm here?
>>
>> The GHSA-gx9m-whjm-85jf mentioned being cautious when cherry-picking
>> commits; in fact, the commit 0ef5e537a514f904b6aa1d7ad9e749e365d7185f
>> then introduces CVE-2024-45801.
>>
>> Do we need now a followup to fix node-dompurify in bookworm for
>> CVE-2024-45801?
>>
>> Regards,
>> Salvatore
>
> Hi,
>
> you're right. Here is a proposed fix
>
> Best regards,
> Xavier
-------------- next part --------------
diff --git a/debian/changelog b/debian/changelog
index 02c7a01..83e86fc 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+node-dompurify (2.4.1+dfsg+~2.4.0-2+deb12u1) bookworm; urgency=medium
+
+ * Fix prototype pollution (Closes: CVE-2024-45801)
+
+ -- Yadd <yadd at debian.org> Wed, 30 Oct 2024 06:36:27 +0100
+
node-dompurify (2.4.1+dfsg+~2.4.0-2) bookworm-security; urgency=medium
* Team upload
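Review bot: `Closes:` in the new changelog entry names a CVE id instead of a Debian bug number, so it closes nothing; dpkg only acts on `Closes: #NNNNNN`. Write the CVE id plainly, e.g. `* Harden nesting-depth check against __depth tampering via prototype pollution (CVE-2024-45801)`, and add a `Closes:` only for the bug that actually tracks this regression (this thread is Bug#1084983, which is about CVE-2024-47875). The entry also targets `bookworm`, while the entry it fixes a regression in targets `bookworm-security` and was uploaded to security-master per the thread above; confirm which channel this follow-up is meant for and use the matching distribution.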
diff --git a/debian/patches/CVE-2024-45801.patch b/debian/patches/CVE-2024-45801.patch
new file mode 100644
index 0000000..3aa90c4
--- /dev/null
+++ b/debian/patches/CVE-2024-45801.patch
@@ -0,0 +1,74 @@
+Description: fix prototype pollution
+ Regression introduced into 2.4.1+dfsg+~2.4.0-2
+Author: Mario Heiderich <mario at cure53.de>
+Origin: upstream, https://github.com/cure53/DOMPurify/commit/26e1d69c
+Bug: https://github.com/cure53/DOMPurify/security/advisories/GHSA-mmhx-hmjr-r674
+Forwarded: not-needed
+Applied-Upstream: 2.5.1, https://github.com/cure53/DOMPurify/commit/26e1d69c
+Reviewed-By: Yadd <yadd at debian.org>
+Last-Update: 2024-10-30
+
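Review bot: `Description: fix prototype pollution` does not describe the change: the hunks below fix no pollution, they make the nesting-depth check also reject a `__depth` that is NaN after tampering. Reword to something like `harden nesting-depth check against __depth tampering via prototype pollution` so the DEP-3 header matches the code. Please also verify `Applied-Upstream: 2.5.1` against the patched-versions field of GHSA-mmhx-hmjr-r674 cited on the `Bug:` line and the first release tag containing commit 26e1d69c, since this header is the only record of which upstream release the backport tracks.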
+--- a/src/purify.js
++++ b/src/purify.js
+@@ -14,6 +14,7 @@
+ stringToString,
+ stringIndexOf,
+ stringTrim,
++ numberIsNaN,
+ regExpTest,
+ typeErrorCreate,
+ lookupGetter,
+@@ -1484,8 +1485,14 @@
+ }
+ }
+
+- /* Remove first element node (ours) if FORCE_BODY is set */
+- if (body && FORCE_BODY) {
++ /*
++ * Remove an element if nested too deeply to avoid mXSS
++ * or if the __depth might have been tampered with
++ */
++ if (
++ shadowNode.__depth >= MAX_NESTING_DEPTH ||
++ numberIsNaN(shadowNode.__depth)
++ ) {
+ _forceRemove(body.firstChild);
+ }
+
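Review bot: this hunk deletes the `if (body && FORCE_BODY)` branch and its comment, so the FORCE_BODY option no longer removes the first element node ("ours"), a functional regression that has nothing to do with CVE-2024-45801. The new condition also tests `shadowNode.__depth` while the unchanged line still removes `body.firstChild`, and `shadowNode` appears nowhere else in this hunk's context, so the hunk looks like it landed on the wrong block: the node that is checked and the node that is removed must be the same. Keep the FORCE_BODY branch as it was and put the NaN check on the existing shadow-DOM depth check instead, mirroring the `currentNode` hunk below: `if (shadowNode.__depth >= MAX_NESTING_DEPTH || numberIsNaN(shadowNode.__depth)) { _forceRemove(shadowNode); }`. If the bookworm source carries no shadow-DOM depth check (the earlier backport may have left it out), add it there rather than here.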
+@@ -1520,8 +1527,14 @@
+ }
+ }
+
+- /* Remove an element if nested too deeply to avoid mXSS */
+- if (currentNode.__depth >= MAX_NESTING_DEPTH) {
++ /*
++ * Remove an element if nested too deeply to avoid mXSS
++ * or if the __depth might have been tampered with
++ */
++ if (
++ currentNode.__depth >= MAX_NESTING_DEPTH ||
++ numberIsNaN(currentNode.__depth)
++ ) {
+ _forceRemove(currentNode);
+ }
+
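Review bot: the comment promises to catch a `__depth` that "might have been tampered with", but the added condition only covers NaN. A polluted `__depth` that ends up as a string, a negative number or `-Infinity` makes `currentNode.__depth >= MAX_NESTING_DEPTH` false and is not NaN, so the element survives; whether such values can arise depends on how `__depth` is derived from the parent, which is outside this patch. Unless that assignment guarantees a non-negative number, tighten the condition to accept only a finite non-negative number below the limit, e.g. `typeof currentNode.__depth !== 'number' || !(currentNode.__depth >= 0) || currentNode.__depth >= MAX_NESTING_DEPTH`; `!(x >= 0)` is true for NaN as well, which would make the separate `numberIsNaN` call unnecessary.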
+--- a/src/utils.js
++++ b/src/utils.js
+@@ -50,6 +50,8 @@
+
+ const typeErrorCreate = unconstruct(TypeError);
+
++const numberIsNaN = unapply(Number.isNaN);
++
+ export function unapply(func) {
+ return (thisArg, ...args) => apply(func, thisArg, args);
+ }
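Review bot: `unapply(Number.isNaN)` yields a function whose first parameter is the `this` value (`(thisArg, ...args) => apply(func, thisArg, args)` two lines below), but both call sites in purify.js pass the depth as the only argument, `numberIsNaN(currentNode.__depth)`. The depth therefore becomes `this` and `Number.isNaN` is invoked with no argument, i.e. `Number.isNaN(undefined)`, which is always false, so the new check never fires. Either call it as `numberIsNaN(Number, currentNode.__depth)` at both sites, or define it so the value is passed as the argument, e.g. `const numberIsNaN = (n) => apply(Number.isNaN, Number, [n]);`, which still pins the original `Number.isNaN` at load time like the other helpers here.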
+@@ -155,6 +157,8 @@
+ stringToLowerCase,
+ stringToString,
+ stringTrim,
++ // Number
++ numberIsNaN,
+ // Errors
+ typeErrorCreate,
+ // Other
diff --git a/debian/patches/series b/debian/patches/series
index d5a92ec..09fa08f 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1 +1,2 @@
CVE-2024-47875.patch
+CVE-2024-45801.patch
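The thread above turns on a `__depth` property that prototype pollution can tamper with, and on a `numberIsNaN` helper built with a this-first `unapply` wrapper. As an added example, not DOMPurify's code and not part of the thread, here is a small Node.js model of such a nesting-depth check. It compares the plain comparison, the NaN check called the way the patch calls it, the same wrapper called with the value as an argument, and a strict variant. The toy node objects, the `MAX_NESTING_DEPTH` value, the `buildChain` and `evaluate` helpers and the pollution values are all constructed for this illustration.

```javascript
// Added example for this thread, not DOMPurify's code: a minimal model of a
// nesting-depth check like the one in the patch above, run in Node.js.
// It shows (1) how a polluted __depth defeats a plain ">= MAX" comparison,
// (2) why a this-first wrapper around Number.isNaN called with one
// argument is a no-op, and (3) a check that holds up. The toy node
// objects, MAX_NESTING_DEPTH value and helper names are assumptions.
const { apply } = Reflect;

// Same shape as the unapply() helper in the utils.js hunk: the first
// argument becomes `this`, the remaining ones the call arguments.
function unapply(func) {
  return (thisArg, ...args) => apply(func, thisArg, args);
}

const MAX_NESTING_DEPTH = 255;

// Build a chain of `n` nested toy nodes. Each node derives its depth from
// its parent, as a sanitizer walk would; the root is a fresh object, so
// anything it reports for __depth comes from Object.prototype.
function buildChain(n) {
  let parent = {};
  for (let i = 0; i < n; i++) {
    const node = { parent };
    node.__depth = parent.__depth === undefined ? 1 : parent.__depth + 1;
    parent = node;
  }
  return parent; // deepest node
}

// Variant A: the check before the patch, a plain comparison.
const tooDeepPlain = (node) => node.__depth >= MAX_NESTING_DEPTH;

// Variant B: the patch as written. numberIsNaN(x) expands to
// Number.isNaN.apply(x, []), i.e. Number.isNaN(undefined), always false.
const numberIsNaN = unapply(Number.isNaN);
const tooDeepWrapped = (node) =>
  node.__depth >= MAX_NESTING_DEPTH || numberIsNaN(node.__depth);

// Variant C: same wrapper, value passed as an argument, so NaN is caught.
// Other tampered shapes (-Infinity, strings) still slip through.
const tooDeepNaNOnly = (node) =>
  node.__depth >= MAX_NESTING_DEPTH || numberIsNaN(Number, node.__depth);

// Variant D: accept only a finite, non-negative number below the limit.
// !(x >= 0) is true for NaN, negatives and -Infinity alike.
const tooDeepStrict = (node) =>
  typeof node.__depth !== 'number' ||
  !(node.__depth >= 0) ||
  node.__depth >= MAX_NESTING_DEPTH;

// Run one scenario: optionally pollute Object.prototype.__depth the way a
// prototype-pollution gadget would (constructed pollution, for this model
// only), build the chain, evaluate every variant on the deepest node, and
// always clean the prototype up again.
function evaluate(depth, pollution) {
  if (pollution !== undefined) {
    Object.prototype.__depth = pollution;
  }
  try {
    const deepest = buildChain(depth);
    return {
      depth: deepest.__depth,
      plain: tooDeepPlain(deepest),
      wrapped: tooDeepWrapped(deepest),
      nanOnly: tooDeepNaNOnly(deepest),
      strict: tooDeepStrict(deepest),
    };
  } finally {
    delete Object.prototype.__depth;
  }
}

// Stand-alone run: an honest deep tree, an honest shallow tree, and two
// polluted shallow trees. Only the strict variant removes both polluted ones.
for (const [label, depth, pollution] of [
  ['honest, 300 deep', 300, undefined],
  ['honest, 10 deep', 10, undefined],
  ['polluted with NaN', 10, NaN],
  ['polluted with -Infinity', 10, -Infinity],
]) {
  console.log(label, evaluate(depth, pollution));
}
```

Run it with `node`; `evaluate()` deletes the polluted property in a `finally` block so a scenario cannot leak into the next one, which is also how a test for this kind of check should be written.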