[Pkg-javascript-devel] Bug#1102478: bookworm-pu: package node-serialize-javascript/6.0.0-2+deb12u1
Yadd
yadd at debian.org
Wed Apr 9 12:59:03 BST 2025
Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: node-serialize-javascript at packages.debian.org, yadd at debian.org
Control: affects -1 + src:node-serialize-javascript
User: release.debian.org at packages.debian.org
Usertags: pu
[ Reason ]
A flaw was found in npm-serialize-javascript. The vulnerability occurs
because the serialize-javascript module does not properly sanitize
certain inputs, such as regex or other JavaScript object types, allowing
an attacker to inject malicious code. This code could be executed when
deserialized by a web browser, causing cross-site scripting (XSS) attacks.
This issue is critical in environments where serialized data is sent to web
clients, potentially compromising the security of the website or web
application using this package (#1095767, CVE-2024-11831).
[ Impact ]
Medium security issue
[ Tests ]
Patch contains new tests.
[ Risks ]
Low risk, patch is trivial
[ Checklist ]
[X] *all* changes are documented in the d/changelog
[X] I reviewed all changes and I approve them
[X] attach debdiff against the package in (old)stable
[X] the issue is verified as fixed in unstable
[ Changes ]
Better check of remote parameters
Cheers,
Xavier
diff --git a/debian/changelog b/debian/changelog
index c0b369d..2a488d8 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+node-serialize-javascript (6.0.0-2+deb12u1) bookworm; urgency=medium
+
+ * Team upload
+ * Serialize URL string contents to prevent XSS
+ (Closes: #1095767, CVE-2024-11831)
+
+ -- Yadd <yadd at debian.org> Wed, 09 Apr 2025 13:54:59 +0200
+
node-serialize-javascript (6.0.0-2) unstable; urgency=medium
[ Debian Janitor ]
diff --git a/debian/patches/CVE-2024-11831.patch b/debian/patches/CVE-2024-11831.patch
new file mode 100644
index 0000000..481529f
--- /dev/null
+++ b/debian/patches/CVE-2024-11831.patch
@@ -0,0 +1,43 @@
+Description: serialize URL string contents to prevent XSS
+Author: Ryan Delaney <ryan at reverecre.com>
+Origin: upstream, https://github.com/yahoo/serialize-javascript/commit/f27d65d3
+Bug: https://github.com/yahoo/serialize-javascript/pull/173
+Bug-Debian: https://bugs.debian.org/1095767
+Forwarded: not-needed
+Applied-Upstream: 6.0.2, commit:f27d65d3
+Reviewed-By: Yadd <yadd at debian.org>
+Last-Update: 2025-04-09
+
+--- a/index.js
++++ b/index.js
+@@ -258,7 +258,7 @@
+ }
+
+ if (type === 'L') {
+- return "new URL(\"" + urls[valueIndex].toString() + "\")";
++ return "new URL(" + serialize(urls[valueIndex].toString(), options) + ")";
+ }
+
+ var fn = functions[valueIndex];
+--- a/test/unit/serialize.js
++++ b/test/unit/serialize.js
+@@ -455,8 +455,8 @@
+ describe('URL', function () {
+ it('should serialize URL', function () {
+ var u = new URL('https://x.com/')
+- expect(serialize(u)).to.equal('new URL("https://x.com/")');
+- expect(serialize({t: [u]})).to.be.a('string').equal('{"t":[new URL("https://x.com/")]}');
++ expect(serialize(u)).to.equal('new URL("https:\\u002F\\u002Fx.com\\u002F")');
++ expect(serialize({t: [u]})).to.be.a('string').equal('{"t":[new URL("https:\\u002F\\u002Fx.com\\u002F")]}');
+ });
+
+ it('should deserialize URL', function () {
+@@ -471,6 +471,8 @@
+ expect(serialize('</script>')).to.equal('"\\u003C\\u002Fscript\\u003E"');
+ expect(JSON.parse(serialize('</script>'))).to.equal('</script>');
+ expect(eval(serialize('</script>'))).to.equal('</script>');
++ expect(serialize(new URL('x:</script>'))).to.equal('new URL("x:\\u003C\\u002Fscript\\u003E")');
++ expect(eval(serialize(new URL('x:</script>'))).href).to.equal('x:</script>');
+ });
+ });
+
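Review bot: The new `return` in the `index.js` hunk should carry a comment explaining why the href goes through `serialize()` instead of plain concatenation, because the removed line looks harmless at a glance: `// Serialize the href as a string so it gets the same unsafe-char escaping as any other string value; a raw toString() here bypasses that escaping, as the old expected output with an unescaped "/" shows.` Passing `options` through means the href is handled exactly like any other string under the caller's settings, which is the consistent choice. The existing context line in the test hunk (`serialize('</script>')` yielding `"\u003C\u002Fscript\u003E"`) confirms that the 6.0.0 string path already escapes `<`, `>` and `/`, so the updated expectations should hold on the bookworm source without further backporting. The report's description mentions regex and other object types while the patch touches only the `type === 'L'` branch; presumably the RegExp branch was already covered in 6.0.0, but that is worth confirming before closing the CVE. The enclosing replacer function starts and ends outside the hunk.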
diff --git a/debian/patches/series b/debian/patches/series
index dc84184..d36ddb9 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1 +1,2 @@
2001_privacy.patch
+CVE-2024-11831.patch