Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock
Please unblock package node-mixin-deep

Hi all,

node-mixin-deep is vulnerable to prototype pollution [1]. I fixed this using
the upstream commit. Full changes:

 * Add upstream/metadata
 * Declare compliance with policy 4.3.0
 * Change section to javascript
 * Fix prototype pollution (Closes: #898315, CVE-2018-3719)
 * Switch tests to pkg-js-tools
 * Fix VCS fields
 * Fix debian/copyright

Main reverse-dependencies:
 - webpack
 - gulp
 - rollup & rollup plugins

The change on installed files is just a control to avoid prototype pollution
(see debian/patches/CVE-2018-3719.diff). So I think it is low risk to upgrade
node-mixin-deep.

Cheers,
Xavier

[1]: https://security-tracker.debian.org/tracker/CVE-2018-3719
     https://bugs.debian.org/898315

unblock node-mixin-deep/1.1.3-3

-- System Information:
Debian Release: buster/sid
  APT prefers testing
  APT policy: (900, 'testing'), (500, 'testing-proposed-updates'), (500, 'unstable')
Architecture: amd64 (x86_64)
Kernel: Linux 4.19.0-4-amd64 (SMP w/8 CPU cores)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE= (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
diff --git a/debian/changelog b/debian/changelog index 2e47d2e..17cb287 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,23 @@ +node-mixin-deep (1.1.3-3) unstable; urgency=medium + + * Team upload + * Back to debhelper 9 (Buster freeze) + + -- Xavier Guimard <y...@debian.org> Sun, 21 Apr 2019 14:34:56 +0200 + +node-mixin-deep (1.1.3-2) unstable; urgency=medium + + * Team upload + * Add upstream/metadata + * Declare compliance with policy 4.3.0 + * Change section to javascript + * Fix prototype pollution (Closes: #898315, CVE-2018-3719) + * Switch tests to pkg-js-tools + * Fix VCS fields + * Fix debian/copyright + + -- Xavier Guimard <y...@debian.org> Sun, 21 Apr 2019 14:24:15 +0200 + node-mixin-deep (1.1.3-1) unstable; urgency=low * Initial release (Closes: #842329) diff --git a/debian/control b/debian/control index bf5ce1c..a305397 100644 --- a/debian/control +++ b/debian/control @@ -1,8 +1,9 @@ Source: node-mixin-deep -Section: web +Section: javascript Priority: optional Maintainer: Debian Javascript Maintainers <pkg-javascript-de...@lists.alioth.debian.org> Uploaders: Sruthi Chandran <s...@disroot.org> +Testsuite: autopkgtest-pkg-nodejs Build-Depends: debhelper (>= 9) , dh-buildinfo @@ -11,10 +12,11 @@ Build-Depends: , node-should , node-is-extendable (>= 0.1.1) , node-for-in (>= 0.1.4) -Standards-Version: 3.9.8 + , pkg-js-tools +Standards-Version: 4.3.0 Homepage: https://github.com/jonschlinkert/mixin-deep -Vcs-Git: https://anonscm.debian.org/git/pkg-javascript/node-mixin-deep.git -Vcs-Browser: https://anonscm.debian.org/cgit/pkg-javascript/node-mixin-deep.git +Vcs-Browser: https://salsa.debian.org/js-team/node-mixin-deep +Vcs-Git: https://salsa.debian.org/js-team/node-mixin-deep.git Package: node-mixin-deep Architecture: all diff --git a/debian/copyright b/debian/copyright index 1e90e8f..42f57f3 100644 --- a/debian/copyright +++ b/debian/copyright 
@@ -1,10 +1,10 @@ -Format: http://www.debian.org/doc/packaging-manuals/copyright-format/1.0/ +Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/ Upstream-Name: mixin-deep Upstream-Contact: https://github.com/jonschlinkert/mixin-deep/issues Source: https://github.com/jonschlinkert/mixin-deep Files: * -Copyright: 2016 Jon Schlinkert (https://github.com/jonschlinkert) +Copyright: 2014-2015 Jon Schlinkert (https://github.com/jonschlinkert) License: Expat Files: debian/* @@ -31,4 +31,3 @@ License: Expat ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. - diff --git a/debian/patches/CVE-2018-3719.diff b/debian/patches/CVE-2018-3719.diff new file mode 100644 index 0000000..868f5bb --- /dev/null +++ b/debian/patches/CVE-2018-3719.diff @@ -0,0 +1,22 @@ +Description: Fix prototype pollution (CVE-2018-3719) +Author: Jon Schlinkert <https://github.com/jonschlinkert> +Origin: upstream, https://github.com/jonschlinkert/mixin-deep/commit/578b0bc5e74e14de9ef4975f504dc698796bdf9c +Bug: https://www.npmjs.com/advisories/578 +Bug-Debian: https://bugs.debian.org/898315 +Forwarded: not-needed +Reviewed-By: Xavier Guimard <y...@debian.org> +Last-Update: 2019-04-21 + +--- a/index.js ++++ b/index.js +@@ -23,6 +23,10 @@ + */ + + function copy(val, key) { ++ if (key === '__proto__') { ++ return; ++ } ++ + var obj = this[key]; + if (isObject(val) && isObject(obj)) { + mixinDeep(obj, val); diff --git a/debian/patches/series b/debian/patches/series new file mode 100644 index 0000000..9b10403 --- /dev/null +++ b/debian/patches/series @@ -0,0 +1 @@ +CVE-2018-3719.diff diff --git a/debian/rules b/debian/rules index 9eb6b18..20809a4 100755 --- a/debian/rules +++ b/debian/rules @@ -5,11 +5,4 @@ #export DH_VERBOSE=1 %: - dh $@ - -#override_dh_auto_build: - -override_dh_auto_test: - mocha -R spec - - + dh $@ --with nodejs 
diff --git a/debian/tests/control b/debian/tests/control deleted file mode 100644 index 588a506..0000000 --- a/debian/tests/control +++ /dev/null @@ -1,5 +0,0 @@ -Tests: require -Depends: node-mixin-deep - -Test-Command: mocha -R spec -Depends: @, @builddeps@ diff --git a/debian/tests/pkg-js/test b/debian/tests/pkg-js/test new file mode 100644 index 0000000..00882e2 --- /dev/null +++ b/debian/tests/pkg-js/test @@ -0,0 +1 @@ +mocha -R spec --timeout 10000 diff --git a/debian/tests/require b/debian/tests/require deleted file mode 100644 index 02a037e..0000000 --- a/debian/tests/require +++ /dev/null @@ -1,3 +0,0 @@ -#!/bin/sh -set -e -nodejs -e "require('mixin-deep');" diff --git a/debian/upstream/metadata b/debian/upstream/metadata new file mode 100644 index 0000000..120af8f --- /dev/null +++ b/debian/upstream/metadata @@ -0,0 +1,7 @@ +--- +Archive: GitHub +Bug-Database: https://github.com/jonschlinkert/mixin-deep/issues +Contact: https://github.com/jonschlinkert/mixin-deep/issues +Name: mixin-deep +Repository: https://github.com/jonschlinkert/mixin-deep.git +Repository-Browse: https://github.com/jonschlinkert/mixin-deep
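Review bot: in the debian/patches/CVE-2018-3719.diff hunk, the new guard in copy() rejects only `key === '__proto__'`; a key named `constructor` or `prototype` still falls through to the unchanged `var obj = this[key];` and `mixinDeep(obj, val);` path. Consider widening the check to `if (key === '__proto__' || key === 'constructor' || key === 'prototype') return;` so the package does not need a second patch for the same bug class, and add a regression test (merging a JSON.parse'd object that carries an own "__proto__" key and asserting Object.prototype is untouched) so the autopkgtest run by debian/tests/pkg-js/test catches a future regression.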
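Review bot: the debian/tests/control and debian/tests/require deletions drop the explicit `nodejs -e "require('mixin-deep');"` smoke test, and the new debian/tests/pkg-js/test only runs `mocha -R spec --timeout 10000` against the source tree. Confirm that the `Testsuite: autopkgtest-pkg-nodejs` stanza added in debian/control generates an equivalent require test for the installed package; if it does not, keep the require test so the shipped module (not only the build tree) is still exercised.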
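Review bot: the debian/copyright hunk narrows Jon Schlinkert's years from 2016 to 2014-2015, which looks too narrow for a project whose fix commit is being patched in for a 2018 advisory; please check the years against upstream's LICENSE and package.json before upload.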
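An added example (not mixin-deep's own code and not part of this request): a deep mixin written in the shape of mixin-deep's copy()/mixinDeep() pair with the guard from debian/patches/CVE-2018-3719.diff, generalised to also skip 'constructor' and 'prototype' keys, plus a regression check that merges a JSON payload carrying an own "__proto__" key. The isObject() helper, BLOCKED_KEYS and isPrototypeClean() are names chosen here, not upstream's.

```javascript
// Constructed re-implementation of a deep mixin in the shape of
// mixin-deep's copy()/mixinDeep() pair. Assumption: only plain objects
// are merged recursively; arrays and primitives are assigned as-is.
function isObject(val) {
  return val !== null && typeof val === 'object' && !Array.isArray(val);
}

// '__proto__' is the key the Debian patch rejects; 'constructor' and
// 'prototype' are the usual extension of the same guard (added here).
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function mixinDeep(target, ...sources) {
  for (const source of sources) {
    if (!isObject(source)) continue;
    for (const key of Object.keys(source)) {
      // This is where the patched copy() does `return;`. Without it,
      // target['__proto__'] resolves to Object.prototype, both sides
      // are objects, and the recursion below writes into it.
      if (BLOCKED_KEYS.has(key)) continue;
      const val = source[key];
      const existing = target[key];
      if (isObject(val) && isObject(existing)) {
        mixinDeep(existing, val);
      } else {
        target[key] = val;
      }
    }
  }
  return target;
}

// Regression check with a constructed payload: JSON.parse yields an own
// property literally named "__proto__", the case CVE-2018-3719 covers.
function isPrototypeClean() {
  const payload = JSON.parse('{"__proto__": {"polluted": true}, "a": {"b": 1}}');
  const result = mixinDeep({ a: { c: 2 } }, payload);
  // Normal merging still works, and a fresh object inherits nothing new.
  return ({}).polluted === undefined && result.a.b === 1 && result.a.c === 2;
}

console.log('prototype clean after merge:', isPrototypeClean());
```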