Package: release.debian.org Severity: normal Tags: buster User: release.debian....@packages.debian.org Usertags: pu
Hi, node-kind-of is vulnerable to CVE-2019-20149: it allows external user input to overwrite certain internal attributes via a conflicting name. This little patch fixes this issue. Cheers, Xavier
diff --git a/debian/changelog b/debian/changelog
index f69a6ac..93d28bf 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+node-kind-of (6.0.2+dfsg-1+deb10u1) buster; urgency=medium
+
+ * Team upload
+ * fix type checking vul in ctorName (Closes: #948095, CVE-2019-20149)
+
+ -- Xavier Guimard <y...@debian.org> Fri, 17 Jan 2020 06:19:37 +0100
+
 node-kind-of (6.0.2+dfsg-1) unstable; urgency=medium
 
 * Team upload
diff --git a/debian/patches/CVE-2019-20149.diff b/debian/patches/CVE-2019-20149.diff
new file mode 100644
index 0000000..0129c8e
--- /dev/null
+++ b/debian/patches/CVE-2019-20149.diff
@@ -0,0 +1,20 @@
+Description: fix type checking vul in ctorName
+ CVE-2019-20149
+Author: Brian Woodward
+Bug: https://github.com/jonschlinkert/kind-of/pull/30
+Bug-Debian: https://bugs.debian.org/948095
+Forwarded: not-needed
+Reviewed-By: Xavier Guimard <y...@debian.org>
+Last-Update: 2020-01-17
+
+--- a/index.js
++++ b/index.js
+@@ -66,7 +66,7 @@
+ };
+ 
+ function ctorName(val) {
+- return val.constructor ? val.constructor.name : null;
++ return typeof val.constructor === 'function' ? val.constructor.name : null;
+ }
+ 
+ function isArray(val) {
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 0000000..4228152
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1 @@
+CVE-2019-20149.diff
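Review bot: The replaced line in the embedded index.js hunk (`typeof val.constructor === 'function'`) carries no comment explaining why a plain truthiness test was not enough, so a later cleanup could quietly reintroduce the original check; add above the return `// Only a real function is trusted: an own 'constructor' key holding plain data (CVE-2019-20149) must not steer type detection.` The DEP-3 Description field could carry the same rationale, since the patch header is the only place this history survives in the package. Note that the guard still returns the `name` of any function-valued `constructor`, so `ctorName` remains a best-effort hint and callers should not rely on it for validation or authorisation decisions. The patch adds no regression test for a plain object with a data-valued `constructor` property; whether the upstream PR's tests are exercised by the packaged build cannot be seen from here. The changelog and series hunks need no review.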