Package: release.debian.org Severity: normal Tags: buster User: release.debian....@packages.debian.org Usertags: pu
Hi, node-minimist is vulnerable to prototype pollution. I fixed this by importing the whole 1.2.0-to-1.2.5 upstream diff (which is very small), since only prototype-pollution-related issues were fixed between those releases. Cheers, Xavier
diff --git a/debian/changelog b/debian/changelog
index 8406b1a..327fcb5 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+node-minimist (1.2.0-1+deb10u1) buster; urgency=medium
+
+ * Team upload
+ * Fix prototype pollution (Closes: #953762, CVE-2020-7598)
+
+ -- Xavier Guimard <y...@debian.org> Fri, 13 Mar 2020 07:18:52 +0100
+
 node-minimist (1.2.0-1) unstable; urgency=medium

 * New upstream release
diff --git a/debian/patches/CVE-2020-7598.diff b/debian/patches/CVE-2020-7598.diff
new file mode 100644
index 0000000..6ec3bb8
--- /dev/null
+++ b/debian/patches/CVE-2020-7598.diff
@@ -0,0 +1,43 @@
+Description: fix for CVE-2020-7598 (prototype pollution)
+ Import whole 1.2.5 changes
+Author: Xavier Guimard
+Bug: https://snyk.io/vuln/SNYK-JS-MINIMIST-559764
+Bug-Debian: https://bugs.debian.org/953762
+Forwarded: not-needed
+Last-Update: 2020-03-13
+
+--- a/index.js
++++ b/index.js
+@@ -68,12 +68,21 @@
+
+ function setKey (obj, keys, value) {
+ var o = obj;
+- keys.slice(0,-1).forEach(function (key) {
++ for (var i = 0; i < keys.length-1; i++) {
++ var key = keys[i];
++ if (key === '__proto__') return;
+ if (o[key] === undefined) o[key] = {};
++ if (o[key] === Object.prototype || o[key] === Number.prototype
++ || o[key] === String.prototype) o[key] = {};
++ if (o[key] === Array.prototype) o[key] = [];
+ o = o[key];
+- });
++ }
+
+ var key = keys[keys.length - 1];
++ if (key === '__proto__') return;
++ if (o === Object.prototype || o === Number.prototype
++ || o === String.prototype) o = {};
++ if (o === Array.prototype) o = [];
+ if (o[key] === undefined || flags.bools[key] || typeof o[key] === 'boolean') {
+ o[key] = value;
+ }
+@@ -171,7 +180,7 @@
+ setArg(key, args[i+1], arg);
+ i++;
+ }
+- else if (args[i+1] && /true|false/.test(args[i+1])) {
++ else if (args[i+1] && /^(true|false)$/.test(args[i+1])) {
+ setArg(key, args[i+1] === 'true', arg);
+ i++;
+ }
diff --git a/debian/patches/series b/debian/patches/series
index 81a5e8e..01db0e3 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1 +1,2 @@
 nodejs.patch
+CVE-2020-7598.diff
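Review bot: The new guard in setKey only rejects the literal key `'__proto__'` and only re-homes four enumerated prototypes (Object, Number, String, Array), so a key path that walks through `constructor` still lands on a shared object outside that list; for example `--constructor.constructor.prototype.y=1` goes argv → Object → Function → Function.prototype, which none of the `=== X.prototype` checks catch, and the final `o[key] = value` then writes `y` onto Function.prototype. Since setKey is the only place untrusted argv keys are turned into property writes, I would reject the traversal keys themselves rather than enumerate target objects: `if (key === '__proto__' || key === 'constructor' || key === 'prototype') return;` on both the loop check and the last-key check (my recollection is that upstream's later 1.2.6 release does essentially this, worth confirming before cherry-picking). Note also that the `return` silently discards the whole argument on a rejected key, which is acceptable but deserves a comment such as `// drop the argument entirely: never create or traverse prototype-reaching keys from argv`. setKey's body continues past the end of this hunk (the else branches after `o[key] = value;` are not shown), so the last-key handling below should be checked for the same pattern.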