Bug#947758: buster-pu: package node-handlebars/3:4.1.0-1+deb10u1

Mon, 04 May 2020 13:06:20 -0700 

Le 04/05/2020 à 18:53, Mattia Rizzolo a écrit :
> Hi,
> 
> let me reply before adsb has a chance ;)
> 
> On Mon, May 04, 2020 at 02:24:20PM +0200, Xavier wrote:
>> Finally I found a way to fix CVE and keep autopkgtest OK
>> (node-markdown-it-html5-embed). Here is a debdiff for a future point release
> 
> This is good, however,
> 
>> diff --git a/debian/changelog b/debian/changelog
>> index b985661..64df8db 100644
>> --- a/debian/changelog
>> +++ b/debian/changelog
>> @@ -1,3 +1,11 @@
>> +node-handlebars (3:4.1.0-1+deb10u1) buster; urgency=medium
>> +
>> +  * Team upload
>> +  * Disallow calling "helperMissing" and "blockHelperMissing" directly
>> +    (Closes: CVE-2019-19919)
>> +
>> + -- Xavier Guimard <y...@debian.org>  Mon, 04 May 2020 14:21:11 +0200
> 
> By now 3:4.1.0-1+deb10u1 is already accepted in p-u, built and all, and
> it can't really be removed from there and replaced by a same-versined
> pacakge.
> 
> Please prepare a +deb10u2 version, and post here a debdiff against the
> already uploaded +deb10u1 one.

Is it good so ?

diff --git a/debian/changelog b/debian/changelog
index 95811b9..e49c409 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+node-handlebars (3:4.1.0-1+deb10u2) buster; urgency=medium
+
+  * Fix regression introduced in 3:4.1.0-1+deb10u1
+
+ -- Xavier Guimard <y...@debian.org>  Mon, 04 May 2020 22:01:16 +0200
+
 node-handlebars (3:4.1.0-1+deb10u1) buster; urgency=medium
 
   * Team upload
diff --git a/debian/patches/CVE-2019-19919.patch 
b/debian/patches/CVE-2019-19919.patch
index f63f106..d34e77a 100644
--- a/debian/patches/CVE-2019-19919.patch
+++ b/debian/patches/CVE-2019-19919.patch
@@ -75,6 +75,21 @@ Last-Update: 2019-12-30
        );
      }
  
+--- a/lib/handlebars/helpers.js
++++ b/lib/handlebars/helpers.js
+@@ -15,3 +15,12 @@
+   registerLookup(instance);
+   registerWith(instance);
+ }
++
++export function moveHelperToHooks(instance, helperName, keepHelper) {
++  if (instance.helpers[helperName]) {
++    instance.hooks[helperName] = instance.helpers[helperName];
++    if (!keepHelper) {
++      delete instance.helpers[helperName];
++    }
++  }
++}
 --- a/lib/handlebars/runtime.js
 +++ b/lib/handlebars/runtime.js
 @@ -1,6 +1,7 @@

Reply via email to