Package: release.debian.org Severity: normal User: release.debian....@packages.debian.org Usertags: unblock X-Debbugs-Cc: node-xml...@packages.debian.org Control: affects -1 + src:node-xml2js
Please unblock package node-xml2js [ Reason ] node-xml2js version 0.4.23 allows an external attacker to edit or add new properties to an object (prototype pollution; #1034148, CVE-2023-0842) [ Impact ] Medium security issue [ Tests ] Test suite updated, passes [ Risks ] Low risk, patch is trivial and tested [ Checklist ] [X] all changes are documented in the d/changelog [X] I reviewed all changes and I approve them [X] attach debdiff against the package in testing Cheers, Yadd unblock node-xml2js/0.4.23+~cs15.4.0+dfsg-5
diff --git a/debian/changelog b/debian/changelog index 98492d7..9d9dac7 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,12 @@ +node-xml2js (0.4.23+~cs15.4.0+dfsg-5) unstable; urgency=medium + + * Team upload + * Update standards version to 4.6.2, no changes needed. + * Update nodejs dependency to nodejs:any + * Add patch to prevent prototype pollution (Closes: #1034148, CVE-2023-0842) + + -- Yadd <y...@debian.org> Fri, 21 Apr 2023 11:11:13 +0400 + node-xml2js (0.4.23+~cs15.4.0+dfsg-4) unstable; urgency=medium * Team upload diff --git a/debian/control b/debian/control index dc4d6d0..406a88d 100644 --- a/debian/control +++ b/debian/control @@ -10,7 +10,7 @@ Build-Depends: , node-sax <!nocheck> , dh-sequence-nodejs , node-diff -Standards-Version: 4.6.1 +Standards-Version: 4.6.2 Vcs-Browser: https://salsa.debian.org/js-team/node-xml2js Vcs-Git: https://salsa.debian.org/js-team/node-xml2js.git Homepage: https://github.com/Leonidas-from-XIV/node-xml2js @@ -21,8 +21,8 @@ Architecture: all Depends: ${misc:Depends} , node-sax - , nodejs , node-diff + , nodejs:any Provides: ${nodejs:Provides} Description: simple XML to JavaScript object converter - Node.js module xml2js parses XML using node-sax and converts it to a plain JavaScript diff --git a/debian/patches/CVE-2023-0842.patch b/debian/patches/CVE-2023-0842.patch new file mode 100644 index 0000000..3d80ed9 --- /dev/null +++ b/debian/patches/CVE-2023-0842.patch 
@@ -0,0 +1,103 @@
+Description: use Object.create(null) to create all parsed objects
+ (prevent prototype replacement)
+Author: James Crosby <ja...@coggle.it>
+Origin: upstream, commit:581b19a6
+Bug: https://github.com/advisories/GHSA-776f-qx25-q3cc
+Bug-Debian: https://bugs.debian.org/1034148
+Forwarded: not-needed
+Applied-Upstream: 0.5.0, commit:581b19a6
+Reviewed-By: Yadd <y...@debian.org>
+Last-Update: 2023-04-21
+
+--- a/src/parser.coffee
++++ b/src/parser.coffee
+@@ -103,12 +103,12 @@
+ charkey = @options.charkey
+ 
+ @saxParser.onopentag = (node) =>
+- obj = {}
++ obj = Object.create(null)
+ obj[charkey] = ""
+ unless @options.ignoreAttrs
+ for own key of node.attributes
+ if attrkey not of obj and not @options.mergeAttrs
+- obj[attrkey] = {}
++ obj[attrkey] = Object.create(null)
+ newValue = if @options.attrValueProcessors then processItem(@options.attrValueProcessors, node.attributes[key], key) else node.attributes[key]
+ processedKey = if @options.attrNameProcessors then processItem(@options.attrNameProcessors, key) else key
+ if @options.mergeAttrs
+@@ -161,7 +161,7 @@
+ # put children into <childkey> property and unfold chars if necessary
+ if @options.explicitChildren and not @options.mergeAttrs and typeof obj is 'object'
+ if not @options.preserveChildrenOrder
+- node = {}
++ node = Object.create(null)
+ # separate attributes
+ if @options.attrkey of obj
+ node[@options.attrkey] = obj[@options.attrkey]
+@@ -179,7 +179,7 @@
+ # append current node onto parent's <childKey> array
+ s[@options.childkey] = s[@options.childkey] or []
+ # push a clone so that the node in the children array can receive the #name property while the original obj can do without it
+- objClone = {}
++ objClone = Object.create(null)
+ for own key of obj
+ objClone[key] = obj[key]
+ s[@options.childkey].push objClone
+@@ -196,7 +196,7 @@
+ if @options.explicitRoot
+ # avoid circular references
+ old = obj
+- obj = {}
++ obj = Object.create(null)
+ obj[nodeName] = old
+ 
+ 
@resultObject = obj
+--- a/test/parser.test.coffee
++++ b/test/parser.test.coffee
+@@ -531,13 +531,13 @@
+ 
+ 'test single attrNameProcessors': skeleton(attrNameProcessors: [nameToUpperCase], (r)->
+ console.log 'Result object: ' + util.inspect r, false, 10
+- equ r.sample.attrNameProcessTest[0].$.hasOwnProperty('CAMELCASEATTR'), true
+- equ r.sample.attrNameProcessTest[0].$.hasOwnProperty('LOWERCASEATTR'), true)
++ equ {}.hasOwnProperty.call(r.sample.attrNameProcessTest[0].$, 'CAMELCASEATTR'), true
++ equ {}.hasOwnProperty.call(r.sample.attrNameProcessTest[0].$, 'LOWERCASEATTR'), true)
+ 
+ 'test multiple attrNameProcessors': skeleton(attrNameProcessors: [nameToUpperCase, nameCutoff], (r)->
+ console.log 'Result object: ' + util.inspect r, false, 10
+- equ r.sample.attrNameProcessTest[0].$.hasOwnProperty('CAME'), true
+- equ r.sample.attrNameProcessTest[0].$.hasOwnProperty('LOWE'), true)
++ equ {}.hasOwnProperty.call(r.sample.attrNameProcessTest[0].$, 'CAME'), true
++ equ {}.hasOwnProperty.call(r.sample.attrNameProcessTest[0].$, 'LOWE'), true)
+ 
+ 'test single attrValueProcessors': skeleton(attrValueProcessors: [nameToUpperCase], (r)->
+ console.log 'Result object: ' + util.inspect r, false, 10
+@@ -559,21 +559,21 @@
+ 
+ 'test single tagNameProcessors': skeleton(tagNameProcessors: [nameToUpperCase], (r)->
+ console.log 'Result object: ' + util.inspect r, false, 10
+- equ r.hasOwnProperty('SAMPLE'), true
+- equ r.SAMPLE.hasOwnProperty('TAGNAMEPROCESSTEST'), true)
++ equ {}.hasOwnProperty.call(r, 'SAMPLE'), true
++ equ {}.hasOwnProperty.call(r.SAMPLE, 'TAGNAMEPROCESSTEST'), true)
+ 
+ 'test single tagNameProcessors in simple callback': (test) ->
+ fs.readFile fileName, (err, data) ->
+ xml2js.parseString data, tagNameProcessors: [nameToUpperCase], (err, r)->
+ console.log 'Result object: ' + util.inspect r, false, 10
+- equ r.hasOwnProperty('SAMPLE'), true
+- equ r.SAMPLE.hasOwnProperty('TAGNAMEPROCESSTEST'), true
++ equ {}.hasOwnProperty.call(r, 'SAMPLE'), true
++ equ 
{}.hasOwnProperty.call(r.SAMPLE, 'TAGNAMEPROCESSTEST'), true
+ test.finish()
+ 
+ 'test multiple tagNameProcessors': skeleton(tagNameProcessors: [nameToUpperCase, nameCutoff], (r)->
+ console.log 'Result object: ' + util.inspect r, false, 10
+- equ r.hasOwnProperty('SAMP'), true
+- equ r.SAMP.hasOwnProperty('TAGN'), true)
++ equ {}.hasOwnProperty.call(r, 'SAMP'), true
++ equ {}.hasOwnProperty.call(r.SAMP, 'TAGN'), true)
+ 
+ 'test attrValueProcessors key param': skeleton(attrValueProcessors: [replaceValueByName], (r)->
+ console.log 'Result object: ' + util.inspect r, false, 10
diff --git a/debian/patches/series b/debian/patches/series
index 2840ff2..c9bf5bb 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,2 +1,3 @@
 fix-for-coffeescript-2.patch
 drop-test-not-compatible-with-coffe-2.patch
+CVE-2023-0842.patch
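Review bot: Switching every parsed object to `Object.create(null)` is a sound mitigation for the prototype-pollution report, but it is also a visible behaviour change for reverse-dependencies that neither the changelog entry nor the patch header records: parsed results no longer inherit `Object.prototype`, so consumer code doing `result.foo.hasOwnProperty('bar')` (exactly the pattern this same patch had to rewrite in test/parser.test.coffee as `{}.hasOwnProperty.call(...)`) or `result instanceof Object` now throws or returns false. Suggest adding a sentence to the patch `Description:` such as ` Parsed objects no longer inherit from Object.prototype; callers must use Object.prototype.hasOwnProperty.call(obj, key) instead of obj.hasOwnProperty(key).` and a matching note in the changelog so reverse-dependencies can be checked before the unblock. The inner hunks are excerpts of src/parser.coffee whose enclosing handlers start and end outside the hunk, so the debdiff alone cannot confirm that no other object literal keyed by XML tag or attribute names was left unpatched; a grep of parser.coffee for remaining `{}` literals that receive parsed names would close that question.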