Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian....@packages.debian.org
Usertags: pu
X-Debbugs-Cc: node-xml...@packages.debian.org
Control: affects -1 + src:node-xml2js
[ Reason ]
node-xml2js version 0.4.23 allows an external attacker to edit or add new
properties to an object (#1034148, CVE-2023-0842)

[ Impact ]
Medium security issue

[ Tests ]
Sadly tests are not enabled in Bullseye

[ Risks ]
Low risk, patch is trivial

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

[ Changes ]
Replace {} by Object.create(null)

Cheers,
Yadd
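The following is an added illustration, not code from node-xml2js or from the debdiff below. It reproduces in plain JavaScript the pattern the CoffeeScript patch changes (a fresh `{}` filled from parser-supplied keys versus `Object.create(null)`) to show why the second form stops a key named `__proto__` from replacing the object's prototype, and what changes for code that consumes the parsed objects. The attribute map, the `copyAttributes` helper and the constructor names are constructed for this example.

```javascript
// Added illustration (not node-xml2js code): why Object.create(null) prevents
// a parsed key from replacing an object's prototype.

// Constructed stand-in for the attribute map a SAX parser hands to onopentag.
// JSON.parse stores "__proto__" as an ordinary own property, which is how a
// key taken from untrusted input reaches the parser's copy loop.
const ATTRIBUTES = JSON.parse('{"id":"42","__proto__":{"polluted":"yes"}}');

// Simplified stand-in for the patched loop: copy every key into a new object.
function copyAttributes(attrs, makeObject) {
  const obj = makeObject();
  for (const key of Object.keys(attrs)) {
    obj[key] = attrs[key];
  }
  return obj;
}

// The two constructors the patch switches between.
const beforeFix = () => ({});               // inherits Object.prototype, so
                                            // assigning "__proto__" runs its setter
const afterFix = () => Object.create(null); // no prototype, no setter: plain data

function compare() {
  const vulnerable = copyAttributes(ATTRIBUTES, beforeFix);
  const hardened = copyAttributes(ATTRIBUTES, afterFix);
  return {
    // Before the fix: the prototype is replaced by the input-controlled value,
    // so "polluted" is inherited and "__proto__" is not a visible key.
    vulnerablePrototypeReplaced: Object.getPrototypeOf(vulnerable) !== Object.prototype,
    vulnerablePolluted: vulnerable.polluted,
    vulnerableKeys: Object.keys(vulnerable),
    // After the fix: "__proto__" is stored as ordinary data, nothing is inherited.
    hardenedPrototype: Object.getPrototypeOf(hardened),
    hardenedPolluted: hardened.polluted,
    hardenedKeys: Object.keys(hardened),
    // Caveat for consumers: null-prototype objects carry no Object.prototype
    // methods, so callers must use Object.prototype.hasOwnProperty.call(obj, k).
    hardenedHasOwnPropertyMethod: typeof hardened.hasOwnProperty,
    hardenedOwnsProto: Object.prototype.hasOwnProperty.call(hardened, "__proto__"),
  };
}

console.log(compare());
```

The last two fields are the part a package maintainer cares about when tests are disabled: the fix is correct, but any reverse dependency that calls `hasOwnProperty` or `toString` directly on a parsed result will now throw, so that is what a manual smoke test should exercise.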
diff --git a/debian/changelog b/debian/changelog index 628f69a..106d13b 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +node-xml2js (0.2.8-1+deb11u1) bullseye; urgency=medium + + * Team upload + * Add patch to prevent prototype pollution (Closes: #1034148, CVE-2023-0842) + + -- Yadd <y...@debian.org> Fri, 21 Apr 2023 11:33:31 +0400 + node-xml2js (0.2.8-1) unstable; urgency=low * Upstream update diff --git a/debian/patches/CVE-2023-0842.patch b/debian/patches/CVE-2023-0842.patch new file mode 100644 index 0000000..cd03e08 --- /dev/null +++ b/debian/patches/CVE-2023-0842.patch @@ -0,0 +1,46 @@ +Description: use Object.create(null) to create all parsed objects + (prevent prototype replacement) +Author: James Crosby <ja...@coggle.it> +Origin: upstream, commit:581b19a6 +Bug: https://github.com/advisories/GHSA-776f-qx25-q3cc +Bug-Debian: https://bugs.debian.org/1034148 +Forwarded: not-needed +Applied-Upstream: 0.5.0, commit:581b19a6 +Reviewed-By: Yadd <y...@debian.org> +Last-Update: 2023-04-21 + +--- a/src/xml2js.coffee ++++ b/src/xml2js.coffee +@@ -105,12 +105,12 @@ + charkey = @options.charkey + + @saxParser.onopentag = (node) => +- obj = {} ++ obj = Object.create(null) + obj[charkey] = "" + unless @options.ignoreAttrs + for own key of node.attributes + if attrkey not of obj and not @options.mergeAttrs +- obj[attrkey] = {} ++ obj[attrkey] = Object.create(null) + if @options.mergeAttrs + obj[key] = node.attributes[key] + else +@@ -158,7 +158,7 @@ + + # put children into <childkey> property and unfold chars if necessary + if @options.explicitChildren and not @options.mergeAttrs and typeof obj is 'object' +- node = {} ++ node = Object.create(null) + # separate attributes + if @options.attrkey of obj + node[@options.attrkey] = obj[@options.attrkey] +@@ -193,7 +193,7 @@ + if @options.explicitRoot + # avoid circular references + old = obj +- obj = {} ++ obj = Object.create(null) + obj[nodeName] = old + + @resultObject = obj 
diff --git a/debian/patches/series b/debian/patches/series new file mode 100644 index 0000000..6b5589b --- /dev/null +++ b/debian/patches/series @@ -0,0 +1 @@ +CVE-2023-0842.patch
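Review bot: in the debian/changelog hunk, the 0.2.8-1+deb11u1 entry documents only "Add patch to prevent prototype pollution", while the [ Reason ] text above describes the flaw against "node-xml2js version 0.4.23", which is not the version in this debdiff; please state in the pu text that Bullseye's 0.2.8 is affected so the release team can match the request to the changelog. The entry should also mention the user-visible side effect of the patch, namely that parsed objects no longer inherit from Object.prototype, since that is what a reverse dependency calling hasOwnProperty or toString on parser output will notice.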
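Review bot: the debian/patches/CVE-2023-0842.patch hunk edits only src/xml2js.coffee, and nothing in this debdiff touches lib/, so please confirm that the Bullseye build regenerates lib/xml2js.js from the CoffeeScript sources (the debdiff does not show debian/rules); if the package ships the prebuilt JavaScript unchanged, the four Object.create(null) replacements never reach the installed module. With tests disabled in Bullseye, a quick check that a document containing a __proto__ element or attribute now yields an own property, plus a smoke test of the package's reverse dependencies against the null-prototype result objects, would stand in for the missing test suite.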