Bug#994490: marked as done (bullseye-pu: package node-set-value/3.0.1-2+deb11u1)

To: "Adam D. Barratt" <adam@adam-barratt.org.uk>
Subject: Bug#994490: marked as done (bullseye-pu: package node-set-value/3.0.1-2+deb11u1)
From: "Debian Bug Tracking System" <owner@bugs.debian.org>
Date: Sat, 09 Oct 2021 11:13:21 +0000
Message-id: <[🔎] handler.994490.D994490.163377783128736.ackdone@bugs.debian.org>
Reply-to: 994490@bugs.debian.org
References: <81741a2f4e370c14a3bec08b7fe6e2b10c32267b.camel@adam-barratt.org.uk> <163180931165.336235.4621289043902095480.reportbug@deb007.xnr.fr>

Your message dated Sat, 09 Oct 2021 12:09:40 +0100
with message-id <81741a2f4e370c14a3bec08b7fe6e2b10c32267b.camel@adam-barratt.org.uk>
and subject line Closing p-u bugs for updates in 11.1
has caused the Debian Bug report #994490,
regarding bullseye-pu: package node-set-value/3.0.1-2+deb11u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
994490: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=994490
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems

--- Begin Message ---

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: bullseye-pu: package node-set-value/3.0.1-2+deb11u1
From: Yadd <yadd@debian.org>
Date: Thu, 16 Sep 2021 18:21:51 +0200
Message-id: <163180931165.336235.4621289043902095480.reportbug@deb007.xnr.fr>

Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-Cc: pkg-javascript-devel@lists.alioth.debian.org

[ Reason ]
node-set-value is vulnerable to prototype pollution (#994448, CVE-2021-23440)

[ Impact ]
Medium vulnerability

[ Tests ]
New test added, inspired from PoC

[ Risks ]
No risk, patch itself is trivial

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

[ Changes ]
New check to verify key

Cheers,
Yadd

diff --git a/debian/changelog b/debian/changelog
index a836bdb..1ae7498 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+node-set-value (3.0.1-2+deb11u1) bullseye; urgency=medium
+
+  * Team upload
+  * Fix prototype pollution (Closes: #994448, CVE-2021-23440)
+  * Add test for CVE-2021-23440
+
+ -- Yadd <yadd@debian.org>  Thu, 16 Sep 2021 18:17:19 +0200
+
 node-set-value (3.0.1-2) unstable; urgency=medium
 
   * Team upload
diff --git a/debian/patches/CVE-2021-23440.patch b/debian/patches/CVE-2021-23440.patch
new file mode 100644
index 0000000..55a96f3
--- /dev/null
+++ b/debian/patches/CVE-2021-23440.patch
@@ -0,0 +1,20 @@
+Description: fix prototype pollution
+ Inspired from https://github.com/jonschlinkert/set-value/pull/33/files
+Author: Yadd <yadd@debian.org>
+Bug: https://snyk.io/vuln/SNYK-JS-SETVALUE-1540541
+Bug-Debian: https://bugs.debian.org/994448
+Forwarded: not-needed
+Last-Update: 2021-09-16
+
+--- a/index.js
++++ b/index.js
+@@ -99,6 +99,9 @@
+ }
+ 
+ function isValidKey(key) {
++  if (typeof key !== 'string' && typeof key !== 'number') {
++    key = String(key)
++  }
+   return key !== '__proto__' && key !== 'constructor' && key !== 'prototype';
+ }
+ 
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 0000000..22df165
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1 @@
+CVE-2021-23440.patch
diff --git a/debian/tests/CVE-2021-23440 b/debian/tests/CVE-2021-23440
new file mode 100755
index 0000000..d756ed2
--- /dev/null
+++ b/debian/tests/CVE-2021-23440
@@ -0,0 +1,3 @@
+if node debian/tests/CVE-2021-23440.js; then
+	exit 1;
+fi
diff --git a/debian/tests/CVE-2021-23440.js b/debian/tests/CVE-2021-23440.js
new file mode 100644
index 0000000..177f1d3
--- /dev/null
+++ b/debian/tests/CVE-2021-23440.js
@@ -0,0 +1,9 @@
+const set = require("set-value")
+
+// set({}, ['__proto__','polluted'], 'yes');
+// console.log(polluted); // Error: Cannot set unsafe key: "__proto__"
+
+set({}, [['__proto__'],'polluted'], 'yes');
+if(polluted && polluted === 'yes') {
+  console.error('Vulnerable to CVE-2021-23440');
+}
diff --git a/debian/tests/control b/debian/tests/control
new file mode 100644
index 0000000..b9d4e6c
--- /dev/null
+++ b/debian/tests/control
@@ -0,0 +1,3 @@
+Tests: CVE-2021-23440
+Depends: @, nodejs
+Restrictions: allow-stderr

--- End Message ---

--- Begin Message ---

To: 992063-done@bugs.debian.org, 992078-done@bugs.debian.org, 992114-done@bugs.debian.org, 992153-done@bugs.debian.org, 992206-done@bugs.debian.org, 992299-done@bugs.debian.org, 992435-done@bugs.debian.org, 992547-done@bugs.debian.org, 992693-done@bugs.debian.org, 992836-done@bugs.debian.org, 992843-done@bugs.debian.org, 992956-done@bugs.debian.org, 992978-done@bugs.debian.org, 993035-done@bugs.debian.org, 993049-done@bugs.debian.org, 993133-done@bugs.debian.org, 993225-done@bugs.debian.org, 993276-done@bugs.debian.org, 993281-done@bugs.debian.org, 993282-done@bugs.debian.org, 993283-done@bugs.debian.org, 993396-done@bugs.debian.org, 993489-done@bugs.debian.org, 993523-done@bugs.debian.org, 993564-done@bugs.debian.org, 993604-done@bugs.debian.org, 993639-done@bugs.debian.org, 993655-done@bugs.debian.org, 993656-done@bugs.debian.org, 993708-done@bugs.debian.org, 993720-done@bugs.debian.org, 993792-done@bugs.debian.org, 993793-done@bugs.debian.org, 993822-done@bugs.debian.org, 993825-done@bugs.debian.org, 993899-done@bugs.debian.org, 993968-done@bugs.debian.org, 994022-done@bugs.debian.org, 994107-done@bugs.debian.org, 994111-done@bugs.debian.org, 994112-done@bugs.debian.org, 994147-done@bugs.debian.org, 994490-done@bugs.debian.org, 994555-done@bugs.debian.org, 994574-done@bugs.debian.org, 994627-done@bugs.debian.org, 994709-done@bugs.debian.org, 994710-done@bugs.debian.org, 994828-done@bugs.debian.org, 994861-done@bugs.debian.org, 994880-done@bugs.debian.org, 994881-done@bugs.debian.org, 994885-done@bugs.debian.org, 994907-done@bugs.debian.org, 994946-done@bugs.debian.org, 995025-done@bugs.debian.org, 995062-done@bugs.debian.org, 995075-done@bugs.debian.org, 995144-done@bugs.debian.org, 995237-done@bugs.debian.org, 995304-done@bugs.debian.org, 995306-done@bugs.debian.org, 995331-done@bugs.debian.org, 995469-done@bugs.debian.org, 995481-done@bugs.debian.org, 994097-done@bugs.debian.org

Subject: Closing p-u bugs for updates in 11.1

From: "Adam D. Barratt" <adam@adam-barratt.org.uk>

Date: Sat, 09 Oct 2021 12:09:40 +0100

Message-id: <81741a2f4e370c14a3bec08b7fe6e2b10c32267b.camel@adam-barratt.org.uk>
Package: release.debian.org
Version: 11.1

Hi,

The updates relating to these bugs were included in this morning's 11.1
point release for bullseye.

Regards,

Adam
--- End Message ---

Reply to:

Prev by Date: Bug#994555: marked as done (bullseye-pu: package node-object-path/0.11.5-3+deb11u1)
Next by Date: Bug#994627: marked as done (bullseye-pu: package debian-edu-config/2.11.56+deb11u1)
Previous by thread: Bug#994555: marked as done (bullseye-pu: package node-object-path/0.11.5-3+deb11u1)
Next by thread: Bug#994627: marked as done (bullseye-pu: package debian-edu-config/2.11.56+deb11u1)
Index(es):
- Date
- Thread