Version in base suite: 6.9.4+ds-1
Base version: node-qs_6.9.4+ds-1
Target version: node-qs_6.9.4+ds-1+deb11u1
Base file: /srv/ftp-master.debian.org/ftp/pool/main/n/node-qs/node-qs_6.9.4+ds-1.dsc
Target file: /srv/ftp-master.debian.org/policy/pool/main/n/node-qs/node-qs_6.9.4+ds-1+deb11u1.dsc
changelog | 7 +++
patches/CVE-2022-24999.patch | 87 +++++++++++++++++++++++++++++++++++++++++++
patches/series | 1
3 files changed, 95 insertions(+)
diff -Nru node-qs-6.9.4+ds/debian/changelog node-qs-6.9.4+ds/debian/changelog
--- node-qs-6.9.4+ds/debian/changelog 2020-11-16 16:41:51.000000000 +0000
+++ node-qs-6.9.4+ds/debian/changelog 2022-12-03 19:22:12.000000000 +0000
@@ -1,3 +1,10 @@
+node-qs (6.9.4+ds-1+deb11u1) bullseye; urgency=medium
+
+ * Team upload
+ * Fix prototype pollution (Closes: CVE-2022-24999)
+
+ -- Yadd Sat, 03 Dec 2022 20:22:12 +0100
+
 node-qs (6.9.4+ds-1) unstable; urgency=medium

 * Team upload
diff -Nru node-qs-6.9.4+ds/debian/patches/CVE-2022-24999.patch node-qs-6.9.4+ds/debian/patches/CVE-2022-24999.patch
--- node-qs-6.9.4+ds/debian/patches/CVE-2022-24999.patch 1970-01-01 00:00:00.000000000 +0000
+++ node-qs-6.9.4+ds/debian/patches/CVE-2022-24999.patch 2022-12-03 19:22:12.000000000 +0000
@@ -0,0 +1,87 @@
+Description: `parse`: ignore `__proto__` keys
+Author: Jordan Harband
+Origin: upstream, https://github.com/ljharb/qs/pull/428
+Bug: https://security-tracker.debian.org/tracker/CVE-2022-24999
+Forwarded: not-needed
+Reviewed-By: Yadd
+Last-Update: 2022-12-03
+
+--- a/lib/parse.js
++++ b/lib/parse.js
+@@ -135,7 +135,7 @@
+ ) {
+ obj = [];
+ obj[index] = leaf;
+- } else {
++ } else if (cleanRoot !== '__proto__') {
+ obj[cleanRoot] = leaf;
+ }
+ }
+--- a/test/parse.js
++++ b/test/parse.js
+@@ -768,5 +768,65 @@
+ st.end();
+ });
++
++ t.test('dunder proto is ignored', function (st) {
++ var payload = 'categories[__proto__]=login&categories[__proto__]&categories[length]=42';
++ var result = qs.parse(payload, { allowPrototypes: true });
++
++ st.deepEqual(
++ result,
++ {
++ categories: {
++ length: '42'
++ }
++ },
++ 'silent [[Prototype]] payload'
++ );
++
++ var plainResult = qs.parse(payload, { allowPrototypes: true, plainObjects: true });
++
++ st.deepEqual(
++ plainResult,
++ {
++ __proto__: null,
++ categories: {
++ __proto__: null,
++ length: '42'
++ }
++ },
++ 'silent [[Prototype]] payload: plain objects'
++ );
++
++ var query = qs.parse('categories[__proto__]=cats&categories[__proto__]=dogs&categories[some][json]=toInject', { allowPrototypes: true });
++
++ st.notOk(Array.isArray(query.categories), 'is not an array');
++ st.notOk(query.categories instanceof Array, 'is not instanceof an array');
++ st.deepEqual(query.categories, { some: { json: 'toInject' } });
++ st.equal(JSON.stringify(query.categories), '{"some":{"json":"toInject"}}', 'stringifies as a non-array');
++
++ st.deepEqual(
++ qs.parse('foo[__proto__][hidden]=value&foo[bar]=stuffs', { allowPrototypes: true }),
++ {
++ foo: {
++ bar: 'stuffs'
++ }
++ },
++ 'hidden values'
++ );
++
++ st.deepEqual(
++ qs.parse('foo[__proto__][hidden]=value&foo[bar]=stuffs', { allowPrototypes: true, plainObjects: true }),
++ {
++ __proto__: null,
++ foo: {
++ __proto__: null,
++ bar: 'stuffs'
++ }
++ },
++ 'hidden values: plain objects'
++ );
++
++ st.end();
++ });
++
+ t.end();
+ });
diff -Nru node-qs-6.9.4+ds/debian/patches/series node-qs-6.9.4+ds/debian/patches/series
--- node-qs-6.9.4+ds/debian/patches/series 2019-10-20 13:52:31.000000000 +0000
+++ node-qs-6.9.4+ds/debian/patches/series 2022-12-03 19:22:12.000000000 +0000
@@ -1 +1,2 @@
 use-lodash-forEach-in-test.diff
+CVE-2022-24999.patch
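Review bot: The new guard in the lib/parse.js hunk, `} else if (cleanRoot !== '__proto__') {`, is an exact string comparison, and every case in the added test/parse.js block spells the key literally; it is worth confirming, and pinning with one more test, that `cleanRoot` is compared after the key has been percent-decoded so an encoded spelling of the same key takes the same silently-ignored path instead of reaching `obj[cleanRoot] = leaf`. The branch also carries no comment saying why the key is dropped even when the caller passed `allowPrototypes: true`; a one-liner above it such as `// never assign the __proto__ key, even with allowPrototypes: on a normal object it rewrites [[Prototype]]` would keep a later cleanup from folding it back into a plain `else`. The enclosing function in lib/parse.js starts and ends outside the hunk, so whether other prototype-related key names are handled on a different path cannot be checked from this diff. The patch header traces the change to upstream PR #428, so the code change itself is the one upstream shipped; the points above are about coverage and documentation, not the fix.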