Version in base suite: 2.1.3-2 Base version: node-json5_2.1.3-2 Target version: node-json5_2.1.3-2+deb11u1 Base file: /srv/ftp-master.debian.org/ftp/pool/main/n/node-json5/node-json5_2.1.3-2.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/n/node-json5/node-json5_2.1.3-2+deb11u1.dsc changelog | 7 +++ patches/CVE-2022-46175.patch | 91 +++++++++++++++++++++++++++++++++++++++++++ patches/series | 1 3 files changed, 99 insertions(+)
diff -Nru node-json5-2.1.3/debian/changelog node-json5-2.1.3/debian/changelog
--- node-json5-2.1.3/debian/changelog 2020-11-09 18:24:23.000000000 +0000
+++ node-json5-2.1.3/debian/changelog 2023-01-16 03:34:31.000000000 +0000
@@ -1,3 +1,10 @@
+node-json5 (2.1.3-2+deb11u1) bullseye; urgency=medium
+
+ * Team upload
+ * add __proto__ to objects and arrays (Closes: CVE-2022-46175)
+
+ -- Yadd Mon, 16 Jan 2023 07:34:31 +0400
+
 node-json5 (2.1.3-2) unstable; urgency=medium
 * Team upload.
diff -Nru node-json5-2.1.3/debian/patches/CVE-2022-46175.patch node-json5-2.1.3/debian/patches/CVE-2022-46175.patch
--- node-json5-2.1.3/debian/patches/CVE-2022-46175.patch 1970-01-01 00:00:00.000000000 +0000
+++ node-json5-2.1.3/debian/patches/CVE-2022-46175.patch 2023-01-16 03:34:31.000000000 +0000
@@ -0,0 +1,91 @@
+Description: add __proto__ to objects and arrays
+Author: Jordan Tucker
+Origin: upstream, https://github.com/json5/json5/commit/4a8c4568
+Forwarded: not-needed
+Reviewed-By: Yadd
+Last-Update: 2023-01-16
+
+--- a/CHANGELOG.md
++++ b/CHANGELOG.md
+@@ -340,5 +340,6 @@
+ [#182]: https://github.com/json5/json5/issues/182
+ [#187]: https://github.com/json5/json5/issues/187
+ [#196]: https://github.com/json5/json5/issues/196
++[#199]: https://github.com/json5/json5/issues/199
+ [#208]: https://github.com/json5/json5/issues/208
+ [#210]: https://github.com/json5/json5/issues/210
+--- a/lib/parse.js
++++ b/lib/parse.js
+@@ -41,15 +41,35 @@
+
+ function internalize (holder, name, reviver) {
+ const value = holder[name]
+- if (value != null && typeof value === 'object') {
+- for (const key in value) {
+- const replacement = internalize(value, key, reviver)
+- if (replacement === undefined) {
+- delete value[key]
+- } else {
+- value[key] = replacement
+- }
++ if (Array.isArray(value)) {
++ for (let i = 0; i < value.length; i++) {
++ const key = String(i)
++ const replacement = internalize(value, key, reviver)
++ if (replacement === undefined) {
++ delete value[key]
++ } else {
++ Object.defineProperty(value, key, {
++ value: replacement,
++ writable: true,
++ enumerable: true,
++ configurable: true,
++ })
++ }
++ }
++ } else {
++ for (const key in value) {
++ const replacement = internalize(value, key, reviver)
++ if (replacement === undefined) {
++ delete value[key]
++ } else {
++ Object.defineProperty(value, key, {
++ value: replacement,
++ writable: true,
++ enumerable: true,
++ configurable: true,
++ })
+ }
++ }
+ }
+
+ return reviver.call(holder, name, value)
+@@ -973,7 +993,12 @@
+ if (Array.isArray(parent)) {
+ parent.push(value)
+ } else {
+- parent[key] = value
++ Object.defineProperty(parent, key, {
++ value,
++ writable: true,
++ enumerable: true,
++ configurable: true,
++ })
+ }
+ }
+
+--- a/test/parse.js
++++ b/test/parse.js
+@@ -293,6 +293,12 @@
+ )
+
+ t.strictSame(
++ JSON5.parse('{"__proto__":1}').__proto__,
++ 1,
++ 'preserves __proto__ property names',
++ )
++
++ t.strictSame(
+ JSON5.parse('{a:{b:2}}', (k, v) => (k === 'b') ? 'revived' : v),
+ {a: {b: 'revived'}},
+ 'modifies nested object property values'
diff -Nru node-json5-2.1.3/debian/patches/series node-json5-2.1.3/debian/patches/series
--- node-json5-2.1.3/debian/patches/series 2020-11-09 18:24:23.000000000 +0000
+++ node-json5-2.1.3/debian/patches/series 2023-01-16 03:34:31.000000000 +0000
@@ -1,2 +1,3 @@
 update-unicode.diff
 ship_typescript_definitions.patch
+CVE-2022-46175.patch
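Review bot: The lib/parse.js hunk removes the `if (value != null && typeof value === 'object')` guard around the reviver walk in `internalize` and never re-adds it, so the new `else` branch runs `for (const key in value)` on primitives as well as objects. For a string value that loop yields character indices and `internalize(value, key, reviver)` recurses into a one-character string of the same shape, so any reviver-based parse that reaches a string value would recurse until the stack overflows (numbers, booleans and null produce no keys and are unaffected); I cannot see the rest of the file, so this holds unless the check is restored elsewhere. Restore the wrapper: `if (value != null && typeof value === 'object') {` before the new `if (Array.isArray(value)) {` and a matching `}` before `return reviver.call(holder, name, value)`. The added test only covers `__proto__` on a plain object; a companion assertion that `Object.getPrototypeOf(JSON5.parse('{"__proto__":{}}'))` is still `Object.prototype`, plus one exercising the reviver path on an array, would pin the fix against both code paths. The closing brace of `internalize` lies outside the inner hunk.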