Version in base suite: 4.1.1-1 Base version: node-dot-prop_4.1.1-1 Target version: node-dot-prop_4.1.1-1+deb10u1 Base file: /srv/ftp-master.debian.org/ftp/pool/main/n/node-dot-prop/node-dot-prop_4.1.1-1.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/n/node-dot-prop/node-dot-prop_4.1.1-1+deb10u1.dsc changelog | 7 +++ patches/CVE-2020-8116.diff | 90 +++++++++++++++++++++++++++++++++++++++++++++ patches/series | 1 3 files changed, 98 insertions(+) gpgv: Signature made Tue Jul 18 05:19:57 2017 UTC gpgv: using RSA key 2A7974AE2FC152D77867DA4ACE1F9C674512C22A gpgv: Can't check signature: No public key dpkg-source: warning: failed to verify signature on /srv/release.debian.org/tmp/tmpr4fegvmr/node-dot-prop_4.1.1-1.dsc
diff -Nru node-dot-prop-4.1.1/debian/changelog node-dot-prop-4.1.1/debian/changelog
--- node-dot-prop-4.1.1/debian/changelog 2017-07-15 13:30:08.000000000 +0000
+++ node-dot-prop-4.1.1/debian/changelog 2020-02-06 05:33:11.000000000 +0000
@@ -1,3 +1,10 @@
+node-dot-prop (4.1.1-1+deb10u1) buster; urgency=medium
+
+ * Team upload
+ * Add fix for prototype pollution (Closes: CVE-2020-8116)
+
+ -- Xavier Guimard Thu, 06 Feb 2020 06:33:11 +0100
+
 node-dot-prop (4.1.1-1) unstable; urgency=low
 * Initial release (Closes: #868441)
diff -Nru node-dot-prop-4.1.1/debian/patches/CVE-2020-8116.diff node-dot-prop-4.1.1/debian/patches/CVE-2020-8116.diff
--- node-dot-prop-4.1.1/debian/patches/CVE-2020-8116.diff 1970-01-01 00:00:00.000000000 +0000
+++ node-dot-prop-4.1.1/debian/patches/CVE-2020-8116.diff 2020-02-06 05:31:15.000000000 +0000
@@ -0,0 +1,90 @@
+Description: Prevent setting/getting some problematic path components
+ Fixes CVE-2020-8116
+Author: Sindre Sorhus
+Origin: upstream, https://github.com/sindresorhus/dot-prop/commit/3039c8c0
+Bug: https://hackerone.com/reports/719856
+Forwarded: not-needed
+Reviewed-By: Xavier Guimard
+Last-Update: 2020-02-06
+
+--- a/index.js
++++ b/index.js
+@@ -1,6 +1,14 @@
+ 'use strict';
+ const isObj = require('is-obj');
+
++const disallowedKeys = [
++ '__proto__',
++ 'prototype',
++ 'constructor'
++];
++
++const isValidPath = pathSegments => !pathSegments.some(segment => disallowedKeys.includes(segment));
++
+ function getPathSegments(path) {
+ const pathArr = path.split('.');
+ const parts = [];
+@@ -15,6 +23,9 @@
+
+ parts.push(p);
+ }
++ if (!isValidPath(parts)) {
++ return [];
++ }
+
+ return parts;
+ }
+@@ -26,6 +37,9 @@
+ }
+
+ const pathArr = getPathSegments(path);
++ if (pathArray.length === 0) {
++ return;
++ }
+
+ for (let i = 0; i < pathArr.length; i++) {
+ if (!Object.prototype.propertyIsEnumerable.call(obj, pathArr[i])) {
+@@ -57,6 +71,9 @@
+ }
+
+ const pathArr = getPathSegments(path);
++ if (pathArray.length === 0) {
++ return;
++ }
+
+ for (let i = 0; i < pathArr.length; i++) {
+ const p = pathArr[i];
+@@ -79,6 +96,9 @@
+ }
+
+ const pathArr = getPathSegments(path);
++ if (pathArray.length === 0) {
++ return;
++ }
+
+ for (let i = 0; i < pathArr.length; i++) {
+ const p = pathArr[i];
+--- a/readme.md
++++ b/readme.md
+@@ -79,6 +79,8 @@
+
+ Use `\\.` if you have a `.` in the key.
+
++The following path components are invalid and results in `undefined` being returned: `__proto__`, `prototype`, `constructor`.
++
+ #### value
+
+ Type: `any`
+--- a/test.js
++++ b/test.js
+@@ -193,3 +193,10 @@
+ t.is(m.has({'foo.baz': {bar: true}}, 'foo\\.baz.bar'), true);
+ t.is(m.has({'fo.ob.az': {bar: true}}, 'fo\\.ob\\.az.bar'), true);
+ });
++
++test('prevent setting/getting `__proto__`', t => {
++ dotProp.set({}, '__proto__.unicorn', 'x');
++ t.not({}.unicorn, 'x'); // eslint-disable-line no-use-extend-native/no-use-extend-native
++
++ t.is(dotProp.get({}, '__proto__'), undefined);
++});
diff -Nru node-dot-prop-4.1.1/debian/patches/series node-dot-prop-4.1.1/debian/patches/series
--- node-dot-prop-4.1.1/debian/patches/series 1970-01-01 00:00:00.000000000 +0000
+++ node-dot-prop-4.1.1/debian/patches/series 2020-02-06 05:29:18.000000000 +0000
@@ -0,0 +1 @@
+CVE-2020-8116.diff
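Review bot: The three guards added to index.js in the inner hunks at -26, -57 and -79 read `pathArray`, but the variable declared on the context line just above each of them is `pathArr`; with `'use strict'` visible at the top of the file that is a ReferenceError on every call that reaches the guard, so the backport would break those three functions outright instead of merely rejecting the disallowed segments. Each guard should read `if (pathArr.length === 0) {`. The new test.js case has the same kind of mismatch: the context lines call the module as `m.has(...)` while the added lines use `dotProp.set(...)` and `dotProp.get(...)`, which is presumably not defined in this file and would throw as well, so the test would not catch the first problem. The patch also adds no guard to `has`; if it walks the segments the same way the visible functions do, the empty array now returned by `getPathSegments` for a disallowed path would likely make `has(obj, '__proto__')` return true, which is worth confirming against the unpatched body. The functions the guards sit in start and end outside the hunk.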