Version in base suite: 1.1.1-1 Base version: node-dot_1.1.1-1 Target version: node-dot_1.1.1-1+deb10u1 Base file: /srv/ftp-master.debian.org/ftp/pool/main/n/node-dot/node-dot_1.1.1-1.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/n/node-dot/node-dot_1.1.1-1+deb10u1.dsc changelog | 8 ++++++++ patches/CVE-2020-8141.diff | 21 +++++++++++++++++++++ patches/series | 1 + rules | 4 ++++ tests/control | 3 +++ tests/cve-2020-8141 | 9 +++++++++ tests/cve-2020-8141.js | 3 +++ tests/resources/mytemplate.dot | 1 + 8 files changed, 50 insertions(+) gpgv: Signature made Wed May 10 07:24:01 2017 UTC gpgv: using RSA key 2A7974AE2FC152D77867DA4ACE1F9C674512C22A gpgv: Can't check signature: No public key dpkg-source: warning: failed to verify signature on /srv/release.debian.org/tmp/tmpo1jk1cix/node-dot_1.1.1-1.dsc
diff -Nru node-dot-1.1.1/debian/changelog node-dot-1.1.1/debian/changelog
--- node-dot-1.1.1/debian/changelog 2017-05-10 06:03:56.000000000 +0000
+++ node-dot-1.1.1/debian/changelog 2020-03-21 08:23:57.000000000 +0000
@@ -1,3 +1,11 @@
+node-dot (1.1.1-1+deb10u1) buster; urgency=medium
+
+ * Team upload
+ * Add CVE-2020-8141 test
+ * Prevent code execution after prototype pollution (Closes: CVE-2020-8141)
+
+ -- Xavier Guimard Sat, 21 Mar 2020 09:23:57 +0100
+
 node-dot (1.1.1-1) unstable; urgency=low
 * Initial release (Closes: #862235)
diff -Nru node-dot-1.1.1/debian/patches/CVE-2020-8141.diff node-dot-1.1.1/debian/patches/CVE-2020-8141.diff
--- node-dot-1.1.1/debian/patches/CVE-2020-8141.diff 1970-01-01 00:00:00.000000000 +0000
+++ node-dot-1.1.1/debian/patches/CVE-2020-8141.diff 2020-03-21 08:23:57.000000000 +0000
@@ -0,0 +1,21 @@
+Description: fix for CVE-2020-8141
+ prevent possibility of execution of the code injected via prototype pollution
+ when undefined is passed to compiled template function
+Author: Evgeny Poberezkin
+Origin: upstream, https://github.com/olado/doT/commit/2cf222683
+Bug: https://github.com/olado/doT/issues/291
+Forwarded: not-needed
+Reviewed-By: Xavier Guimard
+Last-Update: 2020-03-21
+
+--- a/index.js
++++ b/index.js
+@@ -42,7 +42,7 @@
+ if (this.__destination[this.__destination.length-1] !== '/') this.__destination += '/';
+ this.__global = o.global || "window.render";
+ this.__rendermodule = o.rendermodule || {};
+- this.__settings = o.templateSettings ? copy(o.templateSettings, copy(doT.templateSettings)) : undefined;
++ this.__settings = Object.prototype.hasOwnProperty.call(o,"templateSettings") ? copy(o.templateSettings, copy(doT.templateSettings)) : undefined;
+ this.__includes = {};
+ }
+
diff -Nru node-dot-1.1.1/debian/patches/series node-dot-1.1.1/debian/patches/series
--- node-dot-1.1.1/debian/patches/series 2017-05-10 06:03:56.000000000 +0000
+++ node-dot-1.1.1/debian/patches/series 2020-03-21 08:23:57.000000000 +0000
@@ -1 +1,2 @@
 use-nodejs.patch
+CVE-2020-8141.diff
diff -Nru node-dot-1.1.1/debian/rules node-dot-1.1.1/debian/rules
--- node-dot-1.1.1/debian/rules 2017-05-10 06:03:56.000000000 +0000
+++ node-dot-1.1.1/debian/rules 2020-03-21 08:23:57.000000000 +0000
@@ -11,3 +11,7 @@
 override_dh_auto_test:
 mocha -R spec test/*.test.js
+ mkdir node_modules
+ ln -s .. node_modules/dot
+ sh -ex debian/tests/cve-2020-8141
+ rm -rf node_modules
diff -Nru node-dot-1.1.1/debian/tests/control node-dot-1.1.1/debian/tests/control
--- node-dot-1.1.1/debian/tests/control 2017-05-10 06:03:56.000000000 +0000
+++ node-dot-1.1.1/debian/tests/control 2020-03-21 08:23:57.000000000 +0000
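Review bot: In the index.js change carried by debian/patches/CVE-2020-8141.diff, only `templateSettings` gets an own-property check; the two lookups just above it, `o.global || "window.render"` and `o.rendermodule || {}`, still read through the prototype chain. Whether either value reaches generated code is not visible in this hunk, so this is something to verify rather than a confirmed gap; if they do, the same test applies, e.g. `this.__global = Object.prototype.hasOwnProperty.call(o,"global") && o.global || "window.render";`. A comment above the new line would also record the intent, such as `// own property only: an inherited templateSettings must never reach the compiler (CVE-2020-8141)`. The enclosing function starts and ends outside the hunk.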
@@ -3,3 +3,6 @@
 Test-Command: mocha -R spec test/*.test.js
 Depends: @, mocha
+
+Tests: cve-2020-8141
+Depends: @, nodejs
diff -Nru node-dot-1.1.1/debian/tests/cve-2020-8141 node-dot-1.1.1/debian/tests/cve-2020-8141
--- node-dot-1.1.1/debian/tests/cve-2020-8141 1970-01-01 00:00:00.000000000 +0000
+++ node-dot-1.1.1/debian/tests/cve-2020-8141 2020-03-21 08:13:36.000000000 +0000
@@ -0,0 +1,9 @@
+#!/bin/sh
+
+cd debian/tests
+if node ./cve-2020-8141.js | grep 25; then
+ echo "node-dot is vulnerable to CVE 2020-8141"
+ exit 1
+else
+ echo "node-dot seems patched"
+fi
diff -Nru node-dot-1.1.1/debian/tests/cve-2020-8141.js node-dot-1.1.1/debian/tests/cve-2020-8141.js
--- node-dot-1.1.1/debian/tests/cve-2020-8141.js 1970-01-01 00:00:00.000000000 +0000
+++ node-dot-1.1.1/debian/tests/cve-2020-8141.js 2020-03-21 08:13:36.000000000 +0000
@@ -0,0 +1,3 @@
+var doT = require("dot"); // prototype pollution attack vector
+Object.prototype.templateSettings = {varname:"a,b,c,d,x=console.log(25)"}; // benign looking template compilation + application
+var dots = require("dot").process({path: "./resources"}); dots.mytemplate();
diff -Nru node-dot-1.1.1/debian/tests/resources/mytemplate.dot node-dot-1.1.1/debian/tests/resources/mytemplate.dot
--- node-dot-1.1.1/debian/tests/resources/mytemplate.dot 1970-01-01 00:00:00.000000000 +0000
+++ node-dot-1.1.1/debian/tests/resources/mytemplate.dot 2020-03-21 08:13:36.000000000 +0000
@@ -0,0 +1 @@
+html
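Review bot: In debian/tests/cve-2020-8141 the verdict rests only on `grep 25`, so any failure of the node run (module not resolved, template directory missing, an exception) prints no 25 on stdout and is reported as "node-dot seems patched". The test therefore fails open, which is the wrong direction for a security regression check. The pattern is also unanchored and matches a 25 anywhere in stdout. Capturing the output, stopping on a non-zero node exit and matching the whole line with `grep -qx 25` makes it fail closed; this assumes the script exits 0 on a patched package, which a patched run should confirm. The `cd debian/tests` is likewise unchecked when the script runs without `-e`, as it would when invoked directly through the `Tests:` stanza.

```shell
cd debian/tests || exit 2
if ! out=$(node ./cve-2020-8141.js); then
    echo "cve-2020-8141.js did not run cleanly, result inconclusive"
    exit 2
fi
if printf '%s\n' "$out" | grep -qx 25; then
    # … unchanged: "vulnerable" message and exit 1, else "seems patched" …
fi
```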
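Review bot: In debian/tests/cve-2020-8141.js both comments trail the statement before the one they describe, so `// prototype pollution attack vector` reads as a remark on the `require` line rather than on the `Object.prototype.templateSettings` assignment. Put each comment on its own line above its statement, and add a header such as `// Regression check for CVE-2020-8141: prints 25 only if an inherited templateSettings reaches the compiler.` The first `var doT = require("dot");` is never used; drop it, or say in a comment that the module is deliberately loaded before the prototype is modified, if that is the intent.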

Here is a sample template