Version in base suite: 11.1.1-1 Base version: node-yargs-parser_11.1.1-1 Target version: node-yargs-parser_11.1.1-1+deb10u1 Base file: /srv/ftp-master.debian.org/ftp/pool/main/n/node-yargs-parser/node-yargs-parser_11.1.1-1.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/n/node-yargs-parser/node-yargs-parser_11.1.1-1+deb10u1.dsc changelog | 7 ++++++ patches/CVE-2020-7608.diff | 51 +++++++++++++++++++++++++++++++++++++++++++++ patches/series | 1 rules | 4 +++ tests/CVE-2020-7608.js | 3 ++ 5 files changed, 66 insertions(+)
diff -Nru node-yargs-parser-11.1.1/debian/changelog node-yargs-parser-11.1.1/debian/changelog
--- node-yargs-parser-11.1.1/debian/changelog 2019-01-22 16:13:30.000000000 +0000
+++ node-yargs-parser-11.1.1/debian/changelog 2020-03-24 09:22:44.000000000 +0000
@@ -1,3 +1,10 @@
+node-yargs-parser (11.1.1-1+deb10u1) buster; urgency=medium
+
+ * Team upload
+ * Fix prototype pollution and add test (Closes: CVE-2020-7608)
+
+ -- Xavier Guimard Tue, 24 Mar 2020 10:22:44 +0100
+
 node-yargs-parser (11.1.1-1) unstable; urgency=medium
 
 [ Utkarsh Gupta ]
diff -Nru node-yargs-parser-11.1.1/debian/patches/CVE-2020-7608.diff node-yargs-parser-11.1.1/debian/patches/CVE-2020-7608.diff
--- node-yargs-parser-11.1.1/debian/patches/CVE-2020-7608.diff 1970-01-01 00:00:00.000000000 +0000
+++ node-yargs-parser-11.1.1/debian/patches/CVE-2020-7608.diff 2020-03-24 09:22:44.000000000 +0000
@@ -0,0 +1,51 @@
+Description: fix prototype pollution
+Author: Benjamin E. Coe
+Bug: https://github.com/yargs/yargs-parser/pull/258
+ https://snyk.io/vuln/SNYK-JS-YARGSPARSER-560381
+Forwarded: not-needed
+Reviewed-By: Xavier Guimard
+Last-Update: 2020-03-24
+
+--- a/index.js
++++ b/index.js
+@@ -618,10 +618,11 @@
+ if (!configuration['dot-notation']) keys = [keys.join('.')]
+
+ keys.slice(0, -1).forEach(function (key) {
+- o = (o[key] || {})
++ key = sanitizeKey(key)
++ o = (o[key])
+ })
+
+- var key = keys[keys.length - 1]
++ var key = sanitizeKey(keys[keys.length - 1])
+
+ if (typeof o !== 'object') return false
+ else return key in o
+@@ -633,6 +634,7 @@
+ if (!configuration['dot-notation']) keys = [keys.join('.')]
+
+ keys.slice(0, -1).forEach(function (key, index) {
++ key = sanitizeKey(key)
+ if (typeof o === 'object' && o[key] === undefined) {
+ o[key] = {}
+ }
+@@ -652,7 +654,7 @@
+ }
+ })
+
+- var key = keys[keys.length - 1]
++ var key = sanitizeKey(keys[keys.length - 1])
+
+ var isTypeArray = checkAllAliases(keys.join('.'), flags.arrays)
+ var isValueArray = Array.isArray(value)
+@@ -863,4 +865,9 @@
+ return parse(args.slice(), opts)
+ }
+
++function sanitizeKey (key) {
++ if (key === '__proto__') return '___proto___'
++ return key
++}
++
+ module.exports = Parser
diff -Nru node-yargs-parser-11.1.1/debian/patches/series node-yargs-parser-11.1.1/debian/patches/series
--- node-yargs-parser-11.1.1/debian/patches/series 1970-01-01 00:00:00.000000000 +0000
+++ node-yargs-parser-11.1.1/debian/patches/series 2020-03-24 09:22:44.000000000 +0000
@@ -0,0 +1 @@
+CVE-2020-7608.diff
diff -Nru node-yargs-parser-11.1.1/debian/rules node-yargs-parser-11.1.1/debian/rules
--- node-yargs-parser-11.1.1/debian/rules 2019-01-22 16:08:26.000000000 +0000
+++ node-yargs-parser-11.1.1/debian/rules 2020-03-24 09:22:44.000000000 +0000
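Review bot: In the first index.js hunk of the embedded patch (`@@ -618,10 +618,11 @@`, inside hasKey), the replacement line `o = (o[key])` drops the `|| {}` fallback the removed line had, so when an intermediate path segment is absent `o` becomes undefined and the next iteration's `o[key]` throws a TypeError instead of hasKey returning false; unless the fallback was dropped deliberately (or lost when this page was flattened), keep `o = (o[key] || {})` after the sanitizeKey call. The new sanitizeKey function at the end of the patch has no comment saying why the key is renamed rather than rejected; I would add `// A '__proto__' path segment would walk into Object.prototype (CVE-2020-7608); rename it so the value stays an own property of argv.` above it. Only `__proto__` is rewritten, and whether other segments that resolve to inherited properties are neutralised depends on the setKey branch that lies outside the quoted hunk, so that case deserves a regression test alongside the `__proto__` one. Both hasKey and setKey start and end outside the quoted hunks.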
@@ -10,4 +10,8 @@
 override_dh_auto_test:
 ifeq (,$(filter nocheck,$(DEB_BUILD_OPTIONS)))
 mocha test/*.js
+ if node debian/tests/CVE-2020-7608.js|egrep ^baz; then \
+ echo "Vulnerable to CVE-2020-7608"; \
+ exit 1; \
+ fi
 endif
diff -Nru node-yargs-parser-11.1.1/debian/tests/CVE-2020-7608.js node-yargs-parser-11.1.1/debian/tests/CVE-2020-7608.js
--- node-yargs-parser-11.1.1/debian/tests/CVE-2020-7608.js 1970-01-01 00:00:00.000000000 +0000
+++ node-yargs-parser-11.1.1/debian/tests/CVE-2020-7608.js 2020-03-24 09:22:44.000000000 +0000
@@ -0,0 +1,3 @@
+const parser = require("../..");
+console.log(parser('--foo.__proto__.bar baz'));
+console.log(({}).bar);
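Review bot: The check added to override_dh_auto_test relies on scraping stdout: `egrep ^baz` matches only because debian/tests/CVE-2020-7608.js prints `({}).bar` with console.log, and the pipe discards node's own exit status, so a script that crashes before printing passes the build silently. The test script in the last hunk should fail by itself — replace its final line with `assert.strictEqual(({}).bar, undefined, 'Vulnerable to CVE-2020-7608');` after adding `const assert = require('assert');` at the top — and the rules addition then shrinks to a single `node debian/tests/CVE-2020-7608.js` recipe line whose exit status dh already honours. If the grep form is kept, `egrep` is deprecated in favour of `grep -E`, and each recipe line needs a leading tab that this flattened page cannot show.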