node-ini: CVE-2020-7788

Related Vulnerabilities: CVE-2020-7788  

Debian Bug report logs - #977718


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Sat, 19 Dec 2020 14:21:02 UTC

Severity: important

Tags: security, upstream

Found in version node-ini/1.3.5-1

Fixed in version node-ini/2.0.0-1

Done: Xavier Guimard <yadd@debian.org>



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>:
Bug#977718; Package src:node-ini. (Sat, 19 Dec 2020 14:21:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>. (Sat, 19 Dec 2020 14:21:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: node-ini: CVE-2020-7788
Date: Sat, 19 Dec 2020 15:17:58 +0100
Source: node-ini
Version: 1.3.5-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>

Hi,

The following vulnerability was published for node-ini.

CVE-2020-7788[0]:
| This affects the package ini before 1.3.6. If an attacker submits a
| malicious INI file to an application that parses it with ini.parse,
| they will pollute the prototype on the application. This can be
| exploited further depending on the context.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2020-7788
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7788
[1] https://snyk.io/vuln/SNYK-JS-INI-1048974
[2] https://github.com/npm/ini/commit/56d2805e07ccd94e2ba0984ac9240ff02d44b6f1

Regards,
Salvatore
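The CVE text above describes an INI file whose section or key names reach the parsed object's prototype chain. The following is an added example (not code from the npm `ini` package, its fix commit, or this bug report) of a minimal INI parser that applies the defensive measures a practitioner would want here: prototype-chain names are dropped rather than assigned, and every result object is created with a null prototype. The sample input and the `parseIniSafe`/`checkNotPolluted` names are constructed for the example.

```javascript
// Added example, not the "ini" package's code: a minimal section/key INI
// parser hardened against the prototype-pollution class of CVE-2020-7788.
// Names that address the prototype chain are refused; objects are built with
// Object.create(null) so no assignment can reach Object.prototype.

const FORBIDDEN = new Set(['__proto__', 'constructor', 'prototype']);

function isSafeKey(key) {
  return !FORBIDDEN.has(key);
}

function parseIniSafe(text) {
  const out = Object.create(null);   // null prototype: no inherited setters
  let section = out;
  for (const rawLine of text.split(/\r?\n/)) {
    const line = rawLine.trim();
    if (line === '' || line.startsWith(';') || line.startsWith('#')) continue;
    const sec = /^\[(.+)\]$/.exec(line);
    if (sec) {
      const name = sec[1].trim();
      if (!isSafeKey(name)) {
        section = Object.create(null); // sink: keys of a forbidden section are discarded
        continue;
      }
      if (out[name] === undefined) out[name] = Object.create(null);
      section = out[name];
      continue;
    }
    const eq = line.indexOf('=');
    if (eq === -1) continue;         // not a key=value line; ignore
    const key = line.slice(0, eq).trim();
    const value = line.slice(eq + 1).trim();
    if (!isSafeKey(key)) continue;   // drop keys that would target the prototype chain
    section[key] = value;
  }
  return out;
}

// Constructed sample input: a benign config with the kind of section and key
// names the CVE description is about mixed in.
const SAMPLE = [
  'name = demo',
  '[__proto__]',
  'polluted = yes',
  '[server]',
  'port = 8080',
  '__proto__ = x',
].join('\n');

// Returns true when parsing left Object.prototype untouched and kept the benign data.
function checkNotPolluted() {
  const cfg = parseIniSafe(SAMPLE);
  return ({}).polluted === undefined && cfg.name === 'demo' && cfg.server.port === '8080';
}
```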



Reply sent to Xavier Guimard <yadd@debian.org>:
You have taken responsibility. (Sat, 19 Dec 2020 18:39:05 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sat, 19 Dec 2020 18:39:05 GMT)


Message #10 received at 977718-close@bugs.debian.org:

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 977718-close@bugs.debian.org
Subject: Bug#977718: fixed in node-ini 2.0.0-1
Date: Sat, 19 Dec 2020 18:35:42 +0000
Source: node-ini
Source-Version: 2.0.0-1
Done: Xavier Guimard <yadd@debian.org>

We believe that the bug you reported is fixed in the latest version of
node-ini, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 977718@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Xavier Guimard <yadd@debian.org> (supplier of updated node-ini package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Sat, 19 Dec 2020 18:52:24 +0100
Source: node-ini
Architecture: source
Version: 2.0.0-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>
Changed-By: Xavier Guimard <yadd@debian.org>
Closes: 977718
Changes:
 node-ini (2.0.0-1) unstable; urgency=medium
 .
   * Team upload
 .
   [ Debian Janitor ]
   * Trim trailing whitespace.
   * Use secure copyright file specification URI.
   * Bump debhelper from old 11 to 12.
   * Set debhelper-compat version in Build-Depends.
   * Set upstream metadata fields: Bug-Database, Repository, Repository-
     Browse.
   * Set upstream metadata fields: Bug-Submit.
   * Apply multi-arch hints. + node-ini: Add Multi-Arch: foreign.
 .
   [ Xavier Guimard ]
   * Bump debhelper compatibility level to 13
   * Declare compliance with policy 4.5.1
   * Add "Rules-Requires-Root: no"
   * Add debian/gbp.conf
   * Modernize debian/watch
   * Use dh-sequence-nodejs auto test & install
   * New upstream version 2.0.0 (Closes: #977718)






Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Jan 9 11:21:43 2021; Machine Name: bembo
