CVE-2018-3750: Prototype Pollution

Related Vulnerabilities: CVE-2018-3750  

Debian Bug report logs - #926616
CVE-2018-3750: Prototype Pollution


Reported by: Jeff Cliff <jeffrey.cliff@gmail.com>

Date: Sun, 7 Apr 2019 22:24:02 UTC

Severity: important

Tags: security, upstream

Found in version node-deep-extend/0.4.1-1

Fixed in version node-deep-extend/0.4.1-2

Done: Xavier Guimard <yadd@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, jeffrey.cliff@gmail.com, Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>:
Bug#926616; Package node-deep-extend. (Sun, 07 Apr 2019 22:24:04 GMT) (full text, mbox, link).


Acknowledgement sent to Jeff Cliff <jeffrey.cliff@gmail.com>:
New Bug report received and forwarded. Copy sent to jeffrey.cliff@gmail.com, Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>. (Sun, 07 Apr 2019 22:24:04 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Jeff Cliff <jeffrey.cliff@gmail.com>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2018-3750: Prototype Pollution
Date: Sun, 07 Apr 2019 18:22:00 -0400
Package: node-deep-extend
Version: 0.4.1-1
Severity: important

Dear Maintainer,

As per the Ubuntu bug report:

from https://snyk.io/vuln/npm:deep-extend:20180409 :

deep-extend "all the listed modules can be tricked into modifying the prototype of "Object" 
when the attacker control part of the structure passed to these function."

This is verifiably true on at least buster, given the PoC listed in the above URL, but
since it's the same deep-extend in sid, it's probably the same there.

The following commit apparently fixes this: (though I haven't verified that)

https://github.com/unclechu/node-deep-extend/commit/433ee51ed606f4e1867ece57b6ff5a47bebb492f



-- System Information:
Debian Release: buster/sid
  APT prefers testing-debug
  APT policy: (500, 'testing-debug'), (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_CA.UTF-8, LC_CTYPE=en_CA.UTF-8 (charmap=UTF-8), LANGUAGE=en_CA:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages node-deep-extend depends on:
ii  nodejs  10.15.2~dfsg-1

node-deep-extend recommends no packages.

node-deep-extend suggests no packages.

-- debconf-show failed



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>:
Bug#926616; Package node-deep-extend. (Mon, 08 Apr 2019 06:45:07 GMT) (full text, mbox, link).


Acknowledgement sent to Xavier <yadd@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>. (Mon, 08 Apr 2019 06:45:07 GMT) (full text, mbox, link).


Message #10 received at 926616@bugs.debian.org (full text, mbox, reply):

From: Xavier <yadd@debian.org>
To: Jeff Cliff <jeffrey.cliff@gmail.com>
Cc: 926616@bugs.debian.org
Subject: Re: [Pkg-javascript-devel] Bug#926616: CVE-2018-3750: Prototype Pollution
Date: Mon, 8 Apr 2019 08:07:39 +0200
Control: tags -1 + security

On 08/04/2019 at 00:22, Jeff Cliff wrote:
> Package: node-deep-extend
> Version: 0.4.1-1
> Severity: important
> 
> Dear Maintainer,
> 
> As per the Ubuntu bug report:
> 
> from https://snyk.io/vuln/npm:deep-extend:20180409 :
> 
> deep-extend "all the listed modules can be tricked into modifying the prototype of "Object" 
> when the attacker control part of the structure passed to these function."
> 
> This is verifiably true on at least buster, given the PoC listed in the above URL, but
> since it's the same deep-extend in sid, it's probably the same there.
> 
> The following commit apparently fixes this: (though I haven't verified that)
> 
> https://github.com/unclechu/node-deep-extend/commit/433ee51ed606f4e1867ece57b6ff5a47bebb492f

Hello,

This issue is referenced in
https://security-tracker.debian.org/tracker/CVE-2018-3750 and marked as
"unimportant".

The commit that fixes this is:
https://github.com/unclechu/node-deep-extend/commit/9423fae877e2ab6b4aecc4db79a0ed63039d4703
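The prototype pollution reported above and the kind of key filter the upstream fix introduces, as an added example that is not part of this bug log or of deep-extend's own code: a small deep-extend-style merge run without and with the filter, plus a check that reports whether Object.prototype was modified. It also skips "constructor" and "prototype", which goes beyond the single "__proto__" check; all function names and the sample input are assumptions.

```javascript
// Added illustration, not deep-extend's own source: a minimal recursive merge
// in the style of deep-extend, run without and with the key filter that the
// upstream fix introduces. All names here are hypothetical.

function isPlainObject(v) {
  return v !== null && typeof v === 'object' && !Array.isArray(v);
}

// Copies every own key of `src` into `dst`, recursing into nested objects,
// except keys listed in `forbidden`. With an empty set this is the unpatched
// behaviour: JSON.parse creates an own property literally named "__proto__",
// reading dst["__proto__"] yields Object.prototype, and the recursion then
// writes into the prototype shared by every object in the process.
function merge(dst, src, forbidden) {
  for (const key of Object.keys(src)) {
    if (forbidden.has(key)) continue;
    const val = src[key];
    if (isPlainObject(val)) {
      if (!isPlainObject(dst[key])) dst[key] = {};
      merge(dst[key], val, forbidden);
    } else {
      dst[key] = val;
    }
  }
  return dst;
}

// Unpatched form, and the patched form. The upstream fix skips "__proto__";
// "constructor" and "prototype" are skipped here as well, because a merge that
// also recurses into functions can reach Object.prototype via constructor.prototype.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
const mergeUnsafe = (dst, src) => merge(dst, src, new Set());
const mergeSafe = (dst, src) => merge(dst, src, FORBIDDEN_KEYS);

// Check: merge untrusted JSON into a fresh object and report whether
// Object.prototype gained an own property named `probe`; the probe is deleted
// afterwards so the check leaves the runtime clean.
function pollutesPrototype(mergeFn, jsonText, probe) {
  mergeFn({}, JSON.parse(jsonText));
  const hit = Object.prototype.hasOwnProperty.call(Object.prototype, probe);
  delete Object.prototype[probe];
  return hit;
}

// Constructed sample input, shaped like the public PoC for this bug class.
const SAMPLE = '{"__proto__": {"polluted": "yes"}, "name": "config"}';
```

Running `pollutesPrototype(mergeUnsafe, SAMPLE, 'polluted')` returns true and the same call with `mergeSafe` returns false, while benign keys such as `name` are still merged.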



Added tag(s) security. Request was from Xavier <yadd@debian.org> to 926616-submit@bugs.debian.org. (Mon, 08 Apr 2019 06:45:07 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>:
Bug#926616; Package node-deep-extend. (Mon, 08 Apr 2019 06:54:02 GMT) (full text, mbox, link).


Acknowledgement sent to paolo.greppi@libpf.com:
Extra info received and forwarded to list. Copy sent to Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>. (Mon, 08 Apr 2019 06:54:02 GMT) (full text, mbox, link).


Message #17 received at 926616@bugs.debian.org (full text, mbox, reply):

From: Paolo Greppi <paolo.greppi@libpf.com>
To: 926616@bugs.debian.org
Subject: Re: [Pkg-javascript-devel] Bug#926616: CVE-2018-3750: Prototype Pollution
Date: Mon, 8 Apr 2019 08:44:45 +0200
Quick research:

https://www.npmjs.com/advisories/612

node-deep-extend popcon = ~1900

apt-cache rdepends node-deep-extend
node-deep-extend
Reverse Depends:
  node-rc

The watch file for node-rc is not picking up new releases because upstream uses the commit message to tag them instead of a real tag...

Anyway, the new version of deep-extend has been included in rc 1.2.7, released on 2018-04-29:
https://github.com/dominictarr/rc/commit/b63377974f60bc5207c15bc8f465e28d2c7e1945

So the bottom line is, to fix this we should:
- update node-deep-extend to 0.5.1
- update node-rc from 1.1.6 to 1.2.8

P.



Added tag(s) upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Mon, 08 Apr 2019 07:39:09 GMT) (full text, mbox, link).


Message sent on to Jeff Cliff <jeffrey.cliff@gmail.com>:
Bug#926616. (Mon, 08 Apr 2019 13:15:16 GMT) (full text, mbox, link).


Message #22 received at 926616-submitter@bugs.debian.org (full text, mbox, reply):

From: Xavier Guimard <noreply@salsa.debian.org>
To: 926616-submitter@bugs.debian.org
Subject: Bug #926616 in node-deep-extend marked as pending
Date: Mon, 08 Apr 2019 13:10:17 +0000
Control: tag -1 pending

Hello,

Bug #926616 in node-deep-extend reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:

https://salsa.debian.org/js-team/node-deep-extend/commit/c036a477d74f30bb24b43b4e842eafeeb996abd4

------------------------------------------------------------------------
Add patch to prevent Object prototype pollution

(Closes: #926616, CVE-2018-3750)
------------------------------------------------------------------------

(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/926616



Added tag(s) pending. Request was from Xavier Guimard <noreply@salsa.debian.org> to 926616-submitter@bugs.debian.org. (Mon, 08 Apr 2019 13:15:16 GMT) (full text, mbox, link).


Reply sent to Xavier Guimard <yadd@debian.org>:
You have taken responsibility. (Mon, 08 Apr 2019 13:21:04 GMT) (full text, mbox, link).


Notification sent to Jeff Cliff <jeffrey.cliff@gmail.com>:
Bug acknowledged by developer. (Mon, 08 Apr 2019 13:21:04 GMT) (full text, mbox, link).


Message #29 received at 926616-close@bugs.debian.org (full text, mbox, reply):

From: Xavier Guimard <yadd@debian.org>
To: 926616-close@bugs.debian.org
Subject: Bug#926616: fixed in node-deep-extend 0.4.1-2
Date: Mon, 08 Apr 2019 13:18:48 +0000
Source: node-deep-extend
Source-Version: 0.4.1-2

We believe that the bug you reported is fixed in the latest version of
node-deep-extend, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 926616@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Xavier Guimard <yadd@debian.org> (supplier of updated node-deep-extend package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Mon, 08 Apr 2019 14:52:06 +0200
Source: node-deep-extend
Architecture: source
Version: 0.4.1-2
Distribution: unstable
Urgency: medium
Maintainer: Xavier Guimard <yadd@debian.org>
Changed-By: Xavier Guimard <yadd@debian.org>
Closes: 926616
Changes:
 node-deep-extend (0.4.1-2) unstable; urgency=medium
 .
   * Team upload
   * Add patch to prevent Object prototype pollution
     (Closes: #926616, CVE-2018-3750)
   * Enable upstream tests using pkg-js-tools
   * Fix VCS fields
   * Fix debian/copyright years
   * Add upstream/metadata
   * Change section to javascript




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>:
Bug#926616; Package node-deep-extend. (Mon, 08 Apr 2019 15:24:03 GMT) (full text, mbox, link).


Acknowledgement sent to Xavier <yadd@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>. (Mon, 08 Apr 2019 15:24:03 GMT) (full text, mbox, link).


Message #34 received at 926616@bugs.debian.org (full text, mbox, reply):

From: Xavier <yadd@debian.org>
To: 926616@bugs.debian.org
Subject: Fwd: Bug#926650 closed by Ivo De Decker <ivodd@respighi.debian.org> (unblock node-deep-extend)
Date: Mon, 8 Apr 2019 17:21:24 +0200
node-deep-extend 0.4.1-2 is unblocked


-------- Forwarded Message --------
Subject: Bug#926650 closed by Ivo De Decker <ivodd@respighi.debian.org>
(unblock node-deep-extend)
Date: Mon, 08 Apr 2019 14:36:04 +0000
From: Debian Bug Tracking System <owner@bugs.debian.org>
Reply-To: 926650@bugs.debian.org
To: Xavier Guimard <yadd@debian.org>

This is an automatic notification regarding your Bug report
which was filed against the release.debian.org package:

#926650: unblock: node-deep-extend/0.4.1-2

It has been closed by Ivo De Decker <ivodd@respighi.debian.org>.

Their explanation is attached below along with your original report.
If this explanation is unsatisfactory and you have not received a
better one in a separate message then please contact Ivo De Decker
<ivodd@respighi.debian.org> by
replying to this email.


-- 
926650: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=926650
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 08 May 2019 07:26:23 GMT) (full text, mbox, link).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 19:02:11 2019; Machine Name: buxtehude
