
Debian Bug report logs - #976390
node-y18n: CVE-2020-7774


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Fri, 4 Dec 2020 14:03:02 UTC

Severity: important

Tags: security, upstream

Found in version node-y18n/4.0.0-2

Fixed in version node-y18n/4.0.0-3

Done: Xavier Guimard <yadd@debian.org>

Forwarded to https://github.com/yargs/y18n/issues/96



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>:
Bug#976390; Package src:node-y18n. (Fri, 04 Dec 2020 14:03:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>. (Fri, 04 Dec 2020 14:03:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: node-y18n: CVE-2020-7774
Date: Fri, 04 Dec 2020 15:01:24 +0100
Source: node-y18n
Version: 4.0.0-2
Severity: important
Tags: security upstream
Forwarded: https://github.com/yargs/y18n/issues/96
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>

Hi,

The following vulnerability was published for node-y18n.

CVE-2020-7774[0]:
| This affects the package y18n before 5.0.5. PoC by po6ix: const y18n =
| require('y18n')(); y18n.setLocale('__proto__');
| y18n.updateLocale({polluted: true}); console.log(polluted); // true


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2020-7774
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7774
[1] https://github.com/yargs/y18n/issues/96
[2] https://github.com/yargs/y18n/pull/108
[3] https://snyk.io/vuln/SNYK-JS-Y18N-1021887

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



Message sent on to Salvatore Bonaccorso <carnil@debian.org>:
Bug#976390. (Fri, 04 Dec 2020 14:33:03 GMT)


Message #8 received at 976390-submitter@bugs.debian.org:

From: Xavier Guimard <noreply@salsa.debian.org>
To: 976390-submitter@bugs.debian.org
Subject: Bug#976390 marked as pending in node-y18n
Date: Fri, 04 Dec 2020 14:31:03 +0000
Control: tag -1 pending

Hello,

Bug #976390 in node-y18n reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:

https://salsa.debian.org/js-team/node-y18n/-/commit/8f82174ebfc29bec8e8954c030effd334f5a6250

------------------------------------------------------------------------
Fix prototype pollution (Closes: #976390, CVE-2020-7774)
------------------------------------------------------------------------

(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/976390



Added tag(s) pending. Request was from Xavier Guimard <noreply@salsa.debian.org> to 976390-submitter@bugs.debian.org. (Fri, 04 Dec 2020 14:33:03 GMT)


Reply sent to Xavier Guimard <yadd@debian.org>:
You have taken responsibility. (Fri, 04 Dec 2020 14:48:12 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Fri, 04 Dec 2020 14:48:13 GMT)


Message #15 received at 976390-close@bugs.debian.org:

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 976390-close@bugs.debian.org
Subject: Bug#976390: fixed in node-y18n 4.0.0-3
Date: Fri, 04 Dec 2020 14:45:35 +0000
Source: node-y18n
Source-Version: 4.0.0-3
Done: Xavier Guimard <yadd@debian.org>

We believe that the bug you reported is fixed in the latest version of
node-y18n, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 976390@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Xavier Guimard <yadd@debian.org> (supplier of updated node-y18n package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 04 Dec 2020 15:29:40 +0100
Source: node-y18n
Architecture: source
Version: 4.0.0-3
Distribution: unstable
Urgency: medium
Maintainer: Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>
Changed-By: Xavier Guimard <yadd@debian.org>
Closes: 976390
Changes:
 node-y18n (4.0.0-3) unstable; urgency=medium
 .
   * Team upload
 .
   [ Debian Janitor ]
   * Set debhelper-compat version in Build-Depends.
   * Set upstream metadata fields: Bug-Submit.
   * Remove obsolete fields Contact, Name from debian/upstream/metadata
     (already present in machine-readable debian/copyright).
   * Update standards version to 4.4.1, no changes needed.
   * Update standards version to 4.5.0, no changes needed.
 .
   [ Xavier Guimard ]
   * Bump debhelper compatibility level to 13
   * Add "Rules-Requires-Root: no"
   * Use dh-sequence-nodejs
   * Declare compliance with policy 4.5.1
   * Modernize debian/watch
   * Add test script for CVE-2020-7774
   * Fix prototype pollution (Closes: #976390, CVE-2020-7774)
Checksums-Sha1: 
 571fef7bb8fd06c9823c642fd09694d1fb977df3 2017 node-y18n_4.0.0-3.dsc
 a10e0571b2fb8dfbf7dba21843a159c1aae8f9b1 2976 node-y18n_4.0.0-3.debian.tar.xz
Checksums-Sha256: 
 587915f8010798d65bb9f9e0cd2326ab184d5f5372004fee08aff461fba38d36 2017 node-y18n_4.0.0-3.dsc
 b5be94c5bee284755e83378579538875c4a85435e5683dc0d9ff8ce477ca8404 2976 node-y18n_4.0.0-3.debian.tar.xz
Files: 
 dbfe3fd157954c1e7c5ead4ce380c917 2017 javascript optional node-y18n_4.0.0-3.dsc
 8a31bcdd82042f2eb28a2d6b068c2ef5 2976 javascript optional node-y18n_4.0.0-3.debian.tar.xz

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEAN/li4tVV3nRAF7J9tdMp8mZ7ukFAl/KSBEACgkQ9tdMp8mZ
7ulFBg//Zch8987ChcAO67GBqo1kuVj49iAgqtmUH7mIyKW6rSZoaOJLMFaezt2q
J+jzGmnAus8eTV4KncLmQMjaFfkS3TIAhZufKupZnUuq2A8p+bpuu4njS3xZdS1e
JeNWIkX/Geem2QKVVT00S8bINHdNkboALLUBb+wZ1Ly1gpcJ4jiqyxLKQPa2blTs
eyxBx8UdVZN/VW+AP+uLsXiLQEmdoDBqFmVfo7OXsjeNIHb7GqlxrCR0Za1X+7kQ
pfiKWF9XrwRBNS8DrrnbdvWtVzOoAK/eyeklLJwyoskDG8OocgZnL87Y0NWtnXuC
a0q4SOFOvsLj0QtmpLMae2gxjvM5bh4r7SEkFA/hzVUNI7MhlY20ky/MVJkHkteT
EQTI4ITycLDqbvMUnclNfnKLs70o+BuYKgpqdTs4CD7wkp09xQfaJs9pMvUMPmIr
+gEOJjHFVZ2RQS3UFwk4viZ428HDFkyu2qhfjRoqiFX3OnVOhZviCi2JFoJ3dVc7
XOrCH/tdY5SkhBvMzNdHqsNmPXa5HCL9zDNdUzaE2d/1VH/5rgN327JgBBr8p2Qm
VoGibDJFNlOgVMJulprOmJysOv8GQRla6rWo6OE8uUqlPS8r8NRw8JFeW7ZZnRsS
vJ2PjP5xG768qwWvDcupJSILOccdzUPYLNBkEa0y8iLv2be8HAg=
=+DYz
-----END PGP SIGNATURE-----



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Dec 5 07:57:44 2020; Machine Name: buxtehude
