[Buildroot] [git commit branch/2021.02.x] package/jszip: fix CVE-2021-23413
Peter Korsgaard
peter at korsgaard.com
Sat Sep 4 20:25:56 UTC 2021
commit: https://git.buildroot.net/buildroot/commit/?id=eddbbbabc7f41a3e3ff6dd71ccb86a517079a558
branch: https://git.buildroot.net/buildroot/commit/?id=refs/heads/2021.02.x
This affects the package jszip before 3.7.0. Crafting a new zip file
with filenames set to Object prototype values (e.g. __proto__, toString,
etc.) results in a returned object with a modified prototype instance.
Signed-off-by: Fabrice Fontaine <fontaine.fabrice at gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni at bootlin.com>
(cherry picked from commit 921830e92d8bc79c444b9c03d9af4242226434e6)
Signed-off-by: Peter Korsgaard <peter at korsgaard.com>
---
...se-a-null-prototype-object-for-this-files.patch | 56 ++++++++++++++++++++++
package/jszip/jszip.mk | 3 ++
2 files changed, 59 insertions(+)
diff --git a/package/jszip/0001-fix-Use-a-null-prototype-object-for-this-files.patch b/package/jszip/0001-fix-Use-a-null-prototype-object-for-this-files.patch
new file mode 100644
index 0000000000..969db5b403
--- /dev/null
+++ b/package/jszip/0001-fix-Use-a-null-prototype-object-for-this-files.patch
@@ -0,0 +1,56 @@
+From 22357494f424178cb416cdb7d93b26dd4f824b36 Mon Sep 17 00:00:00 2001
+From: Michael Aquilina <michaelaquilina at gmail.com>
+Date: Mon, 14 Jun 2021 12:28:46 +0100
+Subject: [PATCH] fix: Use a null prototype object for this.files
+
+This approach is taken to prevent overriding object methods that would
+exist on a normal object Object.create({})
+
+[Retrieved from:
+https://github.com/Stuk/jszip/commit/22357494f424178cb416cdb7d93b26dd4f824b36]
+Signed-off-by: Fabrice Fontaine <fontaine.fabrice at gmail.com>
+---
+ lib/index.js | 5 ++++-
+ lib/object.js | 6 +++---
+ 2 files changed, 7 insertions(+), 4 deletions(-)
+
+diff --git a/lib/index.js b/lib/index.js
+index b449877..b4c95ba 100644
+--- a/lib/index.js
++++ b/lib/index.js
+@@ -19,7 +19,10 @@ function JSZip() {
+ // "folder/" : {...},
+ // "folder/data.txt" : {...}
+ // }
+- this.files = {};
++ // NOTE: we use a null prototype because we do not
++ // want filenames like "toString" coming from a zip file
++ // to overwrite methods and attributes in a normal Object.
++ this.files = Object.create(null);
+
+ this.comment = null;
+
+diff --git a/lib/object.js b/lib/object.js
+index 1c9d8e8..aec3db7 100644
+--- a/lib/object.js
++++ b/lib/object.js
+@@ -179,16 +179,16 @@ var out = {
+ */
+ forEach: function(cb) {
+ var filename, relativePath, file;
++ /* jshint ignore:start */
++ // ignore warning about unwanted properties because this.files is a null prototype object
+ for (filename in this.files) {
+- if (!this.files.hasOwnProperty(filename)) {
+- continue;
+- }
+ file = this.files[filename];
+ relativePath = filename.slice(this.root.length, filename.length);
+ if (relativePath && filename.slice(0, this.root.length) === this.root) { // the file is in the current root
+ cb(relativePath, file); // TODO reverse the parameters ? need to be clean AND consistent with the filter search fn...
+ }
+ }
++ /* jshint ignore:end */
+ },
+
+ /**
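Review bot: With `this.files = Object.create(null)`, `files` no longer inherits `hasOwnProperty`, `toString` or any other `Object.prototype` member, and the added NOTE comment does not say so. The `forEach` change removes the one `this.files.hasOwnProperty(filename)` call shown, but any other call of that form would now throw a TypeError, whether in the rest of lib/ or in code that reads the `files` property directly; this hunk does not show whether such calls exist. A sentence next to the NOTE would help, such as `// callers must use Object.prototype.hasOwnProperty.call(this.files, name)`, along with a check of the web content shipped on the target that uses this library. Both `JSZip()` and `forEach` extend beyond the context quoted in the patch.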
diff --git a/package/jszip/jszip.mk b/package/jszip/jszip.mk
index 04bd0a7b34..13ea377169 100644
--- a/package/jszip/jszip.mk
+++ b/package/jszip/jszip.mk
@@ -9,6 +9,9 @@ JSZIP_SITE = $(call github,Stuk,jszip,v$(JSZIP_VERSION))
JSZIP_LICENSE = MIT or GPL-3.0
JSZIP_LICENSE_FILES = LICENSE.markdown
+# 0001-fix-Use-a-null-prototype-object-for-this-files.patch
+JSZIP_IGNORE_CVES += CVE-2021-23413
+
define JSZIP_INSTALL_TARGET_CMDS
$(INSTALL) -m 0644 -D $(@D)/dist/jszip.min.js \
$(TARGET_DIR)/var/www/jszip/js/jszip.min.js
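Review bot: `JSZIP_IGNORE_CVES += CVE-2021-23413` may mark the CVE as fixed while the file that reaches the target is unchanged, because the added patch only touches `lib/index.js` and `lib/object.js` and the install step at the end of this hunk copies the prebuilt `dist/jszip.min.js`. No build step that regenerates `dist/` from `lib/` is visible here (the rest of jszip.mk is outside the hunk), so this needs confirming, for example by checking that the installed `jszip.min.js` creates `files` with `Object.create(null)`. If the bundle is not rebuilt, the fix should also patch `dist/` or bump `JSZIP_VERSION` to 3.7.0 or later, and the ignore entry should wait until then. The `define JSZIP_INSTALL_TARGET_CMDS` block continues past the end of the hunk.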