[Buildroot] [PATCH 1/1] package/jszip: fix CVE-2021-23413

Thomas Petazzoni thomas.petazzoni at bootlin.com
Thu Aug 12 21:54:55 UTC 2021


On Mon,  9 Aug 2021 12:00:37 +0200
Fabrice Fontaine <fontaine.fabrice at gmail.com> wrote:

> This affects the package jszip before 3.7.0. Crafting a new zip file
> with filenames set to Object prototype values (e.g. __proto__, toString,
> etc) results in a returned object with a modified prototype instance.
> 
> Signed-off-by: Fabrice Fontaine <fontaine.fabrice at gmail.com>
> ---
>  ...null-prototype-object-for-this-files.patch | 56 +++++++++++++++++++
>  package/jszip/jszip.mk                        |  3 +
>  2 files changed, 59 insertions(+)
>  create mode 100644 package/jszip/0001-fix-Use-a-null-prototype-object-for-this-files.patch

Applied to master, thanks.

Thomas
-- 
Thomas Petazzoni, CTO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com
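The mechanism behind the CVE quoted above, shown on a simplified file table rather than on jszip itself (this is an added example, not jszip's code or the patch: the entry list, the `buildFiles*` and `hasEntry` functions and the `prototypeWasReplaced` check are all constructed here). A plain object keyed by untrusted archive entry names turns an entry named `__proto__` into a prototype assignment; a null-prototype container, which is what the patch title "Use a null prototype object for this.files" describes, stores the same name as an ordinary key.

```javascript
// Constructed sample entries, as a parser of a crafted archive might hand them
// back: one ordinary file, one named after the prototype accessor, one named
// after a built-in method.
const ENTRIES = [
  { name: "README.txt", data: "hello" },
  { name: "__proto__", data: "polluted" },
  { name: "toString", data: "shadowed" },
];

// Vulnerable pattern: a plain object literal keyed by attacker-controlled names.
// Assigning files["__proto__"] invokes the inherited __proto__ setter and
// replaces the table's prototype with the entry object.
function buildFilesPlain(entries) {
  const files = {};
  for (const e of entries) {
    files[e.name] = { name: e.name, data: e.data };
  }
  return files;
}

// Hardened pattern: a container with no prototype at all. "__proto__" and
// "toString" are then plain own properties with no special meaning.
function buildFilesNullProto(entries) {
  const files = Object.create(null);
  for (const e of entries) {
    files[e.name] = { name: e.name, data: e.data };
  }
  return files;
}

// Defensive check a consumer could run: has the table's prototype been
// swapped for something other than Object.prototype or null?
function prototypeWasReplaced(files) {
  const proto = Object.getPrototypeOf(files);
  return proto !== Object.prototype && proto !== null;
}

// Own-property lookup that does not consult the prototype chain, so a
// polluted table cannot make a missing entry appear to exist.
function hasEntry(files, name) {
  return Object.prototype.hasOwnProperty.call(files, name);
}

// Stand-alone demonstration of both tables.
const plain = buildFilesPlain(ENTRIES);
const safe = buildFilesNullProto(ENTRIES);
console.log("plain table prototype replaced:", prototypeWasReplaced(plain));
console.log("plain table inherits 'data':", plain.data);
console.log("null-proto table prototype replaced:", prototypeWasReplaced(safe));
console.log("null-proto table has own '__proto__' entry:", hasEntry(safe, "__proto__"));
```

With the plain object, `Object.keys(plain)` no longer lists `__proto__` at all, yet every property lookup on the table now falls through to the injected entry object; with `Object.create(null)` the entry is visible, enumerable and inert.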

