[Buildroot] [PATCH 1/1] package/jszip: fix CVE-2021-23413
Thomas Petazzoni
thomas.petazzoni at bootlin.com
Thu Aug 12 21:54:55 UTC 2021
On Mon, 9 Aug 2021 12:00:37 +0200
Fabrice Fontaine <fontaine.fabrice at gmail.com> wrote:
> This affects the package jszip before 3.7.0. Crafting a new zip file
> with filenames set to Object prototype values (e.g. __proto__, toString,
> etc) results in a returned object with a modified prototype instance.
>
> Signed-off-by: Fabrice Fontaine <fontaine.fabrice at gmail.com>
> ---
> ...null-prototype-object-for-this-files.patch | 56 +++++++++++++++++++
> package/jszip/jszip.mk | 3 +
> 2 files changed, 59 insertions(+)
> create mode 100644 package/jszip/0001-fix-Use-a-null-prototype-object-for-this-files.patch
Applied to master, thanks.
Thomas
--
Thomas Petazzoni, CTO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com
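
The behaviour described in the quoted commit message, shown as an added JavaScript example that is not part of the original thread and is not JSZip's own code. `indexEntries` and `report` are hypothetical helpers and the entry names are constructed sample input; the example stores entries by filename first in a plain object and then in a null-prototype object, the approach named in the patch title.

```javascript
// Added illustration: a simplified filename index, not JSZip's actual code.
// indexEntries() and report() are hypothetical helpers; the names are constructed.
function indexEntries(names, files) {
  for (const name of names) {
    // Archive-controlled string used directly as a property key.
    files[name] = { name: name, dir: name.endsWith('/') };
  }
  return files;
}

function report(files) {
  const proto = Object.getPrototypeOf(files);
  return {
    // What a caller iterating the archive's entries would see.
    ownNames: Object.keys(files),
    hasProtoEntry: Object.prototype.hasOwnProperty.call(files, '__proto__'),
    // True when an entry object has become the map's prototype.
    prototypeIsEntry: proto !== null && proto !== Object.prototype,
    // Property that leaks in through the replaced prototype, if any.
    inheritedName: 'name' in files ? files.name : undefined,
    // Lookup of a name that is NOT in the archive.
    phantomLookup: files['constructor'] !== undefined,
  };
}

// Constructed sample entry names, as they might appear in a zip's central directory.
const sampleNames = ['readme.txt', '__proto__', 'toString'];

// Before the fix: plain object, so '__proto__' hits the inherited setter.
const plain = report(indexEntries(sampleNames, {}));
// After the fix: null-prototype object, every name is an ordinary own key.
const hardened = report(indexEntries(sampleNames, Object.create(null)));

console.log('plain object   :', plain);
console.log('null prototype :', hardened);
```

With the plain object the `__proto__` entry disappears from the listing and becomes the map's prototype, while the null-prototype map lists all three names and returns `undefined` for names that are not in the archive.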