Control: tags -1 - moreinfo Le 31/03/2021 à 09:52, Sebastian Ramacher a écrit : > Control: tags -1 moreinfo > > On 2021-03-30 22:49:43, Yadd wrote: >> Package: release.debian.org >> Severity: normal >> User: release.debian....@packages.debian.org >> Usertags: unblock >> X-Debbugs-Cc: pkg-javascript-de...@lists.alioth.debian.org >> >> Please unblock package underscore >> >> [ Reason ] >> underscore is vulnerable to arbitrary code execution (#986171, >> CVE-2021-23358) >> >> [ Impact ] >> The CVE advisory provides a PoC demonstrating arbitrary code execution >> >> [ Tests ] >> I added a test to prove that the bug is fixed (based on the PoC). The test fails >> with 1.9.1~dfsg-1 and passes with 1.9.1~dfsg-2 >> >> [ Risks ] >> Patch is trivial. Note: I also imported the Janitor changes: this breaks >> nothing > > The patch looks fine, but please upload a version without the janitor > changes. It's too late for those changes and they can wait for bookworm. > > Cheers
Hi, thanks, done in version 1.9.1~dfsg-3 Cheers, Yadd
diff --git a/debian/changelog b/debian/changelog
index 02cd807..3936261 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,33 @@
+underscore (1.9.1~dfsg-3) unstable; urgency=medium
+
+ * Team upload
+ * Revert Janitor changes as required by release team (#986175)
+
+ -- Yadd <y...@debian.org> Wed, 31 Mar 2021 14:21:21 +0200
+
+underscore (1.9.1~dfsg-2) unstable; urgency=medium
+
+ * Team upload
+
+ [ Debian Janitor ]
+ * Bump debhelper dependency to >= 9, since that's what is used in
+ debian/compat.
+ * Bump debhelper from old 9 to 12.
+ * Set debhelper-compat version in Build-Depends.
+ * Set upstream metadata fields: Bug-Database, Repository, Repository-
+ Browse.
+ * Update standards version to 4.4.1, no changes needed.
+ * Set upstream metadata fields: Bug-Submit.
+ * Update standards version to 4.5.0, no changes needed.
+ * Apply multi-arch hints.
+ + node-underscore: Add Multi-Arch: foreign.
+
+ [ Yadd ]
+ * Mark autopkgtest as superficial
+ * Fix arbitrary code execution and add a test (Closes: #986171)
+
+ -- Yadd <y...@debian.org> Tue, 30 Mar 2021 22:40:59 +0200
+
 underscore (1.9.1~dfsg-1) unstable; urgency=medium
 [ upstream ]
diff --git a/debian/patches/CVE-2021-23358.patch b/debian/patches/CVE-2021-23358.patch
new file mode 100644
index 0000000..2ba4118
--- /dev/null
+++ b/debian/patches/CVE-2021-23358.patch
@@ -0,0 +1,62 @@
+Description: fix arbitrary code execution
+Author: Julian Gonggrijp <d...@juliangonggrijp.com>
+Origin: upstream, https://github.com/jashkenas/underscore/commit/4c73526d
+Bug: https://snyk.io/vuln/SNYK-JS-UNDERSCORE-1080984
+Bug-Debian: https://bugs.debian.org/986171
+Forwarded: not-needed
+Reviewed-By: Xavier Guimard <y...@debian.org>
+Last-Update: 2021-03-30
+
+--- a/underscore.js
++++ b/underscore.js
+@@ -1550,6 +1550,13 @@
+ return '\\' + escapes[match];
+ };
+
++ // In order to prevent third-party code injection through
++ `_.templateSettings.variable`, we test it against the following regular
++ expression. It is intentionally a bit more liberal than just matching valid
++ identifiers, but still prevents possible loopholes through defaults or
++ destructuring assignment.
++ var bareIdentifier = /^\s*(\w|\$)+\s*$/;
++
+ // JavaScript micro-templating, similar to John Resig's implementation.
+ // Underscore templating handles arbitrary delimiters, preserves whitespace,
+ // and correctly escapes quotes within interpolated code.
+@@ -1585,8 +1592,17 @@
+ });
+ source += "';\n";
+
+- // If a variable is not specified, place data values in local scope.
+- if (!settings.variable) source = 'with(obj||{}){\n' + source + '}\n';
++ var argument = settings.variable;
++ if (argument) {
++ // Insure against third-party code injection.
++ if (!bareIdentifier.test(argument)) throw new Error(
++ 'variable is not a bare identifier: ' + argument
++ );
++ } else {
++ // If a variable is not specified, place data values in local scope.
++ source = 'with(obj||{}){\n' + source + '}\n';
++ argument = 'obj';
++ }
+
+ source = "var __t,__p='',__j=Array.prototype.join," +
+ "print=function(){__p+=__j.call(arguments,'');};\n" +
+@@ -1594,7 +1610,7 @@
+
+ var render;
+ try {
+- render = new Function(settings.variable || 'obj', '_', source);
++ render = new Function(argument, '_', source);
+ } catch (e) {
+ e.source = source;
+ throw e;
+@@ -1605,7 +1621,6 @@
+ };
+
+ // Provide the compiled source as a convenience for precompilation.
+- var argument = settings.variable || 'obj';
+ template.source = 'function(' + argument + '){\n' + source + '}';
+
+ return template;
diff --git a/debian/patches/series b/debian/patches/series
index da362d2..7ddac86 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1 +1,2 @@
 2001_docs_privacy.patch
+CVE-2021-23358.patch
diff --git a/debian/tests/CVE-2021-23358 b/debian/tests/CVE-2021-23358
new file mode 100755
index 0000000..a2ae590
--- /dev/null
+++ b/debian/tests/CVE-2021-23358
@@ -0,0 +1,11 @@
+#!/bin/sh
+
+if node debian/tests/CVE-2021-23358.js 2>/dev/null; then
+ rm -f HELLO
+ echo 'Vulnerable to CVE-2021-23358' >&2
+ exit 1
+else
+ echo
+ echo 'Not vulnerable to CVE-2021-23358'
+ exit 0
+fi
diff --git a/debian/tests/CVE-2021-23358.js b/debian/tests/CVE-2021-23358.js
new file mode 100644
index 0000000..fad7c77
--- /dev/null
+++ b/debian/tests/CVE-2021-23358.js
@@ -0,0 +1,3 @@
+const _ = require('underscore');
+_.templateSettings.variable = "a = this.process.mainModule.require('child_process').execSync('touch HELLO')";
+const t = _.template("")();
diff --git a/debian/tests/control b/debian/tests/control
index 7275831..868aa31 100644
--- a/debian/tests/control
+++ b/debian/tests/control
@@ -1 +1,7 @@
 Test-Command: node -e "require('underscore');"
+Depends: @
+Restrictions: superficial
+
+Tests: CVE-2021-23358
+Depends: @
+Restrictions: superficial
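Review bot: The `bareIdentifier` check closes only the `settings.variable` injection vector; the template text and the `escape`/`interpolate`/`evaluate` settings still flow into `new Function(argument, '_', source)` a few lines below, so templates themselves remain trusted input after this patch. That trust boundary is worth stating next to the new check so nobody reads it as making `_.template` safe for untrusted templates, e.g. `// Only \`variable\` is validated here; template text and the delimiter regexes are still compiled verbatim by new Function below and must come from a trusted source.` Note also that `/^\s*(\w|\$)+\s*$/` accepts names such as `1x` or `this` that `new Function` then rejects itself with a SyntaxError instead of the 'not a bare identifier' message; that is harmless, but a one-line comment saying the regex is deliberately a superset of valid identifiers (padded names are allowed) would stop a later maintainer from tightening it and breaking callers. The enclosing `_.template` function starts and ends outside these hunks.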
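Review bot: The wrapper treats any non-zero exit of node as proof that the fix is present, and `2>/dev/null` discards the reason, so a missing `underscore` module, a syntax error in the PoC or an unsupported Node API all print 'Not vulnerable to CVE-2021-23358' and the regression test passes without testing anything. The patch throws a specific message (`variable is not a bare identifier`), so check for that, verify the side effect did not happen (no HELLO file), and remove any stale HELLO before the run so a leftover from an earlier vulnerable run cannot skew the result; stderr should go to `$AUTOPKGTEST_TMP` rather than the source tree. A rewrite along these lines:
```shell
#!/bin/sh
set -e
tmp="${AUTOPKGTEST_TMP:-/tmp}"
rm -f HELLO
if node debian/tests/CVE-2021-23358.js 2>"$tmp/stderr"; then
  rm -f HELLO
  echo 'Vulnerable to CVE-2021-23358' >&2
  exit 1
fi
# Any failure other than the fix's own rejection (missing module, broken PoC)
# is a test error, not evidence that the package is fixed.
if ! grep -q 'variable is not a bare identifier' "$tmp/stderr" || [ -e HELLO ]; then
  echo 'Test did not fail for the expected reason:' >&2
  cat "$tmp/stderr" >&2
  rm -f HELLO
  exit 1
fi
echo 'Not vulnerable to CVE-2021-23358'
```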
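Review bot: The payload reaches the shell through `this.process.mainModule.require`, and `process.mainModule` is deprecated in Node (DEP0138); on a Node where it is undefined the PoC throws a TypeError even against a vulnerable underscore, which the wrapper script then reports as "not vulnerable". Since the wrapper only needs the template compilation to succeed on a vulnerable build, a payload that does not depend on a deprecated global is enough, e.g. `_.templateSettings.variable = "a = this.process.stdout.write('injected code ran\\n')";`, with the last line reduced to `_.template("")();` since the `t` binding is never read. A header comment stating the expected outcome on both sides, `// Vulnerable: default-parameter code runs and the script exits 0. Fixed: _.template throws 'variable is not a bare identifier'.`, would make the exit-code contract with the shell wrapper explicit.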
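Review bot: Both stanzas carry `Restrictions: superficial`, which tells britney and triage that the test gives no meaningful coverage; that fits the `require('underscore')` smoke test, but the `CVE-2021-23358` stanza is a real regression test for the fix and loses its value as migration evidence if marked superficial. If the intent is for it to count, drop the restriction from the second stanza, leaving `Tests: CVE-2021-23358` and `Depends: @`. The changelog entry mentions marking "autopkgtest" as superficial in the singular, which suggests the second marking may be accidental rather than deliberate.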