Hi, here is the patch for Trixie (unstable fixed)
On 26/02/2026 at 22:39, Salvatore Bonaccorso wrote:
Source: node-proxy-agents
Version: 0~2025070717-6
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for node-proxy-agents.

CVE-2026-27699[0]:
| The `basic-ftp` FTP client library for Node.js contains a path
| traversal vulnerability (CWE-22) in versions prior to 5.2.0 in the
| `downloadToDir()` method. A malicious FTP server can send directory
| listings with filenames containing path traversal sequences (`../`)
| that cause files to be written outside the intended download
| directory. Version 5.2.0 patches the issue.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-27699
    https://www.cve.org/CVERecord?id=CVE-2026-27699
[1] https://github.com/patrickjuchli/basic-ftp/security/advisories/GHSA-5rq4-664w-9x2c
[2] https://github.com/patrickjuchli/basic-ftp/commit/2a2a0e6514357b9eda07c2f8afbd3f04727a7cd9

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
diff --git a/debian/changelog b/debian/changelog index 80e675c..cdf1cc2 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +node-proxy-agents (0~2024040606-6+deb13u1) trixie-security; urgency=medium + + * Team upload + * Fix basic-ftp traversal vulnerability (Closes: #1129093, CVE-2026-27699) + + -- Yadd <[email protected]> Fri, 27 Feb 2026 07:58:26 +0100 + node-proxy-agents (0~2024040606-6) unstable; urgency=medium * Team upload diff --git a/debian/patches/CVE-2026-27699.patch b/debian/patches/CVE-2026-27699.patch new file mode 100644 index 0000000..9b7d881 --- /dev/null +++ b/debian/patches/CVE-2026-27699.patch 
@@ -0,0 +1,32 @@ +From: Patrick Juchli <[email protected]> +Date: feb., 23 2026 09:01:12 +0100 +Subject: [PATCH] Skip invalid filenames +Origin: upstream, https://github.com/patrickjuchli/basic-ftp/commit/2a2a0e65 +Bug: https://github.com/patrickjuchli/basic-ftp/security/advisories/GHSA-5rq4-664w-9x2c +Bug-Debian: https://bugs.debian.org/1129093 +Forwarded: not-needed +Applied-Upstream: 5.2.0, commit:2a2a0e65 +Reviewed-By: Yadd <[email protected]> + +--- a/basic-ftp/src/Client.ts ++++ b/basic-ftp/src/Client.ts +@@ -1,5 +1,5 @@ + import { createReadStream, createWriteStream, mkdir, readdir, stat, open, close, unlink } from "fs" +-import { join } from "path" ++import { basename, join } from "path" + import { Readable, Writable } from "stream" + import { connect as connectTLS, ConnectionOptions as TLSConnectionOptions } from "tls" + import { promisify } from "util" +@@ -694,6 +694,12 @@ + protected async _downloadFromWorkingDir(localDirPath: string): Promise<void> { + await ensureLocalDirectory(localDirPath) + for (const file of await this.list()) { ++ const hasInvalidName = !file.name || basename(file.name) !== file.name ++ if (hasInvalidName) { ++ const safeName = JSON.stringify(file.name) ++ this.ftp.log(`Invalid filename from server listing, will skip file. (${safeName})`) ++ continue ++ } + const localPath = join(localDirPath, file.name) + if (file.isDirectory) { + await this.cd(file.name) diff --git a/debian/patches/series b/debian/patches/series index a1ce508..11cd8b5 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -3,3 +3,4 @@ use-quickjs-emscripten.patch tsc-workaround.patch 0004-Use-modern-lru-cache.patch 0005-get-uri-compilation.patch +CVE-2026-27699.patch
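Review bot: the `Date:` line in the DEP-3 header of debian/patches/CVE-2026-27699.patch (`Date: feb., 23 2026 09:01:12 +0100`) is a locale-formatted string rather than the RFC 2822 form that git and DEP-3 patch tooling expect; taking the author date verbatim from upstream commit 2a2a0e65 (as `git format-patch` emits it) keeps the header machine-parseable. The rest of the header (Origin, Bug, Bug-Debian, Applied-Upstream) is complete and matches the advisory and commit cited in the bug report.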
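Review bot: the new `hasInvalidName` check in `_downloadFromWorkingDir` still lets the names `.` and `..` through, because `basename("..") === ".."` and `basename(".") === "."`. Unless `list()` already drops those entries, `join(localDirPath, "..")` resolves to the parent of the download directory, and for an entry flagged `isDirectory` the branch that follows calls `this.cd(file.name)` with that name and continues the download there. Consider extending the condition to `const hasInvalidName = !file.name || file.name === "." || file.name === ".." || basename(file.name) !== file.name`. Note also that `basename` from `path` is platform-specific: on POSIX a backslash is not a separator, so a name such as `..\x` passes the check, which is harmless there because the filesystem treats it as an ordinary filename; on Windows `path.basename` splits on both separators, so that case is rejected.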
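To make the traversal described in the bug report concrete without a live FTP server, the following added example (not code from basic-ftp or from the Debian package) runs a constructed hostile listing through a basename-only filter like the one in the 5.2.0 fix, then through a stricter variant that also rejects `.` and `..`, and audits which accepted names would still resolve outside the download directory. The download directory `/tmp/dl`, the `ListingEntry` shape and the listing itself are assumptions made for the demonstration; nothing touches the network or the filesystem.

```typescript
// Added example, not code from basic-ftp or the Debian package. It shows
// which names from an untrusted FTP server listing a basename-only filter
// accepts, and what a stricter filter adds. The directory "/tmp/dl" and the
// listing below are constructed for the demonstration; nothing touches the
// network or the filesystem.
import { basename, join, resolve, sep } from "path"

// Minimal stand-in for a listing entry (basic-ftp's FileInfo has more fields).
interface ListingEntry {
    name: string
    isDirectory: boolean
}

// Constructed listing as a hostile server might send it.
const MALICIOUS_LISTING: ListingEntry[] = [
    { name: "report.pdf", isDirectory: false },
    { name: "../../.ssh/authorized_keys", isDirectory: false },
    { name: "sub/nested.txt", isDirectory: false },
    { name: "", isDirectory: false },
    { name: "..", isDirectory: true },
    { name: ".", isDirectory: true },
    { name: "images", isDirectory: true },
]

// Filter in the spirit of the 5.2.0 fix: the name must be non-empty and
// equal to its own basename, so it cannot contain a path separator.
function isSafeNameBasenameOnly(name: string): boolean {
    return name !== "" && basename(name) === name
}

// Stricter variant: also reject "." and "..", which pass the basename test
// (basename("..") === "..") yet do not name a child of the directory.
function isSafeName(name: string): boolean {
    return isSafeNameBasenameOnly(name) && name !== "." && name !== ".."
}

// True when join(dir, name) resolves to a path strictly below dir.
function isStrictlyInside(dir: string, name: string): boolean {
    const root = resolve(dir)
    const target = resolve(join(dir, name))
    return target !== root && target.startsWith(root + sep)
}

// Dry run of the download loop: split the listing by the given filter.
function planDownload(
    listing: ListingEntry[],
    filter: (name: string) => boolean,
): { accepted: string[]; skipped: string[] } {
    const accepted: string[] = []
    const skipped: string[] = []
    for (const entry of listing) {
        (filter(entry.name) ? accepted : skipped).push(entry.name)
    }
    return { accepted, skipped }
}

// Audit: which accepted names would still land outside (or on) dir?
function namesNotStrictlyInside(dir: string, names: string[]): string[] {
    return names.filter((n) => !isStrictlyInside(dir, n))
}

const DOWNLOAD_DIR = "/tmp/dl" // assumed, hypothetical target directory
const weak = planDownload(MALICIOUS_LISTING, isSafeNameBasenameOnly)
const strict = planDownload(MALICIOUS_LISTING, isSafeName)
console.log("basename-only accepts:", weak.accepted)
console.log("  of which not strictly inside:", namesNotStrictlyInside(DOWNLOAD_DIR, weak.accepted))
console.log("strict accepts:", strict.accepted)
```

Run it with `ts-node` or compile it with `tsc` and run the output with `node`. The basename-only filter correctly drops `../../.ssh/authorized_keys`, `sub/nested.txt` and the empty name, but keeps `..` and `.`; the audit reports exactly those two as not strictly inside the target directory, which is why the stricter filter checks them explicitly.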

