Package: release.debian.org
Severity: normal
Tags: stretch
User: [email protected]
Usertags: pu
Hi all,

node-growl in stretch is vulnerable to #900868 / CVE-2017-16042. I imported the upstream patch and embedded the small shell-escape module.

Cheers,
Xavier

-- System Information:
Debian Release: 10.0
  APT prefers testing
  APT policy: (600, 'testing'), (50, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.14.0-3-amd64 (SMP w/2 CPU cores)
Kernel taint flags: TAINT_WARN
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE= (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
diff --git a/debian/changelog b/debian/changelog
index 887691d..f98c7b0 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+node-growl (1.7.0-1+deb9u1) stretch; urgency=medium
+
+  * Sanitize input before passing it to exec. This embeds shell-escape little
+    module (Closes: #900868, CVE-2017-16042)
+
+ -- Xavier Guimard <[email protected]>  Fri, 07 Jun 2019 12:14:09 +0200
+
 node-growl (1.7.0-1) unstable; urgency=low
 
   * Initial release (closes: #704930).
diff --git a/debian/copyright b/debian/copyright
index cee6c0b..345297b 100644
--- a/debian/copyright
+++ b/debian/copyright
@@ -1,4 +1,4 @@
-Format: http://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
+Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
 Upstream-Name: node-growl
 Upstream-Contact: https://github.com/visionmedia/node-growl/issues
 Source: https://github.com/visionmedia/node-growl
@@ -6,7 +6,7 @@ Copyright: Copyright (C) 2009- TJ Holowaychuk <[email protected]>
 
 Files: *
 Copyright: Copyright (C) 2009- TJ Holowaychuk <[email protected]>
-License: MIT
+License: Expat
  Permission is hereby granted, free of charge, to any person
  obtaining a copy of this software and associated documentation
  files (the "Software"), to deal in the Software without
@@ -46,3 +46,31 @@ License: GPL-3+
  .
  On Debian systems, the complete text of the GNU General Public
  License can be found in the file `/usr/share/common-licenses/GPL-3'.
+
+Files: debian/node_modules/shell-escape/*
+Copyright: Martin PANEL <https://github.com/xxorax>
+License: Expat
+ Permission is hereby granted, free of charge, to any person
+ obtaining a copy of this software and associated documentation
+ files (the "Software"), to deal in the Software without
+ restriction, including without limitation the rights to use,
+ copy, modify, merge, publish, distribute, sublicense, and/or sell
+ copies of the Software, and to permit persons to whom the
+ Software is furnished to do so, subject to the following
+ conditions:
+ .
+ The above copyright notice and this permission notice shall be
+ included in all copies or substantial portions of the Software.
+ .
+ THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+ EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES
+ OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+ NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT
+ HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY,
+ WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
+ FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR
+ OTHER DEALINGS IN THE SOFTWARE.
+Comment: The upstream distribution does not contain an explicit statement of
+ copyright ownership. Pursuant to the Berne Convention for the Protection of
+ Literary and Artistic Works, it is assumed that all content is copyright by
+ its respective authors unless otherwise stated.
diff --git a/debian/install b/debian/install
index f58f353..d76cfab 100644
--- a/debian/install
+++ b/debian/install
@@ -1 +1,3 @@
-lib/* usr/lib/nodejs/
+package.json usr/lib/nodejs/growl
+lib usr/lib/nodejs/growl/
+debian/node_modules usr/lib/nodejs/growl/
diff --git a/debian/node_modules/shell-escape/package.json b/debian/node_modules/shell-escape/package.json new file mode 100644 index 0000000..78338bd --- /dev/null +++ b/debian/node_modules/shell-escape/package.json @@ -0,0 +1,52 @@ +{ + "_from": "shell-escape", + "_id": "[email protected]", + "_inBundle": false, + "_integrity": "sha1-aP0CXrBJC09WegJ/C/IkgLX4QTM=", + "_location": "/shell-escape", + "_phantomChildren": {}, + "_requested": { + "type": "tag", + "registry": true, + "raw": "shell-escape", + "name": "shell-escape", + "escapedName": "shell-escape", + "rawSpec": "", + "saveSpec": null, + "fetchSpec": "latest" + }, + "_requiredBy": [ + "#USER", + "/" + ], + "_resolved": "https://registry.npmjs.org/shell-escape/-/shell-escape-0.2.0.tgz", + "_shasum": "68fd025eb0490b4f567a027f0bf22480b5f84133", + "_spec": "shell-escape", + "_where": "/home/xavier/dev/debian/packages/node-growl", + "author": "", + "bugs": { + "url": "https://github.com/xxorax/node-shell-escape/issues" + }, + "bundleDependencies": false, + "dependencies": {}, + "deprecated": false, + "description": "Escape and stringify an array of arguments to be executed on the shell", + "homepage": "https://github.com/xxorax/node-shell-escape#readme", + "keywords": [ + "shell", + "escape", + "bash", + "escapeshellarg" + ], + "license": "MIT", + "main": "./shell-escape.js", + "name": "shell-escape", + "repository": { + "type": "git", + "url": "git://github.com/xxorax/node-shell-escape.git" + }, + "scripts": { + "test": "for f in test/*; do echo \"$f\"; node \"$f\" || exit 1; echo; done; echo Passed; exit 0" + }, + "version": "0.2.0" +} diff --git a/debian/node_modules/shell-escape/shell-escape.js b/debian/node_modules/shell-escape/shell-escape.js new file mode 100644 index 0000000..6d52ebd --- /dev/null +++ b/debian/node_modules/shell-escape/shell-escape.js 
@@ -0,0 +1,17 @@
+module.exports = shellescape;
+
+// return a shell compatible format
+function shellescape(a) {
+  var ret = [];
+
+  a.forEach(function(s) {
+    if (!/^[A-Za-z0-9_\/-]+$/.test(s)) {
+      s = "'"+s.replace(/'/g,"'\\''")+"'";
+      s = s.replace(/^(?:'')+/g, '') // unduplicate single-quote at the beginning
+        .replace(/\\'''/g, "\\'" ); // remove non-escaped single-quote if there are enclosed between 2 escaped
+    }
+    ret.push(s);
+  });
+
+  return ret.join(' ');
+}
diff --git a/debian/patches/CVE-2017-16042.patch b/debian/patches/CVE-2017-16042.patch
new file mode 100644
index 0000000..956b482
--- /dev/null
+++ b/debian/patches/CVE-2017-16042.patch
@@ -0,0 +1,97 @@
+Description: Fix for CVE-2017-16042
+ node-growl does not properly sanitize input before passing it to exec.
+Author: Zsolt Imre <https://github.com/keymandll>
+Origin: upstream, https://github.com/tj/node-growl/commit/d9f6ea2f
+Bug: https://github.com/tj/node-growl/issues/60
+Bug-Debian: https://bugs.debian.org/900868
+Forwarded: not-needed
+Reviewed-By: Xavier Guimard <[email protected]>
+Last-Update: 2019-06-07
+
+--- a/lib/growl.js
++++ b/lib/growl.js
+@@ -9,7 +9,7 @@
+   , path = require('path')
+   , exists = fs.existsSync || path.existsSync
+   , os = require('os')
+-  , quote = JSON.stringify
++  , shellescape = require('shell-escape')
+   , cmd;
+ 
+ function which(name) {
+@@ -169,7 +169,7 @@
+         if (!options.sticky) args.push('--hint=int:transient:1');
+         break;
+       case 'Windows':
+-        args.push(cmd.icon + quote(image));
++        args.push(cmd.icon + image);
+         break;
+     }
+   }
+@@ -194,41 +194,41 @@
+   switch(cmd.type) {
+     case 'Darwin-Growl':
+       args.push(cmd.msg);
+-      args.push(quote(msg));
+-      if (options.title) args.push(quote(options.title));
++      args.push(msg);
++      if (options.title) args.push(options.title);
+       break;
+     case 'Darwin-NotificationCenter':
+       args.push(cmd.msg);
+-      args.push(quote(msg));
++      args.push(msg);
+       if (options.title) {
+         args.push(cmd.title);
+-        args.push(quote(options.title));
++        args.push(options.title);
+       }
+       if (options.subtitle) {
+         args.push(cmd.subtitle);
+-        args.push(quote(options.title));
++        args.push(options.title);
+       }
+       break;
+     case 'Darwin-Growl':
+       args.push(cmd.msg);
+-      args.push(quote(msg));
+-      if (options.title) args.push(quote(options.title));
++      args.push(msg);
++      if (options.title) args.push(options.title);
+       break;
+     case 'Linux':
+       if (options.title) {
+-        args.push(quote(options.title));
++        args.push(options.title);
+         args.push(cmd.msg);
+-        args.push(quote(msg));
++        args.push(msg);
+       } else {
+-        args.push(quote(msg));
++        args.push(msg);
+       }
+       break;
+     case 'Windows':
+-      args.push(quote(msg));
+-      if (options.title) args.push(cmd.title + quote(options.title));
++      args.push(msg);
++      if (options.title) args.push(cmd.title + options.title);
+       break;
+   }
+ 
+   // execute
+-  exec(args.join(' '), fn);
++  exec(shellescape(args), fn);
+ };
+--- a/package.json
++++ b/package.json
+@@ -3,5 +3,8 @@
+   "version": "1.7.0",
+   "description": "Growl unobtrusive notifications",
+   "author": "TJ Holowaychuk <[email protected]>",
+-  "main": "./lib/growl.js"
++  "main": "./lib/growl.js",
++  "dependencies": {
++    "shell-escape": "^0.2.0"
++  }
+ }
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 0000000..88b770c
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1 @@
+CVE-2017-16042.patch
diff --git a/debian/rules b/debian/rules
index efbb973..4610eca 100755
--- a/debian/rules
+++ b/debian/rules
@@ -5,7 +5,7 @@
 #export DH_VERBOSE=1
 
 override_dh_auto_test:
-	nodejs $(CURDIR)/test.js
+	NODE_PATH=debian/node_modules nodejs $(CURDIR)/test.js
 
 %:
 	dh $@
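Review bot: The 'Windows' branch of the switch still hands a single joined command line to exec(), but the quoting shell-escape applies is POSIX-sh style (unsafe arguments are wrapped in single quotes), which cmd.exe does not treat as quoting, so on that branch the new `exec(shellescape(args), fn)` line does not neutralize shell metacharacters in msg or options.title; this cannot affect the Debian build, where only the 'Linux' branch can run, but it is worth recording in the patch header. A shell-independent fix is to avoid the shell altogether and pass the argv array to execFile, e.g. `execFile(args[0], args.slice(1), fn)`, assuming args begins with the executable as the former `args.join(' ')` form suggests but which the hunk does not show. The enclosing function and the initialisation of args start outside the hunk.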

