Your message dated Sat, 26 Sep 2020 11:36:30 +0100
with message-id
<d50ba4de424290cd2840a09ef19950156fcf51ab.ca...@adam-barratt.org.uk>
and subject line Closing bugs for fixes included in 10.6 point release
has caused the Debian Bug report #969706,
regarding buster-pu: package grunt/1.0.1-8+deb10u1
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
969706: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=969706
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: buster
User: [email protected]
Usertags: pu
[ Reason ]
grunt is vulnerable to a medium CVE (CVE-2020-7729, #969668)
[ Impact ]
The package grunt before 1.3.0 are vulnerable to Arbitrary Code
Execution due to the default usage of the function load() instead of
its secure replacement safeLoad() of the package js-yaml inside
grunt.file.readYAML.
[ Tests ]
Patch contains new upstream test. autopkgtest is OK
[ Risks ]
Low risk: the patch just adds some checks
[ Checklist ]
[X] *all* changes are documented in the d/changelog
[X] I reviewed all changes and I approve them
[X] attach debdiff against the package in (old)stable
[X] the issue is verified as fixed in unstable
[ Changes ]
Upstream patch is imported without changes. It adds some checks during
YAML file read and a little test.
[ Other info ]
Thanks for your work!
diff --git a/debian/changelog b/debian/changelog
index eaf56cc..f15438c 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+grunt (1.0.1-8+deb10u1) buster; urgency=medium
+
+ * Team upload
+ * Use `safeLoad` for loading YML files via `file.readYAML`
+ (Closes: #969668, CVE-2020-7729)
+
+ -- Xavier Guimard <[email protected]> Sun, 06 Sep 2020 23:41:10 +0200
+
grunt (1.0.1-8) unstable; urgency=medium
[ Harish K ]
diff --git a/debian/patches/CVE-2020-7729.patch
b/debian/patches/CVE-2020-7729.patch
new file mode 100644
index 0000000..64bed12
--- /dev/null
+++ b/debian/patches/CVE-2020-7729.patch
@@ -0,0 +1,53 @@
+Description: Switch to use `safeLoad` for loading YML files via
`file.readYAML`.
+Author: Vlad Filippov <[email protected]>
+Origin: upstream, https://github.com/gruntjs/grunt/commit/e350cea1
+Bug: https://snyk.io/vuln/SNYK-JS-GRUNT-597546
+Bug-Debian: https://bugs.debian.org/969668
+Forwarded: not-needed
+Reviewed-By: Xavier Guimard <[email protected]>
+Last-Update: 2020-09-06
+
+--- a/lib/grunt/file.js
++++ b/lib/grunt/file.js
+@@ -252,12 +252,21 @@
+ };
+
+ // Read a YAML file, parse its contents, return an object.
+-file.readYAML = function(filepath, options) {
++file.readYAML = function(filepath, options, yamlOptions) {
++ if (!options) { options = {}; }
++ if (!yamlOptions) { yamlOptions = {}; }
++
+ var src = file.read(filepath, options);
+ var result;
+ grunt.verbose.write('Parsing ' + filepath + '...');
+ try {
+- result = YAML.load(src);
++ // use the recommended way of reading YAML files
++ // https://github.com/nodeca/js-yaml#safeload-string---options-
++ if (yamlOptions.unsafeLoad) {
++ result = YAML.load(src);
++ } else {
++ result = YAML.safeLoad(src);
++ }
+ grunt.verbose.ok();
+ return result;
+ } catch (e) {
+--- a/test/grunt/file_test.js
++++ b/test/grunt/file_test.js
+@@ -452,10 +452,13 @@
+ test.done();
+ },
+ 'readYAML': function(test) {
+- test.expect(3);
++ test.expect(4);
+ var obj;
+ obj = grunt.file.readYAML('test/fixtures/utf8.yaml');
+- test.deepEqual(obj, this.object, 'file should be read as utf8 by default
and parsed correctly.');
++ test.deepEqual(obj, this.object, 'file should be safely read as utf8 by
default and parsed correctly.');
++
++ obj = grunt.file.readYAML('test/fixtures/utf8.yaml', null, {unsafeLoad:
true});
++ test.deepEqual(obj, this.object, 'file should be unsafely read as utf8 by
default and parsed correctly.');
+
+ obj = grunt.file.readYAML('test/fixtures/iso-8859-1.yaml', {encoding:
'iso-8859-1'});
+ test.deepEqual(obj, this.object, 'file should be read using the specified
encoding.');
diff --git a/debian/patches/series b/debian/patches/series
index fcd76bd..a874060 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,3 +1,4 @@
add-root-variable.patch
reproducible-build.patch
adapt-gruntfile.patch
+CVE-2020-7729.patch
--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 10.6
Hi,
Each of these bugs relates to an update that was included in today's
stable point release.
Regards,
Adam
--- End Message ---
