Control: tags -1 moreinfo

On 2021-03-30 22:49:43, Yadd wrote:
> Package: release.debian.org
> Severity: normal
> User: [email protected]
> Usertags: unblock
> X-Debbugs-Cc: [email protected]
>
> Please unblock package underscore
>
> [ Reason ]
> underscore is vulnerable to arbitrary code execution (#986171,
> CVE-2021-23358)
>
> [ Impact ]
> CVE provided a PoC to prove arbitrary code execution
>
> [ Tests ]
> I added a test to prove that the bug is fixed (based on the PoC). Test fails
> with 1.9.1~dfsg-1 and passes with 1.9.1~dfsg-2
>
> [ Risks ]
> Patch is trivial. Note: I also imported the Janitor changes: this breaks
> nothing
The patch looks fine, but please upload a version without the janitor changes. It's too late for those changes and they can wait for bookworm.

Cheers

>
> [ Checklist ]
> [X] all changes are documented in the d/changelog
> [X] I reviewed all changes and I approve them
> [X] attach debdiff against the package in testing
>
> [ Other ]
> I downgrade autopkgtest to "superficial" since nothing was really tested
> (just a node "require"). That's why I'm filing this ;-)
>
> Regards,
> Yadd
>
> unblock underscore/1.9.1~dfsg-2
> diff --git a/debian/changelog b/debian/changelog > index 02cd807..fed9aa8 100644 > --- a/debian/changelog > +++ b/debian/changelog > @@ -1,3 +1,26 @@ > +underscore (1.9.1~dfsg-2) unstable; urgency=medium > + > + * Team upload > + > + [ Debian Janitor ] > + * Bump debhelper dependency to >= 9, since that's what is used in > + debian/compat. > + * Bump debhelper from old 9 to 12. > + * Set debhelper-compat version in Build-Depends. > + * Set upstream metadata fields: Bug-Database, Repository, Repository- > + Browse. > + * Update standards version to 4.4.1, no changes needed. > + * Set upstream metadata fields: Bug-Submit. > + * Update standards version to 4.5.0, no changes needed. > + * Apply multi-arch hints. > + + node-underscore: Add Multi-Arch: foreign. > + > + [ Yadd ] > + * Mark autopkgtest as superficial > + * Fix arbitrary code execution and add a test (Closes: #986171) > + > + -- Yadd <[email protected]> Tue, 30 Mar 2021 22:40:59 +0200 > + > underscore (1.9.1~dfsg-1) unstable; urgency=medium > > [ upstream ] > diff --git a/debian/compat b/debian/compat > deleted file mode 100644 > index ec63514..0000000 > --- a/debian/compat > +++ /dev/null > @@ -1 +0,0 @@ > -9 > diff --git a/debian/control b/debian/control > index cb1e7e9..fc1d26b 100644 > --- a/debian/control > +++ b/debian/control
> @@ -7,11 +7,11 @@ Uploaders: > David Paleino <[email protected]>, > Build-Depends: > brotli, > - debhelper, > + debhelper-compat (= 12), > node-source-map, > pigz, > uglifyjs (>= 3), > -Standards-Version: 4.3.0 > +Standards-Version: 4.5.0 > Homepage: https://underscorejs.org/ > Vcs-Browser: https://salsa.debian.org/js-team/underscore > Vcs-Git: https://salsa.debian.org/js-team/underscore.git > @@ -44,6 +44,7 @@ Depends: > libjs-underscore, > nodejs, > ${misc:Depends}, > +Multi-Arch: foreign > Description: JavaScript's functional programming helper library - NodeJS > Underscore is a utility-belt library for JavaScript that provides a lot > of the functional programming support that you would expect in > diff --git a/debian/patches/CVE-2021-23358.patch > b/debian/patches/CVE-2021-23358.patch > new file mode 100644 > index 0000000..2ba4118 > --- /dev/null > +++ b/debian/patches/CVE-2021-23358.patch 
> @@ -0,0 +1,62 @@ > +Description: fix arbitrary code execution > +Author: Julian Gonggrijp <[email protected]> > +Origin: upstream, https://github.com/jashkenas/underscore/commit/4c73526d > +Bug: https://snyk.io/vuln/SNYK-JS-UNDERSCORE-1080984 > +Bug-Debian: https://bugs.debian.org/986171 > +Forwarded: not-needed > +Reviewed-By: Xavier Guimard <[email protected]> > +Last-Update: 2021-03-30 > + > +--- a/underscore.js > ++++ b/underscore.js > +@@ -1550,6 +1550,13 @@ > + return '\\' + escapes[match]; > + }; > + > ++ // In order to prevent third-party code injection through > ++ // `_.templateSettings.variable`, we test it against the following regular > ++ // expression. It is intentionally a bit more liberal than just matching > valid > ++ // identifiers, but still prevents possible loopholes through defaults or > ++ // destructuring assignment. > ++ var bareIdentifier = /^\s*(\w|\$)+\s*$/; > ++ > + // JavaScript micro-templating, similar to John Resig's implementation. > + // Underscore templating handles arbitrary delimiters, preserves > whitespace, > + // and correctly escapes quotes within interpolated code. > +@@ -1585,8 +1592,17 @@ > + }); > + source += "';\n"; > + > +- // If a variable is not specified, place data values in local scope. > +- if (!settings.variable) source = 'with(obj||{}){\n' + source + '}\n'; > ++ var argument = settings.variable; > ++ if (argument) { > ++ // Insure against third-party code injection. > ++ if (!bareIdentifier.test(argument)) throw new Error( > ++ 'variable is not a bare identifier: ' + argument > ++ ); > ++ } else { > ++ // If a variable is not specified, place data values in local scope. 
> ++ source = 'with(obj||{}){\n' + source + '}\n'; > ++ argument = 'obj'; > ++ } > + > + source = "var __t,__p='',__j=Array.prototype.join," + > + "print=function(){__p+=__j.call(arguments,'');};\n" + > +@@ -1594,7 +1610,7 @@ > + > + var render; > + try { > +- render = new Function(settings.variable || 'obj', '_', source); > ++ render = new Function(argument, '_', source); > + } catch (e) { > + e.source = source; > + throw e; > +@@ -1605,7 +1621,6 @@ > + }; > + > + // Provide the compiled source as a convenience for precompilation. > +- var argument = settings.variable || 'obj'; > + template.source = 'function(' + argument + '){\n' + source + '}'; > + > + return template; > diff --git a/debian/patches/series b/debian/patches/series > index da362d2..7ddac86 100644 > --- a/debian/patches/series > +++ b/debian/patches/series > @@ -1 +1,2 @@ > 2001_docs_privacy.patch > +CVE-2021-23358.patch > diff --git a/debian/tests/CVE-2021-23358 b/debian/tests/CVE-2021-23358 > new file mode 100755 > index 0000000..a2ae590 > --- /dev/null > +++ b/debian/tests/CVE-2021-23358 > @@ -0,0 +1,11 @@ > +#!/bin/sh > + > +if node debian/tests/CVE-2021-23358.js 2>/dev/null; then > + rm -f HELLO > + echo 'Vulnerable to CVE-2021-23358' >&2 > + exit 1 > +else > + echo > + echo 'Not vulnerable to CVE-2021-23358' > + exit 0 > +fi > diff --git a/debian/tests/CVE-2021-23358.js b/debian/tests/CVE-2021-23358.js > new file mode 100644 > index 0000000..fad7c77 > --- /dev/null > +++ b/debian/tests/CVE-2021-23358.js > @@ -0,0 +1,3 @@ > +const _ = require('underscore'); > +_.templateSettings.variable = "a = > this.process.mainModule.require('child_process').execSync('touch HELLO')"; > +const t = _.template("")(); > diff --git a/debian/tests/control b/debian/tests/control > index 7275831..868aa31 100644 > --- a/debian/tests/control > +++ b/debian/tests/control 
> @@ -1 +1,7 @@ > Test-Command: node -e "require('underscore');" > +Depends: @ > +Restrictions: superficial > + > +Tests: CVE-2021-23358 > +Depends: @ > +Restrictions: superficial > diff --git a/debian/upstream/metadata b/debian/upstream/metadata > new file mode 100644 > index 0000000..ae91ed7 > --- /dev/null > +++ b/debian/upstream/metadata > @@ -0,0 +1,4 @@ > +Bug-Database: https://github.com/jashkenas/underscore/issues > +Repository: https://github.com/jashkenas/underscore.git > +Repository-Browse: https://github.com/jashkenas/underscore > +Bug-Submit: https://github.com/jashkenas/underscore/issues/new -- Sebastian Ramacher
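Review bot: the debian/changelog hunk for 1.9.1~dfsg-2 bundles the Debian Janitor packaging changes (debhelper 9 to 12, two Standards-Version bumps, the Multi-Arch hint, the new upstream metadata file) with the CVE-2021-23358 fix; for a freeze unblock the entry should list only the security fix, the new test and the superficial marking, so the `[ Debian Janitor ]` block and the matching debian/compat, debian/control and debian/upstream/metadata hunks should be dropped from the upload, as already requested above.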
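Review bot: the debian/control hunk at `@@ -7,11 +7,11 @@` replaces `debhelper` with `debhelper-compat (= 12)` and, together with the deletion of debian/compat, raises the compat level from 9 to 12; a compat bump changes the behaviour of several dh_* helpers at build time and is not a no-op, so it should be reverted to the `debhelper` Build-Depends with compat 9 for this targeted fix and left for bookworm.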
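Review bot: in the debian/patches/CVE-2021-23358.patch hunk two lines of the embedded upstream diff are broken across mail lines without a `+` or space prefix on the continuation (`... more liberal than just matching` / `valid` and `... preserves` / `whitespace,`), which looks like wrapping by the mail client rather than the actual patch content; since a wrapped hunk would not apply, please confirm that the patch in the uploaded source is the unwrapped upstream commit 4c73526d and applies cleanly (for example after `dpkg-source -x` with `quilt push -a`), and attach the debdiff as a file rather than pasting it inline.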
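Review bot: the debian/tests/CVE-2021-23358 script treats any non-zero exit of `node debian/tests/CVE-2021-23358.js` as "not vulnerable", so an unrelated failure (a missing `underscore` module, a syntax error, an unsupported Node.js API) makes the test pass silently, and `2>/dev/null` hides the reason in the autopkgtest log; check the observable outcome instead, for example `[ ! -e HELLO ]` after the run, and let stderr through. The script also writes `HELLO` into the current directory and only removes it on the vulnerable branch, so it should `cd "$AUTOPKGTEST_TMP"` first (adjusting the path to the .js file accordingly) and clean up on both branches.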
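Review bot: in debian/tests/CVE-2021-23358.js the result of `_.template("")()` is assigned to `t` but never used, and the pass/fail signal is an uncaught exception of any kind; wrapping the call in try/catch, checking that the thrown message is the patch's `variable is not a bare identifier` error and calling `process.exit` with an explicit status would let the test distinguish the fix from an unrelated crash, and the unused binding can go.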
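Review bot: the debian/tests/control hunk marks the new `Tests: CVE-2021-23358` stanza `Restrictions: superficial` as well, but that test exercises `_.template` with a crafted `templateSettings.variable` and fails on 1.9.1~dfsg-1, so it provides real coverage; `superficial` fits the `node -e "require('underscore');"` smoke test only and should be removed from the CVE stanza so the test suite is not counted as superficial-only.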

