On 12/04/2022 07:42, Salvatore Bonaccorso wrote:
Hi,

On Tue, Apr 12, 2022 at 06:39:35AM +0200, Yadd wrote:
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian....@packages.debian.org
Usertags: pu

[ Reason ]
node-moment is vulnerable to path traversal (#1009327, CVE-2022-24785)

[ Impact ]
Medium vulnerability

[ Tests ]
No changes in test

[ Risks ]
Low risk, patch is trivial

[ Checklist ]
   [X] *all* changes are documented in the d/changelog
   [X] I reviewed all changes and I approve them
   [X] attach debdiff against the package in (old)stable
   [X] the issue is verified as fixed in unstable

[ Changes ]
Just a new check to prevent names that look like filesystem paths

It looks like the debdiff was missing from the mail.

Regards,
Salvatore

Sorry, here it is.

Cheers,
Yadd
diff --git a/debian/changelog b/debian/changelog
index c94c6c1c..d0566a3b 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+node-moment (2.29.1+ds-2+deb11u1) bullseye; urgency=medium
+
+  * Avoid loading path-looking locales from fs (Closes: #1009327,
+    CVE-2022-24785)
+
+ -- Yadd <y...@debian.org>  Tue, 12 Apr 2022 06:35:01 +0200
+
 node-moment (2.29.1+ds-2) unstable; urgency=medium
 
   * Install TypeScript typings more correctly.
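Review bot: The new changelog stanza does not say how the fix is delivered. The same debdiff adds debian/patches/CVE-2022-24785.patch and creates debian/patches/series as a new file, so the entry could name the patch file. That would show a reader of d/changelog that the change is a backported upstream patch and that it is the first entry in the patch series.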
diff --git a/debian/patches/CVE-2022-24785.patch 
b/debian/patches/CVE-2022-24785.patch
new file mode 100644
index 00000000..84247f69
--- /dev/null
+++ b/debian/patches/CVE-2022-24785.patch
@@ -0,0 +1,33 @@
+Description: Avoid loading path-looking locales from fs
+Author: Iskren Chernev <m...@iskren.info>
+Origin: upstream, https://github.com/moment/moment/commit/4211bfc8
+Bug: https://github.com/moment/moment/security/advisories/GHSA-8hfj-j24r-96c4
+Bug-Debian: https://bugs.debian.org/1009327
+Forwarded: not-needed
+Reviewed-By: Yadd <y...@debian.org>
+Last-Update: 2022-04-12
+
+--- a/src/lib/locale/locales.js
++++ b/src/lib/locale/locales.js
+@@ -62,6 +62,11 @@
+     return globalLocale;
+ }
+ 
++function isLocaleNameSane(name) {
++    // Prevent names that look like filesystem paths, i.e contain '/' or '\'
++    return name.match('^[^/\\\\]*$') != null;
++}
++
+ function loadLocale(name) {
+     var oldLocale = null,
+         aliasedRequire;
+@@ -70,7 +75,8 @@
+         locales[name] === undefined &&
+         typeof module !== 'undefined' &&
+         module &&
+-        module.exports
++        module.exports &&
++        isLocaleNameSane(name)
+     ) {
+         try {
+             oldLocale = globalLocale._abbr;
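Review bot: In the added isLocaleNameSane(), name.match(...) is called without checking that name is a string, and the visible condition in loadLocale() only tests locales[name] === undefined and the module checks before reaching it. An undefined or non-string name would therefore throw a TypeError inside the condition, before the try block that follows, instead of simply failing the check. Consider guarding with typeof name === 'string' before the match, or confirm that every caller of loadLocale() passes a string. A regex literal such as /^[^\/\\]*$/ would also be easier to read than the doubly escaped string pattern, and since the request says "No changes in test", a small regression test with a name containing '/' or '\' would document the intended behaviour.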
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 00000000..b59ca1ed
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1 @@
+CVE-2022-24785.patch
