On 12/04/2022 07:42, Salvatore Bonaccorso wrote:
Hi,
On Tue, Apr 12, 2022 at 06:39:35AM +0200, Yadd wrote:
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian....@packages.debian.org
Usertags: pu
[ Reason ]
node-moment is vulnerable to path traversal (#1009327, CVE-2022-24785)
[ Impact ]
Medium vulnerability
[ Tests ]
No changes in test
[ Risks ]
Low risk, patch is trivial
[ Checklist ]
[X] *all* changes are documented in the d/changelog
[X] I reviewed all changes and I approve them
[X] attach debdiff against the package in (old)stable
[X] the issue is verified as fixed in unstable
[ Changes ]
Just a new check to prevent names that look like filesystem paths
Looks that the debdiff was missing to the mail.
Regards,
Salvatore
Sorry, here it is.
Cheers,
Yadd
diff --git a/debian/changelog b/debian/changelog
index c94c6c1c..d0566a3b 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+node-moment (2.29.1+ds-2+deb11u1) bullseye; urgency=medium
+
+ * Avoid loading path-looking locales from fs (Closes: #1009327,
+ CVE-2022-24785)
+
+ -- Yadd <y...@debian.org> Tue, 12 Apr 2022 06:35:01 +0200
+
node-moment (2.29.1+ds-2) unstable; urgency=medium
* Install TypeScript typings more correctly.
diff --git a/debian/patches/CVE-2022-24785.patch
b/debian/patches/CVE-2022-24785.patch
new file mode 100644
index 00000000..84247f69
--- /dev/null
+++ b/debian/patches/CVE-2022-24785.patch
@@ -0,0 +1,33 @@
+Description: Avoid loading path-looking locales from fs
+Author: Iskren Chernev <m...@iskren.info>
+Origin: upstream, https://github.com/moment/moment/commit/4211bfc8
+Bug: https://github.com/moment/moment/security/advisories/GHSA-8hfj-j24r-96c4
+Bug-Debian: https://bugs.debian.org/1009327
+Forwarded: not-needed
+Reviewed-By: Yadd <y...@debian.org>
+Last-Update: 2022-04-12
+
+--- a/src/lib/locale/locales.js
++++ b/src/lib/locale/locales.js
+@@ -62,6 +62,11 @@
+ return globalLocale;
+ }
+
++function isLocaleNameSane(name) {
++ // Prevent names that look like filesystem paths, i.e contain '/' or '\'
++ return name.match('^[^/\\\\]*$') != null;
++}
++
+ function loadLocale(name) {
+ var oldLocale = null,
+ aliasedRequire;
+@@ -70,7 +75,8 @@
+ locales[name] === undefined &&
+ typeof module !== 'undefined' &&
+ module &&
+- module.exports
++ module.exports &&
++ isLocaleNameSane(name)
+ ) {
+ try {
+ oldLocale = globalLocale._abbr;
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 00000000..b59ca1ed
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1 @@
+CVE-2022-24785.patch