Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: node-webp...@packages.debian.org
Control: affects -1 + src:node-webpack
[ Reason ]
node-webpack is vulnerable to cross-realm object access
(#1032904, CVE-2023-28154).
[ Impact ]
Medium security issue
[ Tests ]
Test updated, passed
[ Risks ]
Low risk, patch is trivial
[ Checklist ]
[X] all changes are documented in the d/changelog
[X] I reviewed all changes and I approve them
[X] attach debdiff against the package in (old)stable
[X] the issue is verified as fixed in unstable
Regards,
Yadd
diff --git a/debian/changelog b/debian/changelog
index 0053d7ee..a07dd9d4 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+node-webpack (5.75.0+dfsg+~cs17.16.14-1+deb12u1) bookworm; urgency=medium
+
+ * Team upload
+ * Avoid cross-realm objects (Closes: #1032904, CVE-2023-28154)
+
+ -- Yadd Mon, 29 May 2023 07:53:16 +0400
+
node-webpack (5.75.0+dfsg+~cs17.16.14-1) unstable; urgency=medium
* Team upload
diff --git a/debian/patches/CVE-2023-28154.patch
b/debian/patches/CVE-2023-28154.patch
new file mode 100644
index ..2f651167
--- /dev/null
+++ b/debian/patches/CVE-2023-28154.patch
@@ -0,0 +1,80 @@
+Description: avoid cross-realm objects
+Author: Jack Works
+Origin: upstream, https://github.com/webpack/webpack/commit/4b4ca3bb
+Bug: https://www.cve.org/CVERecord?id=CVE-2023-28154
+Bug-Debian: https://bugs.debian.org/1032904
+Forwarded: not-needed
+Applied-Upstream: 5.76.1, commit:4b4ca3bb
+Reviewed-By: Yadd
+Last-Update: 2023-05-29
+
+--- a/lib/dependencies/ImportParserPlugin.js
b/lib/dependencies/ImportParserPlugin.js
+@@ -137,7 +137,7 @@
+ if (importOptions.webpackInclude !== undefined)
{
+ if (
+ !importOptions.webpackInclude ||
+-
importOptions.webpackInclude.constructor.name !== "RegExp"
++ !(importOptions.webpackInclude
instanceof RegExp)
+ ) {
+ parser.state.module.addWarning(
+ new
UnsupportedFeatureWarning(
+@@ -146,13 +146,13 @@
+ )
+ );
+ } else {
+- include = new
RegExp(importOptions.webpackInclude);
++ include =
importOptions.webpackInclude;
+ }
+ }
+ if (importOptions.webpackExclude !== undefined)
{
+ if (
+ !importOptions.webpackExclude ||
+-
importOptions.webpackExclude.constructor.name !== "RegExp"
++ !(importOptions.webpackExclude
instanceof RegExp)
+ ) {
+ parser.state.module.addWarning(
+ new
UnsupportedFeatureWarning(
+@@ -161,7 +161,7 @@
+ )
+ );
+ } else {
+- exclude = new
RegExp(importOptions.webpackExclude);
++ exclude =
importOptions.webpackExclude;
+ }
+ }
+ if (importOptions.webpackExports !== undefined)
{
+--- a/lib/javascript/JavascriptParser.js
b/lib/javascript/JavascriptParser.js
+@@ -3635,17 +3635,27 @@
+ return EMPTY_COMMENT_OPTIONS;
+ }
+ let options = {};
++ /** @type {unknown[]} */
+ let errors = [];
+ for (const comment of comments) {
+ const { value } = comment;
+ if (value && webpackCommentRegExp.test(value)) {
+ // try compile only if webpack options comment
is present
+ try {
+- const val =
vm.runInNewContext(`(function(){return {${value}};})()`);
+- Object.assign(options, val);
++ for (let [key, val] of Object.entries(
++
vm.runInNewContext(`(function(){return {${value}};})()`)
++ )) {
++