Bug#947758: buster-pu: package node-handlebars/3:4.1.0-1+deb10u1
Control: tags -1 -pending +confirmed

On Mon, 2020-05-04 at 22:02 +0200, Xavier wrote:
> On 04/05/2020 at 18:53, Mattia Rizzolo wrote:
> > Hi,
> >
> > let me reply before adsb has a chance ;)
> >
> > On Mon, May 04, 2020 at 02:24:20PM +0200, Xavier wrote:
> > > Finally I found a way to fix the CVE and keep autopkgtest OK
> > > (node-markdown-it-html5-embed). Here is a debdiff for a future
> > > point release
> >
> > This is good, however,
> >
> > > diff --git a/debian/changelog b/debian/changelog > > > index b985661..64df8db 100644 > > > --- a/debian/changelog > > > +++ b/debian/changelog > > > @@ -1,3 +1,11 @@ > > > +node-handlebars (3:4.1.0-1+deb10u1) buster; urgency=medium > > > + > > > + * Team upload > > > + * Disallow calling "helperMissing" and "blockHelperMissing" > > > directly > > > +(Closes: CVE-2019-19919) > > > + > > > + -- Xavier Guimard Mon, 04 May 2020 14:21:11 > > > +0200
> >
> > By now 3:4.1.0-1+deb10u1 is already accepted in p-u, built and all,
> > and it can't really be removed from there and replaced by a
> > same-versioned package.
> >
> > Please prepare a +deb10u2 version, and post here a debdiff against
> > the already uploaded +deb10u1 one.
>
> Is it good so?

Sorry for the delay. Please feel free to go ahead.

Regards,

Adam
Bug#947758: buster-pu: package node-handlebars/3:4.1.0-1+deb10u1
On 04/05/2020 at 18:53, Mattia Rizzolo wrote:
> Hi,
>
> let me reply before adsb has a chance ;)
>
> On Mon, May 04, 2020 at 02:24:20PM +0200, Xavier wrote:
>> Finally I found a way to fix the CVE and keep autopkgtest OK
>> (node-markdown-it-html5-embed). Here is a debdiff for a future point release
>
> This is good, however,
>
>> diff --git a/debian/changelog b/debian/changelog >> index b985661..64df8db 100644 >> --- a/debian/changelog >> +++ b/debian/changelog >> @@ -1,3 +1,11 @@ >> +node-handlebars (3:4.1.0-1+deb10u1) buster; urgency=medium >> + >> + * Team upload >> + * Disallow calling "helperMissing" and "blockHelperMissing" directly >> +(Closes: CVE-2019-19919) >> + >> + -- Xavier Guimard Mon, 04 May 2020 14:21:11 +0200
>
> By now 3:4.1.0-1+deb10u1 is already accepted in p-u, built and all, and
> it can't really be removed from there and replaced by a same-versioned
> package.
>
> Please prepare a +deb10u2 version, and post here a debdiff against the
> already uploaded +deb10u1 one.

Is it good so?

diff --git a/debian/changelog b/debian/changelog index 95811b9..e49c409 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +node-handlebars (3:4.1.0-1+deb10u2) buster; urgency=medium + + * Fix regression introduced in 3:4.1.0-1+deb10u1 + + -- Xavier Guimard Mon, 04 May 2020 22:01:16 +0200 + node-handlebars (3:4.1.0-1+deb10u1) buster; urgency=medium * Team upload diff --git a/debian/patches/CVE-2019-19919.patch b/debian/patches/CVE-2019-19919.patch index f63f106..d34e77a 100644 --- a/debian/patches/CVE-2019-19919.patch +++ b/debian/patches/CVE-2019-19919.patch
@@ -75,6 +75,21 @@ Last-Update: 2019-12-30 ); } +--- a/lib/handlebars/helpers.js b/lib/handlebars/helpers.js +@@ -15,3 +15,12 @@ + registerLookup(instance); + registerWith(instance); + } ++ ++export function moveHelperToHooks(instance, helperName, keepHelper) { ++ if (instance.helpers[helperName]) { ++instance.hooks[helperName] = instance.helpers[helperName]; ++if (!keepHelper) { ++ delete instance.helpers[helperName]; ++} ++ } ++} --- a/lib/handlebars/runtime.js +++ b/lib/handlebars/runtime.js @@ -1,6 +1,7 @@
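Review bot: the +deb10u2 changelog entry "Fix regression introduced in 3:4.1.0-1+deb10u1" does not say what the regression was or how it is fixed, which a stable update entry should; something like "Export moveHelperToHooks from lib/handlebars/helpers.js, which runtime.js imports; fixes the node-markdown-it-html5-embed autopkgtest regression" would let the release team and users see the scope at a glance. The +deb10u1 entry carries "* Team upload" and this one does not; if the uploader is still not listed in Uploaders, keep the marker for consistency.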
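Review bot: the body of debian/patches/CVE-2019-19919.patch changes here, but the DEP-3 header's "Last-Update: 2019-12-30" (visible as the hunk's context) is left untouched; bump it to the date of this revision so the header tracks the patch. Also, moveHelperToHooks writes into instance.hooks[helperName] without checking that instance.hooks exists, and none of the visible hunks shows where the hooks object is created on the container; confirm it is initialised before moveHelperToHooks runs, otherwise the call would throw on the first use.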
Bug#947758: buster-pu: package node-handlebars/3:4.1.0-1+deb10u1
Hi,

let me reply before adsb has a chance ;)

On Mon, May 04, 2020 at 02:24:20PM +0200, Xavier wrote:
> Finally I found a way to fix the CVE and keep autopkgtest OK
> (node-markdown-it-html5-embed). Here is a debdiff for a future point release

This is good, however,

> diff --git a/debian/changelog b/debian/changelog > index b985661..64df8db 100644 > --- a/debian/changelog > +++ b/debian/changelog > @@ -1,3 +1,11 @@ > +node-handlebars (3:4.1.0-1+deb10u1) buster; urgency=medium > + > + * Team upload > + * Disallow calling "helperMissing" and "blockHelperMissing" directly > +(Closes: CVE-2019-19919) > + > + -- Xavier Guimard Mon, 04 May 2020 14:21:11 +0200

By now 3:4.1.0-1+deb10u1 is already accepted in p-u, built and all, and
it can't really be removed from there and replaced by a same-versioned
package.

Please prepare a +deb10u2 version, and post here a debdiff against the
already uploaded +deb10u1 one.

-- 
regards,
                        Mattia Rizzolo

GPG Key: 66AE 2B4A FCCF 3F52 DA18 4D18 4B04 3FCD B944 4540
More about me:  https://mapreri.org
Launchpad user: https://launchpad.net/~mapreri
Debian QA page: https://qa.debian.org/developer.php?login=mattia
Bug#947758: buster-pu: package node-handlebars/3:4.1.0-1+deb10u1
On 04/05/2020 at 11:54, Adam D. Barratt wrote:
> On Mon, 2020-05-04 at 11:36 +0200, Xavier wrote:
>> On 02/05/2020 at 11:58, Adam D. Barratt wrote:
>>> On Sat, 2020-04-25 at 21:30 +0200, Paul Gevers wrote:
>>>> Hi Xavier,
>>>>
>>>> On Sat, 8 Feb 2020 08:23:25 +0100 Xavier wrote:
>>>>> On 07/02/2020 at 20:16, Adam D. Barratt wrote:
>>>>>> On Sat, 2020-01-25 at 20:40 +, Adam D. Barratt wrote:
>>>>>> This apparently causes regressions in the autopkgtests of
>>>>>> node-markdown-it-html5-embed, which you also most recently
>>>>>> uploaded - see
>>>>>> https://ci.debian.net/user/britney/jobs?package=node-markdown-it-html5-embed&suite[]=stable&arch[]=amd64
>>>>>>
>>>>>> Is this enough of an issue to not include the node-handlebars
>>>>>> update?
>>>>>>
>>>>>> Regards,
>>>>>>
>>>>>> Adam
>>>>>
>>>>> Hi,
>>>>>
>>>>> then please defer the node-handlebars update until I understand
>>>>> what happens.
>>>>
>>>> Did you figure this out in the meantime? The next point release is
>>>> going to happen on 9 May 2020, so it would be good to know if the
>>>> package can be included.
>>>
>>> Ping?
>>>
>>> Regards,
>>>
>>> Adam
>>
>> Hi,
>>
>> Sorry for the delay.
>>
>> The handlebars patch is based on some other commits; its test succeeds but
>> renders it unusable, as shown by the node-markdown-it-html5-embed
>> regression.
>> I have to pick some other commits...
>
> Thanks for getting back to us.
>
> The window for getting fixes into 10.4 closed yesterday, so I guess
> we'll be excluding node-handlebars again?
>
> Regards,
>
> Adam

Finally I found a way to fix the CVE and keep autopkgtest OK
(node-markdown-it-html5-embed). Here is a debdiff for a future point release.

Cheers,
Xavier

diff --git a/debian/changelog b/debian/changelog index b985661..64df8db 100644 --- a/debian/changelog +++ b/debian/changelog
@@ -1,3 +1,11 @@ +node-handlebars (3:4.1.0-1+deb10u1) buster; urgency=medium + + * Team upload + * Disallow calling "helperMissing" and "blockHelperMissing" directly +(Closes: CVE-2019-19919) + + -- Xavier Guimard Mon, 04 May 2020 14:21:11 +0200 + node-handlebars (3:4.1.0-1) unstable; urgency=medium * New upstream version 4.1.0 (Closes: #923042) diff --git a/debian/patches/CVE-2019-19919.patch b/debian/patches/CVE-2019-19919.patch new file mode 100644 index 000..d34e77a --- /dev/null +++ b/debian/patches/CVE-2019-19919.patch 
@@ -0,0 +1,228 @@ +Description: Disallow calling "helperMissing" and "blockHelperMissing" directly + Fix for CVE-2019-19919 +Author: Nils Knappmeier +Origin: upstream, https://github.com/wycats/handlebars.js/commit/2078c72 +Bug: https://github.com/wycats/handlebars.js/issues/1558 +Forwarded: not-needed +Reviewed-By: Xavier Guimard +Last-Update: 2019-12-30 + +--- a/lib/handlebars/compiler/javascript-compiler.js b/lib/handlebars/compiler/javascript-compiler.js +@@ -311,7 +311,7 @@ + // replace it on the stack with the result of properly + // invoking blockHelperMissing. + blockValue: function(name) { +-let blockHelperMissing = this.aliasable('helpers.blockHelperMissing'), ++let blockHelperMissing = this.aliasable('container.hooks.blockHelperMissing'), + params = [this.contextName(0)]; + this.setupHelperArgs(name, 0, params); + +@@ -329,7 +329,7 @@ + // On stack, after, if lastHelper: value + ambiguousBlockValue: function() { + // We're being a bit cheeky and reusing the options value from the prior exec +-let blockHelperMissing = this.aliasable('helpers.blockHelperMissing'), ++let blockHelperMissing = this.aliasable('container.hooks.blockHelperMissing'), + params = [this.contextName(0)]; + this.setupHelperArgs('', 0, params, true); + +@@ -622,18 +622,31 @@ + // If the helper is not found, `helperMissing` is called. + invokeHelper: function(paramSize, name, isSimple) { + let nonHelper = this.popStack(), +-helper = this.setupHelper(paramSize, name), +-simple = isSimple ? 
[helper.name, ' || '] : ''; ++helper = this.setupHelper(paramSize, name); + +-let lookup = ['('].concat(simple, nonHelper); ++let possibleFunctionCalls = []; ++ ++if (isSimple) { // direct call to helper ++ possibleFunctionCalls.push(helper.name); ++} ++// call a function from the input object ++possibleFunctionCalls.push(nonHelper); + if (!this.options.strict) { +- lookup.push(' || ', this.aliasable('helpers.helperMissing')); ++ possibleFunctionCalls.push(this.aliasable('container.hooks.helperMissing')); + } +-lookup.push(')'); +- +-this.push(this.source.functionCall(lookup, 'call', helper.callParams)); ++let functionLookupCode = ['(', this.itemsSeparatedBy(possibleFunctionCalls, '||'), ')']; ++let functionCall = this.source.functionCall(functionLookupCode, 'call', helper.callParams); ++this.push(functionCall); + }, + ++ itemsSeparatedBy: function(items, separator) { ++let result = []; ++result.push(items[0]); ++f
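Review bot: in the javascript-compiler.js hunk, itemsSeparatedBy reads items[0] unconditionally; that is only safe because invokeHelper always pushes nonHelper into possibleFunctionCalls before calling it. A one-line guard (return [] for an empty array) or a comment stating that invariant would keep the helper correct for any future caller. Otherwise the change is sound: the emitted lookup becomes `(helper.name||nonHelper||container.hooks.helperMissing)` in non-strict mode and drops the last term in strict mode, matching the previous behaviour except that the fallback is now read from container.hooks rather than from the user-registerable helpers map, which is the point of the fix.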
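Review bot: "(Closes: CVE-2019-19919)" in the changelog hunk will not be parsed as a bug closure, since dpkg only recognises bug numbers after "Closes:"; the usual form is to cite the CVE on its own ("Fix CVE-2019-19919") and, if a Debian bug exists for it, close that by number. The same applies to the identical entry in the first debdiff in this thread.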
Bug#947758: buster-pu: package node-handlebars/3:4.1.0-1+deb10u1
On 04/05/2020 at 11:54, Adam D. Barratt wrote:
> On Mon, 2020-05-04 at 11:36 +0200, Xavier wrote:
>> On 02/05/2020 at 11:58, Adam D. Barratt wrote:
>>> On Sat, 2020-04-25 at 21:30 +0200, Paul Gevers wrote:
>>>> Hi Xavier,
>>>>
>>>> On Sat, 8 Feb 2020 08:23:25 +0100 Xavier wrote:
>>>>> On 07/02/2020 at 20:16, Adam D. Barratt wrote:
>>>>>> On Sat, 2020-01-25 at 20:40 +, Adam D. Barratt wrote:
>>>>>> This apparently causes regressions in the autopkgtests of
>>>>>> node-markdown-it-html5-embed, which you also most recently
>>>>>> uploaded - see
>>>>>> https://ci.debian.net/user/britney/jobs?package=node-markdown-it-html5-embed&suite[]=stable&arch[]=amd64
>>>>>>
>>>>>> Is this enough of an issue to not include the node-handlebars
>>>>>> update?
>>>>>>
>>>>>> Regards,
>>>>>>
>>>>>> Adam
>>>>>
>>>>> Hi,
>>>>>
>>>>> then please defer the node-handlebars update until I understand
>>>>> what happens.
>>>>
>>>> Did you figure this out in the meantime? The next point release is
>>>> going to happen on 9 May 2020, so it would be good to know if the
>>>> package can be included.
>>>
>>> Ping?
>>>
>>> Regards,
>>>
>>> Adam
>>
>> Hi,
>>
>> Sorry for the delay.
>>
>> The handlebars patch is based on some other commits; its test succeeds but
>> renders it unusable, as shown by the node-markdown-it-html5-embed
>> regression.
>> I have to pick some other commits...
>
> Thanks for getting back to us.
>
> The window for getting fixes into 10.4 closed yesterday, so I guess
> we'll be excluding node-handlebars again?

Yes, I don't have enough time to fix this.

Cheers,
Xavier
Bug#947758: buster-pu: package node-handlebars/3:4.1.0-1+deb10u1
On Mon, 2020-05-04 at 11:36 +0200, Xavier wrote:
> On 02/05/2020 at 11:58, Adam D. Barratt wrote:
> > On Sat, 2020-04-25 at 21:30 +0200, Paul Gevers wrote:
> > > Hi Xavier,
> > >
> > > On Sat, 8 Feb 2020 08:23:25 +0100 Xavier wrote:
> > > > On 07/02/2020 at 20:16, Adam D. Barratt wrote:
> > > > > On Sat, 2020-01-25 at 20:40 +, Adam D. Barratt wrote:
> > > > > This apparently causes regressions in the autopkgtests of
> > > > > node-markdown-it-html5-embed, which you also most recently
> > > > > uploaded - see
> > > > > https://ci.debian.net/user/britney/jobs?package=node-markdown-it-html5-embed&suite[]=stable&arch[]=amd64
> > > > >
> > > > > Is this enough of an issue to not include the node-handlebars
> > > > > update?
> > > > >
> > > > > Regards,
> > > > >
> > > > > Adam
> > > >
> > > > Hi,
> > > >
> > > > then please defer the node-handlebars update until I understand
> > > > what happens.
> > >
> > > Did you figure this out in the meantime? The next point release is
> > > going to happen on 9 May 2020, so it would be good to know if the
> > > package can be included.
> >
> > Ping?
> >
> > Regards,
> >
> > Adam
>
> Hi,
>
> Sorry for the delay.
>
> The handlebars patch is based on some other commits; its test succeeds but
> renders it unusable, as shown by the node-markdown-it-html5-embed
> regression.
> I have to pick some other commits...

Thanks for getting back to us.

The window for getting fixes into 10.4 closed yesterday, so I guess we'll be
excluding node-handlebars again?

Regards,

Adam
Bug#947758: buster-pu: package node-handlebars/3:4.1.0-1+deb10u1
On 02/05/2020 at 11:58, Adam D. Barratt wrote:
> On Sat, 2020-04-25 at 21:30 +0200, Paul Gevers wrote:
>> Hi Xavier,
>>
>> On Sat, 8 Feb 2020 08:23:25 +0100 Xavier wrote:
>>> On 07/02/2020 at 20:16, Adam D. Barratt wrote:
>>>> On Sat, 2020-01-25 at 20:40 +, Adam D. Barratt wrote:
>>>> This apparently causes regressions in the autopkgtests of
>>>> node-markdown-it-html5-embed, which you also most recently uploaded - see
>>>> https://ci.debian.net/user/britney/jobs?package=node-markdown-it-html5-embed&suite[]=stable&arch[]=amd64
>>>>
>>>> Is this enough of an issue to not include the node-handlebars update?
>>>>
>>>> Regards,
>>>>
>>>> Adam
>>>
>>> Hi,
>>>
>>> then please defer the node-handlebars update until I understand what
>>> happens.
>>
>> Did you figure this out in the meantime? The next point release is going
>> to happen on 9 May 2020, so it would be good to know if the package can
>> be included.
>
> Ping?
>
> Regards,
>
> Adam

Hi,

Sorry for the delay.

The handlebars patch is based on some other commits; its test succeeds but
renders it unusable, as shown by the node-markdown-it-html5-embed regression.
I have to pick some other commits...
Bug#947758: buster-pu: package node-handlebars/3:4.1.0-1+deb10u1
On Sat, 2020-04-25 at 21:30 +0200, Paul Gevers wrote:
> Hi Xavier,
>
> On Sat, 8 Feb 2020 08:23:25 +0100 Xavier wrote:
> > On 07/02/2020 at 20:16, Adam D. Barratt wrote:
> > > On Sat, 2020-01-25 at 20:40 +, Adam D. Barratt wrote:
> > > This apparently causes regressions in the autopkgtests of
> > > node-markdown-it-html5-embed, which you also most recently uploaded - see
> > > https://ci.debian.net/user/britney/jobs?package=node-markdown-it-html5-embed&suite[]=stable&arch[]=amd64
> > >
> > > Is this enough of an issue to not include the node-handlebars update?
> > >
> > > Regards,
> > >
> > > Adam
> >
> > Hi,
> >
> > then please defer the node-handlebars update until I understand what
> > happens.
>
> Did you figure this out in the meantime? The next point release is going
> to happen on 9 May 2020, so it would be good to know if the package can
> be included.

Ping?

Regards,

Adam
Bug#947758: buster-pu: package node-handlebars/3:4.1.0-1+deb10u1
Hi Xavier,

On Sat, 8 Feb 2020 08:23:25 +0100 Xavier wrote:
> On 07/02/2020 at 20:16, Adam D. Barratt wrote:
> > On Sat, 2020-01-25 at 20:40 +, Adam D. Barratt wrote:
> > This apparently causes regressions in the autopkgtests of
> > node-markdown-it-html5-embed, which you also most recently uploaded - see
> > https://ci.debian.net/user/britney/jobs?package=node-markdown-it-html5-embed&suite[]=stable&arch[]=amd64
> >
> > Is this enough of an issue to not include the node-handlebars update?
> >
> > Regards,
> >
> > Adam
>
> Hi,
>
> then please defer the node-handlebars update until I understand what happens.

Did you figure this out in the meantime? The next point release is going to
happen on 9 May 2020, so it would be good to know if the package can be
included.

Paul
Bug#947758: buster-pu: package node-handlebars/3:4.1.0-1+deb10u1
On 07/02/2020 at 20:16, Adam D. Barratt wrote:
> On Sat, 2020-01-25 at 20:40 +, Adam D. Barratt wrote:
>> Control: tags -1 + confirmed
>>
>> On Mon, 2019-12-30 at 07:51 +0100, Xavier Guimard wrote:
>>> node-handlebars is vulnerable to prototype pollution (CVE-2019-19919).
>>>
>>
>> Please go ahead.
>
> This apparently causes regressions in the autopkgtests of
> node-markdown-it-html5-embed, which you also most recently uploaded - see
> https://ci.debian.net/user/britney/jobs?package=node-markdown-it-html5-embed&suite[]=stable&arch[]=amd64
>
> Is this enough of an issue to not include the node-handlebars update?
>
> Regards,
>
> Adam

Hi,

then please defer the node-handlebars update until I understand what happens.

Cheers,
Xavier
Bug#947758: buster-pu: package node-handlebars/3:4.1.0-1+deb10u1
On Sat, 2020-01-25 at 20:40 +, Adam D. Barratt wrote:
> Control: tags -1 + confirmed
>
> On Mon, 2019-12-30 at 07:51 +0100, Xavier Guimard wrote:
> > node-handlebars is vulnerable to prototype pollution (CVE-2019-19919).
> >
>
> Please go ahead.

This apparently causes regressions in the autopkgtests of
node-markdown-it-html5-embed, which you also most recently uploaded - see
https://ci.debian.net/user/britney/jobs?package=node-markdown-it-html5-embed&suite[]=stable&arch[]=amd64

Is this enough of an issue to not include the node-handlebars update?

Regards,

Adam
Bug#947758: buster-pu: package node-handlebars/3:4.1.0-1+deb10u1
Control: tags -1 + confirmed

On Mon, 2019-12-30 at 07:51 +0100, Xavier Guimard wrote:
> node-handlebars is vulnerable to prototype pollution (CVE-2019-19919).
>

Please go ahead.

Regards,

Adam
Bug#947758: buster-pu: package node-handlebars/3:4.1.0-1+deb10u1
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian@packages.debian.org
Usertags: pu

Hi,

node-handlebars is vulnerable to prototype pollution (CVE-2019-19919). This
patch is exactly the upstream one.

Cheers,
Xavier

diff --git a/debian/changelog b/debian/changelog index b985661..95811b9 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,11 @@ +node-handlebars (3:4.1.0-1+deb10u1) buster; urgency=medium + + * Team upload + * Disallow calling "helperMissing" and "blockHelperMissing" directly +(Closes: CVE-2019-19919) + + -- Xavier Guimard Mon, 30 Dec 2019 07:46:39 +0100 + node-handlebars (3:4.1.0-1) unstable; urgency=medium * New upstream version 4.1.0 (Closes: #923042) diff --git a/debian/patches/CVE-2019-19919.patch b/debian/patches/CVE-2019-19919.patch new file mode 100644 index 000..f63f106 --- /dev/null +++ b/debian/patches/CVE-2019-19919.patch
@@ -0,0 +1,213 @@ +Description: Disallow calling "helperMissing" and "blockHelperMissing" directly + Fix for CVE-2019-19919 +Author: Nils Knappmeier +Origin: upstream, https://github.com/wycats/handlebars.js/commit/2078c72 +Bug: https://github.com/wycats/handlebars.js/issues/1558 +Forwarded: not-needed +Reviewed-By: Xavier Guimard +Last-Update: 2019-12-30 + +--- a/lib/handlebars/compiler/javascript-compiler.js b/lib/handlebars/compiler/javascript-compiler.js +@@ -311,7 +311,7 @@ + // replace it on the stack with the result of properly + // invoking blockHelperMissing. + blockValue: function(name) { +-let blockHelperMissing = this.aliasable('helpers.blockHelperMissing'), ++let blockHelperMissing = this.aliasable('container.hooks.blockHelperMissing'), + params = [this.contextName(0)]; + this.setupHelperArgs(name, 0, params); + +@@ -329,7 +329,7 @@ + // On stack, after, if lastHelper: value + ambiguousBlockValue: function() { + // We're being a bit cheeky and reusing the options value from the prior exec +-let blockHelperMissing = this.aliasable('helpers.blockHelperMissing'), ++let blockHelperMissing = this.aliasable('container.hooks.blockHelperMissing'), + params = [this.contextName(0)]; + this.setupHelperArgs('', 0, params, true); + +@@ -622,18 +622,31 @@ + // If the helper is not found, `helperMissing` is called. + invokeHelper: function(paramSize, name, isSimple) { + let nonHelper = this.popStack(), +-helper = this.setupHelper(paramSize, name), +-simple = isSimple ? 
[helper.name, ' || '] : ''; ++helper = this.setupHelper(paramSize, name); + +-let lookup = ['('].concat(simple, nonHelper); ++let possibleFunctionCalls = []; ++ ++if (isSimple) { // direct call to helper ++ possibleFunctionCalls.push(helper.name); ++} ++// call a function from the input object ++possibleFunctionCalls.push(nonHelper); + if (!this.options.strict) { +- lookup.push(' || ', this.aliasable('helpers.helperMissing')); ++ possibleFunctionCalls.push(this.aliasable('container.hooks.helperMissing')); + } +-lookup.push(')'); +- +-this.push(this.source.functionCall(lookup, 'call', helper.callParams)); ++let functionLookupCode = ['(', this.itemsSeparatedBy(possibleFunctionCalls, '||'), ')']; ++let functionCall = this.source.functionCall(functionLookupCode, 'call', helper.callParams); ++this.push(functionCall); + }, + ++ itemsSeparatedBy: function(items, separator) { ++let result = []; ++result.push(items[0]); ++for (let i = 1; i < items.length; i++) { ++ result.push(separator, items[i]); ++} ++return result; ++ }, + // [invokeKnownHelper] + // + // On stack, before: hash, inverse, program, params..., ... +@@ -673,7 +686,7 @@ + lookup[0] = '(helper = '; + lookup.push( + ' != null ? 
helper : ', +-this.aliasable('helpers.helperMissing') ++this.aliasable('container.hooks.helperMissing') + ); + } + +--- a/lib/handlebars/runtime.js b/lib/handlebars/runtime.js +@@ -1,6 +1,7 @@ + import * as Utils from './utils'; + import Exception from './exception'; +-import { COMPILER_REVISION, REVISION_CHANGES, createFrame } from './base'; ++import {COMPILER_REVISION, createFrame, REVISION_CHANGES} from './base'; ++import {moveHelperToHooks} from './helpers'; + + export function checkRevision(compilerInfo) { + const compilerRevision = compilerInfo && compilerInfo[0] || 1, +@@ -44,11 +45,14 @@ + } + + partial = env.VM.resolvePartial.call(this, partial, context, options); +-let result = env.VM.invokePartial.call(this, partial, context, options); ++ ++let optionsWithHooks = Utils.extend({}, options, {hooks: this.hooks}); ++ ++let result = env.VM.invokePartial.call(this, partial, context, optionsWithHooks); + + if (result == null && env.compile) { + options.partials[options.name] = env.compile(partial, templateSpec.compilerOptions, env); +- result = options.parti
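Review bot: the runtime.js hunk adds `import {moveHelperToHooks} from './helpers';`, but no hunk for lib/handlebars/helpers.js providing that export appears in the visible part of this patch; without it, loading the runtime module fails for every consumer even though the package's own test suite may still pass (as the thread later reports: "its test succeeds but renders it unusable"). The +deb10u2 debdiff posted later in this thread adds exactly that function to helpers.js, which is consistent with the missing export being the cause of the node-markdown-it-html5-embed autopkgtest regression. When cherry-picking an upstream commit that touches several files, diff the resulting import list against the files actually included in the patch before uploading.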
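The fix carried by the debdiff above moves the two internal fallbacks, helperMissing and blockHelperMissing, out of the helpers map that templates can address by name and into a separate hooks object, and changes the compiler so the generated lookup reads the fallback from container.hooks. The following is an added example written for this page, not code from handlebars.js or from the Debian package: it re-implements moveHelperToHooks and itemsSeparatedBy as they appear in the patch and wraps them in a toy runtime (createRuntime, lookupHelper and functionLookupCode are names assumed for the example) to check that a name-based helper lookup no longer resolves the moved fallbacks while they stay reachable through hooks, and to show the lookup expression the patched invokeHelper emits in strict and non-strict mode.

```javascript
// Added example for this thread, not handlebars.js or Debian package code.
// moveHelperToHooks and itemsSeparatedBy re-implement the functions added by
// the CVE-2019-19919 patch; createRuntime, lookupHelper and functionLookupCode
// are names assumed for this example.

// helpers.js (from the +deb10u2 patch): move a registered helper into the
// container's private hooks object, optionally keeping it registered too.
function moveHelperToHooks(instance, helperName, keepHelper) {
  if (instance.helpers[helperName]) {
    instance.hooks[helperName] = instance.helpers[helperName];
    if (!keepHelper) {
      delete instance.helpers[helperName];
    }
  }
}

// javascript-compiler.js (from the patch): join code fragments with a
// separator, e.g. ['a', 'b'] -> ['a', '||', 'b'].
function itemsSeparatedBy(items, separator) {
  const result = [items[0]];
  for (let i = 1; i < items.length; i++) {
    result.push(separator, items[i]);
  }
  return result;
}

// Mirrors the patched invokeHelper: the emitted lookup expression tries the
// registered helper (simple call), then a function from the input object,
// then the helperMissing hook unless the template was compiled in strict mode.
function functionLookupCode(helperName, nonHelper, isSimple, strict) {
  const possibleFunctionCalls = [];
  if (isSimple) {
    possibleFunctionCalls.push(helperName);
  }
  possibleFunctionCalls.push(nonHelper);
  if (!strict) {
    possibleFunctionCalls.push('container.hooks.helperMissing');
  }
  return ['(', ...itemsSeparatedBy(possibleFunctionCalls, '||'), ')'].join('');
}

// Toy runtime: default helpers go into `helpers` (the user-visible map), then
// the two fallbacks are moved into `hooks`, which templates cannot address.
// Null-prototype objects keep Object.prototype members out of both lookups.
function createRuntime() {
  const instance = { helpers: Object.create(null), hooks: Object.create(null) };
  instance.helpers.helperMissing = function helperMissing() {
    if (arguments.length === 1) {
      return undefined; // a lone {{missing}} renders as empty
    }
    throw new Error('Missing helper: "' + arguments[arguments.length - 1].name + '"');
  };
  instance.helpers.blockHelperMissing = function blockHelperMissing(context, options) {
    return context ? options.fn(context) : options.inverse(this);
  };
  instance.helpers.upper = (s) => String(s).toUpperCase();
  moveHelperToHooks(instance, 'helperMissing', false);
  moveHelperToHooks(instance, 'blockHelperMissing', false);
  return instance;
}

// Name-based lookup as a compiled template performs it: only `helpers` is
// consulted, so a moved fallback is invisible here.
function lookupHelper(instance, name) {
  return name in instance.helpers ? instance.helpers[name] : undefined;
}

if (typeof require !== 'undefined' && require.main === module) {
  const rt = createRuntime();
  console.log(typeof lookupHelper(rt, 'upper'));         // function
  console.log(typeof lookupHelper(rt, 'helperMissing')); // undefined
  console.log(typeof rt.hooks.helperMissing);            // function
  console.log(functionLookupCode('helpers.upper', 'nonHelper', true, false));
}
```

Run it with node. The check a maintainer would want on the autopkgtest side is the pair of lookups on helperMissing: it must be absent from helpers after the move and present on hooks, since the runtime.js hunk hands hooks on to partials through optionsWithHooks and generated code dereferences container.hooks.helperMissing directly.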