Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian@packages.debian.org
Usertags: pu
[ Reason ]
grunt is vulnerable to a medium CVE (CVE-2020-7729, #969668)
[ Impact ]
Versions of grunt before 1.3.0 are vulnerable to arbitrary code execution
because grunt.file.readYAML parses YAML with js-yaml's load() by default
instead of its safe replacement safeLoad().
[ Tests ]
Patch contains new upstream test. autopkgtest is OK
[ Risks ]
Low risk: the patch just adds some checks
[ Checklist ]
[X] *all* changes are documented in the d/changelog
[X] I reviewed all changes and I approve them
[X] attach debdiff against the package in (old)stable
[X] the issue is verified as fixed in unstable
[ Changes ]
Upstream patch is imported without changes. It adds some checks during
YAML file read and a little test.
[ Other info ]
Thanks for your work!
diff --git a/debian/changelog b/debian/changelog
index eaf56cc..f15438c 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+grunt (1.0.1-8+deb10u1) buster; urgency=medium
+
+ * Team upload
+ * Use `safeLoad` for loading YML files via `file.readYAML`
+(Closes: #969668, CVE-2020-7729)
+
+ -- Xavier Guimard Sun, 06 Sep 2020 23:41:10 +0200
+
grunt (1.0.1-8) unstable; urgency=medium
[ Harish K ]
diff --git a/debian/patches/CVE-2020-7729.patch
b/debian/patches/CVE-2020-7729.patch
new file mode 100644
index 000..64bed12
--- /dev/null
+++ b/debian/patches/CVE-2020-7729.patch
@@ -0,0 +1,53 @@
+Description: Switch to use `safeLoad` for loading YML files via
`file.readYAML`.
+Author: Vlad Filippov
+Origin: upstream, https://github.com/gruntjs/grunt/commit/e350cea1
+Bug: https://snyk.io/vuln/SNYK-JS-GRUNT-597546
+Bug-Debian: https://bugs.debian.org/969668
+Forwarded: not-needed
+Reviewed-By: Xavier Guimard
+Last-Update: 2020-09-06
+
+--- a/lib/grunt/file.js
b/lib/grunt/file.js
+@@ -252,12 +252,21 @@
+ };
+
+ // Read a YAML file, parse its contents, return an object.
+-file.readYAML = function(filepath, options) {
++file.readYAML = function(filepath, options, yamlOptions) {
++ if (!options) { options = {}; }
++ if (!yamlOptions) { yamlOptions = {}; }
++
+ var src = file.read(filepath, options);
+ var result;
+ grunt.verbose.write('Parsing ' + filepath + '...');
+ try {
+-result = YAML.load(src);
++// use the recommended way of reading YAML files
++// https://github.com/nodeca/js-yaml#safeload-string---options-
++if (yamlOptions.unsafeLoad) {
++ result = YAML.load(src);
++} else {
++ result = YAML.safeLoad(src);
++}
+ grunt.verbose.ok();
+ return result;
+ } catch (e) {
+--- a/test/grunt/file_test.js
b/test/grunt/file_test.js
+@@ -452,10 +452,13 @@
+ test.done();
+ },
+ 'readYAML': function(test) {
+-test.expect(3);
++test.expect(4);
+ var obj;
+ obj = grunt.file.readYAML('test/fixtures/utf8.yaml');
+-test.deepEqual(obj, this.object, 'file should be read as utf8 by default
and parsed correctly.');
++test.deepEqual(obj, this.object, 'file should be safely read as utf8 by
default and parsed correctly.');
++
++obj = grunt.file.readYAML('test/fixtures/utf8.yaml', null, {unsafeLoad:
true});
++test.deepEqual(obj, this.object, 'file should be unsafely read as utf8 by
default and parsed correctly.');
+
+ obj = grunt.file.readYAML('test/fixtures/iso-8859-1.yaml', {encoding:
'iso-8859-1'});
+ test.deepEqual(obj, this.object, 'file should be read using the specified
encoding.');
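Review bot: The new test at the end of the hunk only confirms that both loaders still parse the benign utf8.yaml fixture; nothing asserts that the default path now rejects the tags that made CVE-2020-7729 exploitable, so a later regression back to `YAML.load` would still pass the suite. Add a fixture containing a `!!js/function` value and a negative case such as `test.throws(function() { grunt.file.readYAML('test/fixtures/js-function.yaml'); }, 'code-executing tags must be rejected by default');` (readYAML's catch block lies outside the hunk, so the exact error it rethrows cannot be confirmed here). The `unsafeLoad` escape hatch also deserves an explicit warning beside the `if (yamlOptions.unsafeLoad)` check instead of the generic "recommended way" comment, e.g. `// YAML.load honours js-yaml's !!js/* tags (arbitrary code execution, CVE-2020-7729); pass {unsafeLoad: true} only for YAML you fully trust.` Note that `yamlOptions` is never forwarded to js-yaml (both calls receive only `src`), so `unsafeLoad` is its only effective key and the function's doc comment should say so before callers expect `filename` or `schema` to apply. Defaulting to `safeLoad` is also a behaviour change for any YAML that relied on non-safe tags, which the [ Risks ] section of the request ("just adds some checks") does not mention.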
diff --git a/debian/patches/series b/debian/patches/series
index fcd76bd..a874060 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,3 +1,4 @@
add-root-variable.patch
reproducible-build.patch
adapt-gruntfile.patch
+CVE-2020-7729.patch