Bug#986175: unblock: underscore/1.9.1~dfsg-2
Control: tags -1 - moreinfo

On 31/03/2021 at 09:52, Sebastian Ramacher wrote:
> Control: tags -1 moreinfo
>
> On 2021-03-30 22:49:43, Yadd wrote:
>> Package: release.debian.org
>> Severity: normal
>> User: release.debian@packages.debian.org
>> Usertags: unblock
>> X-Debbugs-Cc: pkg-javascript-de...@lists.alioth.debian.org
>>
>> Please unblock package underscore
>>
>> [ Reason ]
>> underscore is vulnerable to arbitrary code execution (#986171,
>> CVE-2021-23358)
>>
>> [ Impact ]
>> CVE provided a PoC to prove arbitrary code execution
>>
>> [ Tests ]
>> I added a test to prove that the bug is fixed (based on PoC). Test fails
>> with 1.9.1~dfsg-1 and passes with 1.9.1~dfsg-2
>>
>> [ Risks ]
>> Patch is trivial. Note: I also imported Janitor changes: this breaks
>> nothing
>
> The patch looks fine, but please upload a version without the janitor
> changes. It's too late for those changes and they can wait for bookworm.
>
> Cheers

Hi,

thanks, done in version 1.9.1~dfsg-3

Cheers,
Yadd

diff --git a/debian/changelog b/debian/changelog index 02cd807..3936261 100644 --- a/debian/changelog +++ b/debian/changelog
@@ -1,3 +1,33 @@ +underscore (1.9.1~dfsg-3) unstable; urgency=medium + + * Team upload + * Revert Janitor changes as required by release team (#986175) + + -- Yadd Wed, 31 Mar 2021 14:21:21 +0200 + +underscore (1.9.1~dfsg-2) unstable; urgency=medium + + * Team upload + + [ Debian Janitor ] + * Bump debhelper dependency to >= 9, since that's what is used in +debian/compat. + * Bump debhelper from old 9 to 12. + * Set debhelper-compat version in Build-Depends. + * Set upstream metadata fields: Bug-Database, Repository, Repository- +Browse. + * Update standards version to 4.4.1, no changes needed. + * Set upstream metadata fields: Bug-Submit. + * Update standards version to 4.5.0, no changes needed. + * Apply multi-arch hints. ++ node-underscore: Add Multi-Arch: foreign. + + [ Yadd ] + * Mark autopkgtest as superficial + * Fix arbitrary code execution and add a test (Closes: #986171) + + -- Yadd Tue, 30 Mar 2021 22:40:59 +0200 + underscore (1.9.1~dfsg-1) unstable; urgency=medium [ upstream ] diff --git a/debian/patches/CVE-2021-23358.patch b/debian/patches/CVE-2021-23358.patch new file mode 100644 index 000..2ba4118 --- /dev/null +++ b/debian/patches/CVE-2021-23358.patch 
@@ -0,0 +1,62 @@ +Description: fix arbitrary code execution +Author: Julian Gonggrijp +Origin: upstream, https://github.com/jashkenas/underscore/commit/4c73526d +Bug: https://snyk.io/vuln/SNYK-JS-UNDERSCORE-1080984 +Bug-Debian: https://bugs.debian.org/986171 +Forwarded: not-needed +Reviewed-By: Xavier Guimard +Last-Update: 2021-03-30 + +--- a/underscore.js b/underscore.js +@@ -1550,6 +1550,13 @@ + return '\\' + escapes[match]; + }; + ++ // In order to prevent third-party code injection through ++ // `_.templateSettings.variable`, we test it against the following regular ++ // expression. It is intentionally a bit more liberal than just matching valid ++ // identifiers, but still prevents possible loopholes through defaults or ++ // destructuring assignment. ++ var bareIdentifier = /^\s*(\w|\$)+\s*$/; ++ + // JavaScript micro-templating, similar to John Resig's implementation. + // Underscore templating handles arbitrary delimiters, preserves whitespace, + // and correctly escapes quotes within interpolated code. +@@ -1585,8 +1592,17 @@ + }); + source += "';\n"; + +-// If a variable is not specified, place data values in local scope. +-if (!settings.variable) source = 'with(obj||{}){\n' + source + '}\n'; ++var argument = settings.variable; ++if (argument) { ++ // Insure against third-party code injection. ++ if (!bareIdentifier.test(argument)) throw new Error( ++'variable is not a bare identifier: ' + argument ++ ); ++} else { ++ // If a variable is not specified, place data values in local scope. 
++ source = 'with(obj||{}){\n' + source + '}\n'; ++ argument = 'obj'; ++} + + source = "var __t,__p='',__j=Array.prototype.join," + + "print=function(){__p+=__j.call(arguments,'');};\n" + +@@ -1594,7 +1610,7 @@ + + var render; + try { +- render = new Function(settings.variable || 'obj', '_', source); ++ render = new Function(argument, '_', source); + } catch (e) { + e.source = source; + throw e; +@@ -1605,7 +1621,6 @@ + }; + + // Provide the compiled source as a convenience for precompilation. +-var argument = settings.variable || 'obj'; + template.source = 'function(' + argument + '){\n' + source + '}'; + + return template; diff --git a/debian/patches/series b/debian/patches/series index da362d2..7ddac86 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -1 +1,2 @@ 2001_docs_privacy.patch +CVE-2021-23358.patch diff --git a/debian/tests/CVE-2021-23358 b/debian/tests/CVE-2021-23358 new file mode 100755 index 000..a2ae590
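Review bot: In the CVE-2021-23358.patch hunk, `bareIdentifier = /^\s*(\w|\$)+\s*$/` accepts strings that are not valid parameter names (a digit-leading name such as `1abc`, or a reserved word); those are still refused, but only later, inside `render = new Function(argument, '_', source)`, where the existing `catch (e)` attaches `e.source` and rethrows a SyntaxError instead of the clearer 'variable is not a bare identifier' Error. That matches the comment calling the regex "intentionally a bit more liberal" and is acceptable for a freeze upload, but a sentence about it in the DEP-3 Description would save the next reader the same question. Two smaller points: the embedded file header as shown reads `--- a/underscore.js b/underscore.js` with no `+++ b/underscore.js` line, which would stop quilt from applying the patch if the file on disk really looks like that (most likely mail wrapping, so please confirm with `quilt push`); and because `_.template` now throws for any `variable` that used a default or a destructuring pattern, callers that relied on that get a compile-time Error, which is a behaviour change worth one line in the changelog entry.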
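Review bot: The new debian/tests/CVE-2021-23358 file is added executable (mode 100755) but its contents are cut off in this excerpt, and no debian/tests/control change appears in the part of the debdiff shown, so neither the "fails with 1.9.1~dfsg-1 and passes with 1.9.1~dfsg-2" claim nor whether the test is actually registered (and, per the changelog, marked superficial) can be checked from here; please make sure the test body and the tests/control stanza are part of the debdiff.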
Bug#986175: unblock: underscore/1.9.1~dfsg-2
Control: tags -1 moreinfo

On 2021-03-30 22:49:43, Yadd wrote:
> Package: release.debian.org
> Severity: normal
> User: release.debian@packages.debian.org
> Usertags: unblock
> X-Debbugs-Cc: pkg-javascript-de...@lists.alioth.debian.org
>
> Please unblock package underscore
>
> [ Reason ]
> underscore is vulnerable to arbitrary code execution (#986171,
> CVE-2021-23358)
>
> [ Impact ]
> CVE provided a PoC to prove arbitrary code execution
>
> [ Tests ]
> I added a test to prove that the bug is fixed (based on PoC). Test fails
> with 1.9.1~dfsg-1 and passes with 1.9.1~dfsg-2
>
> [ Risks ]
> Patch is trivial. Note: I also imported Janitor changes: this breaks
> nothing

The patch looks fine, but please upload a version without the janitor
changes. It's too late for those changes and they can wait for bookworm.

Cheers

> [ Checklist ]
> [X] all changes are documented in the d/changelog
> [X] I reviewed all changes and I approve them
> [X] attach debdiff against the package in testing
>
> [ Other ]
> I downgrade autopkgtest to "superficial" since nothing was really tested
> (just a node "require"). That's why I'm filing this ;-)
>
> Regards,
> Yadd
>
> unblock underscore/1.9.1~dfsg-2
> diff --git a/debian/changelog b/debian/changelog > index 02cd807..fed9aa8 100644 > --- a/debian/changelog > +++ b/debian/changelog
> @@ -1,3 +1,26 @@ > +underscore (1.9.1~dfsg-2) unstable; urgency=medium > + > + * Team upload > + > + [ Debian Janitor ] > + * Bump debhelper dependency to >= 9, since that's what is used in > +debian/compat. > + * Bump debhelper from old 9 to 12. > + * Set debhelper-compat version in Build-Depends. > + * Set upstream metadata fields: Bug-Database, Repository, Repository- > +Browse. > + * Update standards version to 4.4.1, no changes needed. > + * Set upstream metadata fields: Bug-Submit. > + * Update standards version to 4.5.0, no changes needed. > + * Apply multi-arch hints. > ++ node-underscore: Add Multi-Arch: foreign. > + > + [ Yadd ] > + * Mark autopkgtest as superficial > + * Fix arbitrary code execution and add a test (Closes: #986171) > + > + -- Yadd Tue, 30 Mar 2021 22:40:59 +0200 > + > underscore (1.9.1~dfsg-1) unstable; urgency=medium > >[ upstream ] > diff --git a/debian/compat b/debian/compat > deleted file mode 100644 > index ec63514..000 > --- a/debian/compat > +++ /dev/null > @@ -1 +0,0 @@ > -9 > diff --git a/debian/control b/debian/control > index cb1e7e9..fc1d26b 100644 > --- a/debian/control > +++ b/debian/control > @@ -7,11 +7,11 @@ Uploaders: > David Paleino , > Build-Depends: > brotli, > - debhelper, > + debhelper-compat (= 12), > node-source-map, > pigz, > uglifyjs (>= 3), > -Standards-Version: 4.3.0 > +Standards-Version: 4.5.0 > Homepage: https://underscorejs.org/ > Vcs-Browser: https://salsa.debian.org/js-team/underscore > Vcs-Git: https://salsa.debian.org/js-team/underscore.git > @@ -44,6 +44,7 @@ Depends: > libjs-underscore, > nodejs, > ${misc:Depends}, > +Multi-Arch: foreign > Description: JavaScript's functional programming helper library - NodeJS > Underscore is a utility-belt library for JavaScript that provides a lot > of the functional programming support that you would expect in > diff --git a/debian/patches/CVE-2021-23358.patch > b/debian/patches/CVE-2021-23358.patch > new file mode 100644 > index 000..2ba4118 > --- /dev/null 
> +++ b/debian/patches/CVE-2021-23358.patch > @@ -0,0 +1,62 @@ > +Description: fix arbitrary code execution > +Author: Julian Gonggrijp > +Origin: upstream, https://github.com/jashkenas/underscore/commit/4c73526d > +Bug: https://snyk.io/vuln/SNYK-JS-UNDERSCORE-1080984 > +Bug-Debian: https://bugs.debian.org/986171 > +Forwarded: not-needed > +Reviewed-By: Xavier Guimard > +Last-Update: 2021-03-30 > + > +--- a/underscore.js > b/underscore.js > +@@ -1550,6 +1550,13 @@ > + return '\\' + escapes[match]; > + }; > + > ++ // In order to prevent third-party code injection through > ++ // `_.templateSettings.variable`, we test it against the following regular > ++ // expression. It is intentionally a bit more liberal than just matching > valid > ++ // identifiers, but still prevents possible loopholes through defaults or > ++ // destructuring assignment. > ++ var bareIdentifier = /^\s*(\w|\$)+\s*$/; > ++ > + // JavaScript micro-templating, similar to John Resig's implementation. > + // Underscore templating handles arbitrary delimiters, preserves > whitespace, > + // and correctly escapes quotes within interpolated code. > +@@ -1585,8 +1592,17 @@ > + }); > + source += "';\n"; > + > +-// If a variable is not specified, place data values in local scope. > +-if (!settings.variable) source = 'with(obj||{}){\n' + source + '}\n'; > ++var argument = settings.variable; > ++if (argument) { > ++ // Insure against third-party code injection. > ++ if (!bareIdentifier.test(argument)) throw new Error( > ++
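Review bot: The debian/compat deletion and the debian/control hunk (debhelper-compat (= 12) replacing the bare debhelper build-dependency, Standards-Version 4.3.0 to 4.5.0, Multi-Arch: foreign on node-underscore) carry only the Janitor changes; none of them is needed for the CVE-2021-23358 fix, and the compat jump from 9 to 12 changes dh defaults at build time, so they widen the freeze-exception diff for no security benefit and belong in a separate upload after the freeze, leaving this one to the patch, series and test changes.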
Bug#986175: unblock: underscore/1.9.1~dfsg-2
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: pkg-javascript-de...@lists.alioth.debian.org

Please unblock package underscore

[ Reason ]
underscore is vulnerable to arbitrary code execution (#986171,
CVE-2021-23358)

[ Impact ]
CVE provided a PoC to prove arbitrary code execution

[ Tests ]
I added a test to prove that the bug is fixed (based on PoC). Test fails
with 1.9.1~dfsg-1 and passes with 1.9.1~dfsg-2

[ Risks ]
Patch is trivial. Note: I also imported Janitor changes: this breaks
nothing

[ Checklist ]
[X] all changes are documented in the d/changelog
[X] I reviewed all changes and I approve them
[X] attach debdiff against the package in testing

[ Other ]
I downgrade autopkgtest to "superficial" since nothing was really tested
(just a node "require"). That's why I'm filing this ;-)

Regards,
Yadd

unblock underscore/1.9.1~dfsg-2

diff --git a/debian/changelog b/debian/changelog index 02cd807..fed9aa8 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,26 @@ +underscore (1.9.1~dfsg-2) unstable; urgency=medium + + * Team upload + + [ Debian Janitor ] + * Bump debhelper dependency to >= 9, since that's what is used in +debian/compat. + * Bump debhelper from old 9 to 12. + * Set debhelper-compat version in Build-Depends. + * Set upstream metadata fields: Bug-Database, Repository, Repository- +Browse. + * Update standards version to 4.4.1, no changes needed. + * Set upstream metadata fields: Bug-Submit. + * Update standards version to 4.5.0, no changes needed. + * Apply multi-arch hints. ++ node-underscore: Add Multi-Arch: foreign. + + [ Yadd ] + * Mark autopkgtest as superficial + * Fix arbitrary code execution and add a test (Closes: #986171) + + -- Yadd Tue, 30 Mar 2021 22:40:59 +0200 + underscore (1.9.1~dfsg-1) unstable; urgency=medium [ upstream ] diff --git a/debian/compat b/debian/compat deleted file mode 100644 index ec63514..000 --- a/debian/compat +++ /dev/null @@ -1 +0,0 @@ -9
diff --git a/debian/control b/debian/control index cb1e7e9..fc1d26b 100644 --- a/debian/control +++ b/debian/control @@ -7,11 +7,11 @@ Uploaders: David Paleino , Build-Depends: brotli, - debhelper, + debhelper-compat (= 12), node-source-map, pigz, uglifyjs (>= 3), -Standards-Version: 4.3.0 +Standards-Version: 4.5.0 Homepage: https://underscorejs.org/ Vcs-Browser: https://salsa.debian.org/js-team/underscore Vcs-Git: https://salsa.debian.org/js-team/underscore.git @@ -44,6 +44,7 @@ Depends: libjs-underscore, nodejs, ${misc:Depends}, +Multi-Arch: foreign Description: JavaScript's functional programming helper library - NodeJS Underscore is a utility-belt library for JavaScript that provides a lot of the functional programming support that you would expect in diff --git a/debian/patches/CVE-2021-23358.patch b/debian/patches/CVE-2021-23358.patch new file mode 100644 index 000..2ba4118 --- /dev/null +++ b/debian/patches/CVE-2021-23358.patch 
@@ -0,0 +1,62 @@ +Description: fix arbitrary code execution +Author: Julian Gonggrijp +Origin: upstream, https://github.com/jashkenas/underscore/commit/4c73526d +Bug: https://snyk.io/vuln/SNYK-JS-UNDERSCORE-1080984 +Bug-Debian: https://bugs.debian.org/986171 +Forwarded: not-needed +Reviewed-By: Xavier Guimard +Last-Update: 2021-03-30 + +--- a/underscore.js b/underscore.js +@@ -1550,6 +1550,13 @@ + return '\\' + escapes[match]; + }; + ++ // In order to prevent third-party code injection through ++ // `_.templateSettings.variable`, we test it against the following regular ++ // expression. It is intentionally a bit more liberal than just matching valid ++ // identifiers, but still prevents possible loopholes through defaults or ++ // destructuring assignment. ++ var bareIdentifier = /^\s*(\w|\$)+\s*$/; ++ + // JavaScript micro-templating, similar to John Resig's implementation. + // Underscore templating handles arbitrary delimiters, preserves whitespace, + // and correctly escapes quotes within interpolated code. +@@ -1585,8 +1592,17 @@ + }); + source += "';\n"; + +-// If a variable is not specified, place data values in local scope. +-if (!settings.variable) source = 'with(obj||{}){\n' + source + '}\n'; ++var argument = settings.variable; ++if (argument) { ++ // Insure against third-party code injection. ++ if (!bareIdentifier.test(argument)) throw new Error( ++'variable is not a bare identifier: ' + argument ++ ); ++} else { ++ // If a variable is not specified, place data values in local scope. ++ source = 'with(obj||{}){\n' + source + '}\n'; ++ argument = 'obj'; ++} + + source = "var __t,__p='',__j=Array.prototype.join," + + "print=function(){__p+=__j.call(arguments,'');};\n" + +@@ -1594,7 +1610,7 @@ + + var render; + try { +- render = new Function(settings.variable || 'obj', '_', source); ++ render = new
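Review bot: In the changelog hunk, the [ Debian Janitor ] block and the [ Yadd ] security fix share a single 1.9.1~dfsg-2 entry, which ties the freeze exception for CVE-2021-23358 (Closes: #986171) to a debhelper compat bump from 9 to 12 and two Standards-Version updates; keeping the security fix in its own entry, with the Janitor items deferred, gives the release team a minimal diff to unblock. Also, "Bump debhelper dependency to >= 9" is superseded within the same entry by "Bump debhelper from old 9 to 12" and "Set debhelper-compat version in Build-Depends", so those three lines describe one net change and could be collapsed into it.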
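As an added example that is not part of this bug report and not underscore's own code, the stripped-down template compiler below reproduces only the `new Function(settings.variable || 'obj', ...)` step that the patch changes, with the `bareIdentifier` regular expression copied from the upstream fix. The reduced `<%= expr %>` syntax, the `buildSource` and `escapeLiteral` helpers and the harmless marker global `__cve_2021_23358_ran` are assumptions made for the demonstration; they show why a default-parameter expression placed in `variable` executes when the template is rendered before the fix, and is refused at compile time after it.

```javascript
// Added example, not underscore's code: a minimal micro-template compiler that
// keeps only the part of _.template() relevant to CVE-2021-23358, namely how
// settings.variable reaches `new Function`. Templates support "<%= expr %>" only.

// Regular expression taken from the upstream fix (commit 4c73526d).
const bareIdentifier = /^\s*(\w|\$)+\s*$/;

// Escape literal template text so it can sit inside a single-quoted JS string.
function escapeLiteral(s) {
  return s.replace(/\\/g, '\\\\').replace(/'/g, "\\'")
          .replace(/\r/g, '\\r').replace(/\n/g, '\\n');
}

// Turn template text into the body of a render function. Literal text is
// escaped; "<%= expr %>" is emitted as JavaScript, as underscore does.
function buildSource(text) {
  let source = "var __t, __p = '';\n";
  const interpolate = /<%=([\s\S]+?)%>/g;
  let last = 0;
  let m;
  while ((m = interpolate.exec(text)) !== null) {
    source += "__p += '" + escapeLiteral(text.slice(last, m.index)) + "';\n";
    source += "__p += ((__t = (" + m[1] + ")) == null ? '' : __t);\n";
    last = m.index + m[0].length;
  }
  source += "__p += '" + escapeLiteral(text.slice(last)) + "';\n";
  return source + 'return __p;\n';
}

// Behaviour before the fix: settings.variable is spliced verbatim into the
// parameter list of `new Function`, so "obj = <expression>" (a default
// parameter) or a destructuring pattern becomes code that runs on render.
function compileUnsafe(text, settings = {}) {
  let source = buildSource(text);
  if (!settings.variable) source = 'with (obj || {}) {\n' + source + '}\n';
  return new Function(settings.variable || 'obj', source);
}

// Behaviour after the fix: anything that is not a bare identifier is refused
// before it can reach `new Function`.
function compileSafe(text, settings = {}) {
  let argument = settings.variable;
  let source = buildSource(text);
  if (argument) {
    if (!bareIdentifier.test(argument)) {
      throw new Error('variable is not a bare identifier: ' + argument);
    }
  } else {
    source = 'with (obj || {}) {\n' + source + '}\n';
    argument = 'obj';
  }
  return new Function(argument, source);
}

// Demonstration. The "payload" is deliberately harmless: a default-parameter
// expression that only records on globalThis that it ran (assumed marker name).
function demo() {
  const injected = "data = (globalThis.__cve_2021_23358_ran = true, { name: 'x' })";
  delete globalThis.__cve_2021_23358_ran;

  // Unpatched: compiling succeeds and rendering executes the injected code.
  const unsafeOut = compileUnsafe('Hi <%= data.name %>', { variable: injected })();
  const ranInjected = globalThis.__cve_2021_23358_ran === true;

  // Patched: the same settings are rejected at compile time, before any render.
  let rejected = false;
  try {
    compileSafe('Hi <%= data.name %>', { variable: injected });
  } catch (e) {
    rejected = /not a bare identifier/.test(e.message);
  }

  // Legitimate usage keeps working, with and without an explicit variable.
  const legit = compileSafe('Hi <%= data.name %>', { variable: 'data' })({ name: 'Yadd' });
  const viaWith = compileSafe('Hi <%= name %>')({ name: 'Yadd' });

  return { unsafeOut, ranInjected, rejected, legit, viaWith };
}

console.log(demo());
```

The check has to happen at compile time because `new Function` itself does not evaluate default parameters; the injected expression only runs on the first render, which is why a `_.templateSettings.variable` taken from configuration or request data was a code-execution sink. The regex still lets through names that are not valid parameters (for example `1abc`); those are rejected by `new Function` with a SyntaxError rather than by the explicit Error, which is the "more liberal" trade-off the patch comment describes.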