Bug#986175: unblock: underscore/1.9.1~dfsg-2

2021-03-31 Thread Yadd
Control: tags -1 - moreinfo

On 31/03/2021 at 09:52, Sebastian Ramacher wrote:
> Control: tags -1 moreinfo
> 
> On 2021-03-30 22:49:43, Yadd wrote:
>> Package: release.debian.org
>> Severity: normal
>> User: release.debian@packages.debian.org
>> Usertags: unblock
>> X-Debbugs-Cc: pkg-javascript-de...@lists.alioth.debian.org
>>
>> Please unblock package underscore
>>
>> [ Reason ]
>> underscore is vulnerable to arbitrary code execution (#986171,
>> CVE-2021-23358)
>>
>> [ Impact ]
>> The CVE provided a PoC to prove arbitrary code execution
>>
>> [ Tests ]
>> I added a test to prove that the bug is fixed (based on the PoC). The test
>> fails with 1.9.1~dfsg-1 and passes with 1.9.1~dfsg-2
>>
>> [ Risks ]
>> The patch is trivial. Note: I also imported the Janitor changes; this
>> breaks nothing
> 
> The patch looks fine, but please upload a version without the janitor
> changes. It's too late for those changes and they can wait for bookworm.
> 
> Cheers

Hi,

Thanks, done in version 1.9.1~dfsg-3

Cheers,
Yadd
diff --git a/debian/changelog b/debian/changelog
index 02cd807..3936261 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,33 @@
+underscore (1.9.1~dfsg-3) unstable; urgency=medium
+
+  * Team upload
+  * Revert Janitor changes as required by release team (#986175)
+
+ -- Yadd   Wed, 31 Mar 2021 14:21:21 +0200
+
+underscore (1.9.1~dfsg-2) unstable; urgency=medium
+
+  * Team upload
+
+  [ Debian Janitor ]
+  * Bump debhelper dependency to >= 9, since that's what is used in
+debian/compat.
+  * Bump debhelper from old 9 to 12.
+  * Set debhelper-compat version in Build-Depends.
+  * Set upstream metadata fields: Bug-Database, Repository, Repository-
+Browse.
+  * Update standards version to 4.4.1, no changes needed.
+  * Set upstream metadata fields: Bug-Submit.
+  * Update standards version to 4.5.0, no changes needed.
+  * Apply multi-arch hints.
++ node-underscore: Add Multi-Arch: foreign.
+
+  [ Yadd ]
+  * Mark autopkgtest as superficial
+  * Fix arbitrary code execution and add a test (Closes: #986171)
+
+ -- Yadd   Tue, 30 Mar 2021 22:40:59 +0200
+
 underscore (1.9.1~dfsg-1) unstable; urgency=medium
 
   [ upstream ]
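Review bot: the -3 entry says only "Revert Janitor changes" while the -2 entry listing those changes stays in the changelog, so name what was reverted (the debhelper-compat 12 switch, Standards-Version 4.5.0, Multi-Arch: foreign) and state that the CVE-2021-23358 patch and its test are kept; the debdiff shows no debian/compat or debian/control hunks, which is consistent with the revert, but a reader of the changelog alone cannot tell which of the -2 items survive into -3.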
diff --git a/debian/patches/CVE-2021-23358.patch 
b/debian/patches/CVE-2021-23358.patch
new file mode 100644
index 000..2ba4118
--- /dev/null
+++ b/debian/patches/CVE-2021-23358.patch
@@ -0,0 +1,62 @@
+Description: fix arbitrary code execution
+Author: Julian Gonggrijp 
+Origin: upstream, https://github.com/jashkenas/underscore/commit/4c73526d
+Bug: https://snyk.io/vuln/SNYK-JS-UNDERSCORE-1080984
+Bug-Debian: https://bugs.debian.org/986171
+Forwarded: not-needed
+Reviewed-By: Xavier Guimard 
+Last-Update: 2021-03-30
+
+--- a/underscore.js
 b/underscore.js
+@@ -1550,6 +1550,13 @@
+ return '\\' + escapes[match];
+   };
+ 
++  // In order to prevent third-party code injection through
++  // `_.templateSettings.variable`, we test it against the following regular
++  // expression. It is intentionally a bit more liberal than just matching 
valid
++  // identifiers, but still prevents possible loopholes through defaults or
++  // destructuring assignment.
++  var bareIdentifier = /^\s*(\w|\$)+\s*$/;
++
+   // JavaScript micro-templating, similar to John Resig's implementation.
+   // Underscore templating handles arbitrary delimiters, preserves whitespace,
+   // and correctly escapes quotes within interpolated code.
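Review bot: `bareIdentifier` is ASCII-only and order-blind: `\w` is `[A-Za-z0-9_]`, so an identifier containing a non-ASCII letter is refused even though it is valid JavaScript, while a digit-first value such as `1abc` passes the check and only fails later inside `new Function` with a SyntaxError. Both are acceptable for an injection guard, since nothing in the permitted set can open a default value, a destructuring pattern, a comma-separated second parameter or a comment, but the `\s*` at either end means surrounding whitespace is accepted and passed through untrimmed; either trim `argument` before use or note in the comment that whitespace is tolerated on purpose.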
+@@ -1585,8 +1592,17 @@
+ });
+ source += "';\n";
+ 
+-// If a variable is not specified, place data values in local scope.
+-if (!settings.variable) source = 'with(obj||{}){\n' + source + '}\n';
++var argument = settings.variable;
++if (argument) {
++  // Insure against third-party code injection.
++  if (!bareIdentifier.test(argument)) throw new Error(
++'variable is not a bare identifier: ' + argument
++  );
++} else {
++  // If a variable is not specified, place data values in local scope.
++  source = 'with(obj||{}){\n' + source + '}\n';
++  argument = 'obj';
++}
+ 
+ source = "var __t,__p='',__j=Array.prototype.join," +
+   "print=function(){__p+=__j.call(arguments,'');};\n" +
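Review bot: the check runs only on the truthy branch, so the `with(obj||{})` fallback is unchanged and an empty-string `variable` still selects it, which is fine; note that `bareIdentifier.test(argument)` coerces a non-string `variable` with String(), and the same coerced string is what `new Function` receives below, so check and use stay consistent. The throw is new public behaviour: `_.template` now raises `variable is not a bare identifier` instead of compiling, so a caller that previously passed something like `obj, extra` breaks, and the changelog or patch header should say so rather than only "fix arbitrary code execution".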
+@@ -1594,7 +1610,7 @@
+ 
+ var render;
+ try {
+-  render = new Function(settings.variable || 'obj', '_', source);
++  render = new Function(argument, '_', source);
+ } catch (e) {
+   e.source = source;
+   throw e;
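Review bot: `argument` is now always a validated identifier or `obj`, but `source` is untouched, so this hunk does not (and is not meant to) protect against untrusted template text: `<% %>` blocks and the other templateSettings regexes still reach `new Function` as code by design. The header's "fix arbitrary code execution" should therefore be read as "via `_.templateSettings.variable`"; adding that qualifier to the Description line keeps the security tracker from overstating the scope.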
+@@ -1605,7 +1621,6 @@
+ };
+ 
+ // Provide the compiled source as a convenience for precompilation.
+-var argument = settings.variable || 'obj';
+ template.source = 'function(' + argument + '){\n' + source + '}';
+ 
+ return template;
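Review bot: dropping this `var argument` is required, not cosmetic: the earlier hunk declares `var argument` in the same function scope, and although `var` hoisting would keep `template.source` correct with both present, the duplicate declaration would trip linters. The two hunks must land together, which the single patch file guarantees, and `template.source` now embeds the validated name, so precompiled output can no longer carry an injected parameter either.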
diff --git a/debian/patches/series b/debian/patches/series
index da362d2..7ddac86 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1 +1,2 @@
 2001_docs_privacy.patch
+CVE-2021-23358.patch
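Review bot: the new file name does not follow the numeric-prefix convention of the existing `2001_docs_privacy.patch`; keeping the CVE identifier in the name is useful because it is what the security tracker searches for, but pick one scheme for the series rather than mixing both.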
diff --git a/debian/tests/CVE-2021-23358 b/debian/tests/CVE-2021-23358
new file mode 100755
index 000..a2ae590
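Review bot: `debian/tests/CVE-2021-23358` is added as mode 100755 but its content is cut off in this debdiff, and no `debian/tests/control` change is visible here; confirm the script is registered there (or via a Test-Command) and that it loads the installed `underscore` rather than the source tree, otherwise the [ Tests ] claim that it fails on -1 and passes on -2 cannot be reproduced by the autopkgtest infrastructure.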

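The regression test described under [ Tests ] (debian/tests/CVE-2021-23358) is cut off in the debdiff above, so here is an added example of the behaviour it has to distinguish. This is not the Debian test script and not underscore's own code: it reimplements only the `new Function(argument, '_', source)` step that the patch touches, reusing the upstream `bareIdentifier` regex, so the pre-fix and post-fix handling of `settings.variable` can be exercised without node-underscore installed. `compileTemplate`, `classify`, `runBefore`, `runAfter` and the `globalThis.__injected` marker payload are constructed for this illustration and are not the CVE's published PoC.

```javascript
// Added example: a minimal stand-in for the part of _.template that
// CVE-2021-23358 concerns. Not underscore's code, not the Debian test.

// Same regular expression the upstream fix (commit 4c73526d) introduces.
const bareIdentifier = /^\s*(\w|\$)+\s*$/;

// Escape template text for embedding in a single-quoted JS string literal.
const escapes = { "'": "'", '\\': '\\', '\r': 'r', '\n': 'n', '\u2028': 'u2028', '\u2029': 'u2029' };
const escapeLiteral = (s) => s.replace(/\\|'|\r|\n|\u2028|\u2029/g, (m) => '\\' + escapes[m]);

// Compile a template supporting only <%= expr %> interpolation, built with
// new Function the way underscore does. `hardened` selects the pre-fix
// (false) or post-fix (true) handling of settings.variable.
function compileTemplate(text, settings = {}, hardened = true) {
  let source = "__p+='";
  let index = 0;
  for (const m of text.matchAll(/<%=([\s\S]+?)%>/g)) {
    source += escapeLiteral(text.slice(index, m.index));
    source += "'+\n((__t=(" + m[1] + "))==null?'':__t)+\n'";
    index = m.index + m[0].length;
  }
  source += escapeLiteral(text.slice(index)) + "';\n";

  let argument = settings.variable;
  if (argument) {
    // Post-fix: the variable name becomes a function parameter, so anything
    // beyond a bare identifier (a default value, a destructuring pattern,
    // a second parameter) would be compiled as code. Refuse it.
    if (hardened && !bareIdentifier.test(argument)) {
      throw new Error('variable is not a bare identifier: ' + argument);
    }
  } else {
    // Unchanged by the patch: expose data properties through `with`.
    source = 'with(obj||{}){\n' + source + '}\n';
    argument = 'obj';
  }
  source = "var __t,__p='';\n" + source + 'return __p;\n';
  const render = new Function(argument, '_', source);
  return (data) => render(data, null);
}

// Constructed payload of the kind the patch comment calls a "default"
// loophole: the parameter's default value is arbitrary JS that runs whenever
// the template is rendered without data. It only sets a marker here.
const INJECTED_VARIABLE = 'obj = (globalThis.__injected = true, {})';

// Pre-fix behaviour: rendering the template sets the marker.
function runBefore() {
  delete globalThis.__injected;
  const tpl = compileTemplate('hi <%= obj.name %>', { variable: INJECTED_VARIABLE }, false);
  const output = tpl();
  return { output, injected: globalThis.__injected === true };
}

// Post-fix behaviour: compilation is refused before new Function sees it.
function runAfter() {
  delete globalThis.__injected;
  try {
    compileTemplate('hi <%= obj.name %>', { variable: INJECTED_VARIABLE }, true);
    return 'compiled';
  } catch (e) {
    return globalThis.__injected ? 'injected' : e.message;
  }
}

// Where a given `variable` value is stopped: by the regex, by the JS parser
// (the regex is deliberately looser than the identifier grammar), or not at all.
function classify(variable) {
  if (!bareIdentifier.test(variable)) return 'rejected-by-check';
  try {
    new Function(variable, '_', 'return 1;');
    return 'accepted';
  } catch (e) {
    return e instanceof SyntaxError ? 'syntax-error' : 'other-error';
  }
}
```

`classify` makes the regex's two edges visible: `1abc` passes the check and is only stopped by the parser, and a name with a non-ASCII letter is refused although it is a valid identifier; neither lets code through, which is the property the check needs.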
Bug#986175: unblock: underscore/1.9.1~dfsg-2

2021-03-31 Thread Sebastian Ramacher
Control: tags -1 moreinfo

On 2021-03-30 22:49:43, Yadd wrote:
> Package: release.debian.org
> Severity: normal
> User: release.debian@packages.debian.org
> Usertags: unblock
> X-Debbugs-Cc: pkg-javascript-de...@lists.alioth.debian.org
> 
> Please unblock package underscore
> 
> [ Reason ]
> underscore is vulnerable to arbitrary code execution (#986171,
> CVE-2021-23358)
> 
> [ Impact ]
> The CVE provided a PoC to prove arbitrary code execution
> 
> [ Tests ]
> I added a test to prove that the bug is fixed (based on the PoC). The test
> fails with 1.9.1~dfsg-1 and passes with 1.9.1~dfsg-2
> 
> [ Risks ]
> The patch is trivial. Note: I also imported the Janitor changes; this
> breaks nothing

The patch looks fine, but please upload a version without the janitor
changes. It's too late for those changes and they can wait for bookworm.

Cheers

> 
> [ Checklist ]
>   [X] all changes are documented in the d/changelog
>   [X] I reviewed all changes and I approve them
>   [X] attach debdiff against the package in testing
> 
> [ Other ]
> I downgraded autopkgtest to "superficial" since nothing was really tested
> (just a node "require"). That's why I'm filing this ;-)
> 
> Regards,
> Yadd
> 
> unblock underscore/1.9.1~dfsg-2

Bug#986175: unblock: underscore/1.9.1~dfsg-2

2021-03-30 Thread Yadd
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: pkg-javascript-de...@lists.alioth.debian.org

Please unblock package underscore

[ Reason ]
underscore is vulnerable to arbitrary code execution (#986171,
CVE-2021-23358)

[ Impact ]
The CVE provided a PoC to prove arbitrary code execution

[ Tests ]
I added a test to prove that the bug is fixed (based on the PoC). The test
fails with 1.9.1~dfsg-1 and passes with 1.9.1~dfsg-2

[ Risks ]
The patch is trivial. Note: I also imported the Janitor changes; this
breaks nothing

[ Checklist ]
  [X] all changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in testing

[ Other ]
I downgraded autopkgtest to "superficial" since nothing was really tested
(just a node "require"). That's why I'm filing this ;-)

Regards,
Yadd

unblock underscore/1.9.1~dfsg-2
diff --git a/debian/changelog b/debian/changelog
index 02cd807..fed9aa8 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,26 @@
+underscore (1.9.1~dfsg-2) unstable; urgency=medium
+
+  * Team upload
+
+  [ Debian Janitor ]
+  * Bump debhelper dependency to >= 9, since that's what is used in
+debian/compat.
+  * Bump debhelper from old 9 to 12.
+  * Set debhelper-compat version in Build-Depends.
+  * Set upstream metadata fields: Bug-Database, Repository, Repository-
+Browse.
+  * Update standards version to 4.4.1, no changes needed.
+  * Set upstream metadata fields: Bug-Submit.
+  * Update standards version to 4.5.0, no changes needed.
+  * Apply multi-arch hints.
++ node-underscore: Add Multi-Arch: foreign.
+
+  [ Yadd ]
+  * Mark autopkgtest as superficial
+  * Fix arbitrary code execution and add a test (Closes: #986171)
+
+ -- Yadd   Tue, 30 Mar 2021 22:40:59 +0200
+
 underscore (1.9.1~dfsg-1) unstable; urgency=medium
 
   [ upstream ]
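Review bot: mixing the Janitor items and the security fix in one changelog entry makes the debdiff against testing larger than the unblock needs; during a freeze a CVE fix is best uploaded on its own (urgency=high is customary for it) so the release team reviews only the patch and the test, and the packaging modernisation can follow after the release.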
diff --git a/debian/compat b/debian/compat
deleted file mode 100644
index ec63514..000
--- a/debian/compat
+++ /dev/null
@@ -1 +0,0 @@
-9
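Review bot: deleting debian/compat and moving the level into `debhelper-compat (= 12)` in debian/control is a packaging-policy change with no bearing on CVE-2021-23358; it changes the build toolchain behaviour and belongs in a separate upload outside the freeze rather than in the security debdiff.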
diff --git a/debian/control b/debian/control
index cb1e7e9..fc1d26b 100644
--- a/debian/control
+++ b/debian/control
@@ -7,11 +7,11 @@ Uploaders:
  David Paleino ,
 Build-Depends:
  brotli,
- debhelper,
+ debhelper-compat (= 12),
  node-source-map,
  pigz,
  uglifyjs (>= 3),
-Standards-Version: 4.3.0
+Standards-Version: 4.5.0
 Homepage: https://underscorejs.org/
 Vcs-Browser: https://salsa.debian.org/js-team/underscore
 Vcs-Git: https://salsa.debian.org/js-team/underscore.git
@@ -44,6 +44,7 @@ Depends:
  libjs-underscore,
  nodejs,
  ${misc:Depends},
+Multi-Arch: foreign
 Description: JavaScript's functional programming helper library - NodeJS
  Underscore is a utility-belt library for JavaScript that provides a lot
  of the functional programming support that you would expect in
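Review bot: `Multi-Arch: foreign` is only correct when the package's interface is architecture-independent, and this hunk does not show node-underscore's Architecture field, so verify that before applying the hint; in any case it is unrelated to the CVE fix and adds review surface to an unblock request that should carry only the patch.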
diff --git a/debian/patches/CVE-2021-23358.patch 
b/debian/patches/CVE-2021-23358.patch
new file mode 100644
index 000..2ba4118
--- /dev/null
+++ b/debian/patches/CVE-2021-23358.patch
@@ -0,0 +1,62 @@
+Description: fix arbitrary code execution
+Author: Julian Gonggrijp 
+Origin: upstream, https://github.com/jashkenas/underscore/commit/4c73526d
+Bug: https://snyk.io/vuln/SNYK-JS-UNDERSCORE-1080984
+Bug-Debian: https://bugs.debian.org/986171
+Forwarded: not-needed
+Reviewed-By: Xavier Guimard 
+Last-Update: 2021-03-30
+
+--- a/underscore.js
 b/underscore.js
+@@ -1550,6 +1550,13 @@
+ return '\\' + escapes[match];
+   };
+ 
++  // In order to prevent third-party code injection through
++  // `_.templateSettings.variable`, we test it against the following regular
++  // expression. It is intentionally a bit more liberal than just matching 
valid
++  // identifiers, but still prevents possible loopholes through defaults or
++  // destructuring assignment.
++  var bareIdentifier = /^\s*(\w|\$)+\s*$/;
++
+   // JavaScript micro-templating, similar to John Resig's implementation.
+   // Underscore templating handles arbitrary delimiters, preserves whitespace,
+   // and correctly escapes quotes within interpolated code.
+@@ -1585,8 +1592,17 @@
+ });
+ source += "';\n";
+ 
+-// If a variable is not specified, place data values in local scope.
+-if (!settings.variable) source = 'with(obj||{}){\n' + source + '}\n';
++var argument = settings.variable;
++if (argument) {
++  // Insure against third-party code injection.
++  if (!bareIdentifier.test(argument)) throw new Error(
++'variable is not a bare identifier: ' + argument
++  );
++} else {
++  // If a variable is not specified, place data values in local scope.
++  source = 'with(obj||{}){\n' + source + '}\n';
++  argument = 'obj';
++}
+ 
+ source = "var __t,__p='',__j=Array.prototype.join," +
+   "print=function(){__p+=__j.call(arguments,'');};\n" +
+@@ -1594,7 +1610,7 @@
+ 
+ var render;
+ try {
+-  render = new Function(settings.variable || 'obj', '_', source);
++  render = new