Processed: Re: Bug#1023798: Update to fix also CVE-2022-37599
Processing control commands:

> tags -1 + confirmed
Bug #1023798 [release.debian.org] bullseye-pu: package node-loader-utils/2.0.0-1+deb11u1
Added tag(s) confirmed.

-- 
1023798: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1023798
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
Bug#1023798: Update to fix also CVE-2022-37599
Control: tags -1 + confirmed

On Mon, 2022-11-14 at 11:05 +0100, Yadd wrote:
> On 14/11/2022 11:01, Yadd wrote:
> > Hi,
> >
> > here is another update to fix CVE-2022-37599 (trivial patch).
> >
> > Cheers,
> > Yadd
>
> This fix also CVE-2022-37603 (duplicate of CVE-2022-37599)

Please go ahead.

Regards,

Adam
Bug#1023798: Update to fix also CVE-2022-37599
On 14/11/2022 11:01, Yadd wrote: Hi, here is another update to fix CVE-2022-37599 (trivial patch). Cheers, Yadd This fix also CVE-2022-37603 (duplicate of CVE-2022-37599)diff --git a/debian/changelog b/debian/changelog index 7d05292..aace5b2 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,11 @@ +node-loader-utils (2.0.0-1+deb11u1) bullseye; urgency=medium + + * Team upload + * Fix prototype pollution (Closes: CVE-2022-37601) + * Fix ReDos (Closes: CVE-2022-37599, CVE-2022-37603) + + -- Yadd Mon, 14 Nov 2022 10:58:58 +0100 + node-loader-utils (2.0.0-1) unstable; urgency=medium * Team upload diff --git a/debian/patches/CVE-2022-37599.patch b/debian/patches/CVE-2022-37599.patch new file mode 100644 index 000..d094c30 --- /dev/null +++ b/debian/patches/CVE-2022-37599.patch @@ -0,0 +1,19 @@ +Description: fix ReDoS +Author: Alexander Akait <4567934+alexander-ak...@users.noreply.github.com> +Origin: upstream, https://github.com/webpack/loader-utils/commit/ac09944d +Bug: https://github.com/webpack/loader-utils/issues/211 +Forwarded: not-needed +Reviewed-By: Yadd +Last-Update: 2022-11-14 + +--- a/lib/interpolateName.js b/lib/interpolateName.js +@@ -108,7 +108,7 @@ + // `hash` and `contenthash` are same in `loader-utils` context + // let's keep `hash` for backward compatibility + .replace( +- /\[(?:([^:\]]+):)?(?:hash|contenthash)(?::([a-z]+\d*))?(?::(\d+))?\]/gi, ++ /\[(?:([^[:\]]+):)?(?:hash|contenthash)(?::([a-z]+\d*))?(?::(\d+))?\]/gi, + (all, hashType, digestType, maxLength) => + getHashDigest(content, hashType, digestType, parseInt(maxLength, 10)) + ) diff --git a/debian/patches/CVE-2022-37601.patch b/debian/patches/CVE-2022-37601.patch new file mode 100644 index 000..12eaad6 --- /dev/null +++ b/debian/patches/CVE-2022-37601.patch 
@@ -0,0 +1,18 @@ +Description: fix prototype pollution +Author: Mike Cebrian +Origin: upstream, https://github.com/webpack/loader-utils/commit/a93cf6f4 +Forwarded: not-needed +Reviewed-By: Yadd +Last-Update: 2022-11-10 + +--- node-loader-utils-2.0.0.orig/lib/parseQuery.js node-loader-utils-2.0.0/lib/parseQuery.js +@@ -26,7 +26,7 @@ function parseQuery(query) { + } + + const queryArgs = query.split(/[,&]/g); +- const result = {}; ++ const result = Object.create(null); + + queryArgs.forEach((arg) => { + const idx = arg.indexOf('='); diff --git a/debian/patches/series b/debian/patches/series new file mode 100644 index 000..5566245 --- /dev/null +++ b/debian/patches/series @@ -0,0 +1,2 @@ +CVE-2022-37601.patch +CVE-2022-37599.patch
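Review bot: In the debian/changelog hunk, `Closes: CVE-2022-37601` and `Closes: CVE-2022-37599, CVE-2022-37603` put CVE identifiers where the changelog convention expects Debian bug numbers (`Closes: #NNNNNN`), so these entries will not close anything in the BTS. Suggest listing the CVE ids in plain parentheses, for example `* Fix ReDoS (CVE-2022-37599, CVE-2022-37603)`, and keeping `Closes:` for real Debian bug numbers only; that would also align the spelling `ReDos` with the `ReDoS` used in the patch description.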
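Review bot: The regex change at the `.replace(` call in lib/interpolateName.js comes without a regression test. The only difference is that `[` joins the excluded set of the first capture group (`[^:\]]+` becomes `[^[:\]]+`); suggest adding a test, in the package's test suite or as an autopkgtest, that bounds the run time of this replace on a long name template and confirms that ordinary hash placeholders with a hash type, digest type and length still interpolate as before.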
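Review bot: In the lib/parseQuery.js hunk, `const result = Object.create(null);` changes the kind of object `parseQuery` builds: it no longer inherits from `Object.prototype`, so any code that receives it and calls `result.hasOwnProperty(...)` or relies on an inherited `toString` will throw. For a stable update, suggest stating in the request whether the reverse dependencies in bullseye were checked for such calls; affected callers would need `Object.prototype.hasOwnProperty.call(result, key)` instead.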
Bug#1023798: Update to fix also CVE-2022-37599
Hi, here is another update to fix CVE-2022-37599 (trivial patch). Cheers, Yadddiff --git a/debian/changelog b/debian/changelog index 7d05292..5ba6d13 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,11 @@ +node-loader-utils (2.0.0-1+deb11u1) bullseye; urgency=medium + + * Team upload + * Fix prototype pollution (Closes: CVE-2022-37601) + * Fix ReDos (Closes: CVE-2022-37599) + + -- Yadd Mon, 14 Nov 2022 10:58:58 +0100 + node-loader-utils (2.0.0-1) unstable; urgency=medium * Team upload diff --git a/debian/patches/CVE-2022-37599.patch b/debian/patches/CVE-2022-37599.patch new file mode 100644 index 000..d094c30 --- /dev/null +++ b/debian/patches/CVE-2022-37599.patch @@ -0,0 +1,19 @@ +Description: fix ReDoS +Author: Alexander Akait <4567934+alexander-ak...@users.noreply.github.com> +Origin: upstream, https://github.com/webpack/loader-utils/commit/ac09944d +Bug: https://github.com/webpack/loader-utils/issues/211 +Forwarded: not-needed +Reviewed-By: Yadd +Last-Update: 2022-11-14 + +--- a/lib/interpolateName.js b/lib/interpolateName.js +@@ -108,7 +108,7 @@ + // `hash` and `contenthash` are same in `loader-utils` context + // let's keep `hash` for backward compatibility + .replace( +- /\[(?:([^:\]]+):)?(?:hash|contenthash)(?::([a-z]+\d*))?(?::(\d+))?\]/gi, ++ /\[(?:([^[:\]]+):)?(?:hash|contenthash)(?::([a-z]+\d*))?(?::(\d+))?\]/gi, + (all, hashType, digestType, maxLength) => + getHashDigest(content, hashType, digestType, parseInt(maxLength, 10)) + ) diff --git a/debian/patches/CVE-2022-37601.patch b/debian/patches/CVE-2022-37601.patch new file mode 100644 index 000..12eaad6 --- /dev/null +++ b/debian/patches/CVE-2022-37601.patch 
@@ -0,0 +1,18 @@ +Description: fix prototype pollution +Author: Mike Cebrian +Origin: upstream, https://github.com/webpack/loader-utils/commit/a93cf6f4 +Forwarded: not-needed +Reviewed-By: Yadd +Last-Update: 2022-11-10 + +--- node-loader-utils-2.0.0.orig/lib/parseQuery.js node-loader-utils-2.0.0/lib/parseQuery.js +@@ -26,7 +26,7 @@ function parseQuery(query) { + } + + const queryArgs = query.split(/[,&]/g); +- const result = {}; ++ const result = Object.create(null); + + queryArgs.forEach((arg) => { + const idx = arg.indexOf('='); diff --git a/debian/patches/series b/debian/patches/series new file mode 100644 index 000..5566245 --- /dev/null +++ b/debian/patches/series @@ -0,0 +1,2 @@ +CVE-2022-37601.patch +CVE-2022-37599.patch
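Review bot: The DEP-3 header of debian/patches/CVE-2022-37601.patch has no `Bug:` field, while CVE-2022-37599.patch carries one, and the two patches use different path prefixes (`node-loader-utils-2.0.0.orig/...` versus `a/...`). Suggest adding the upstream issue or advisory reference to the CVE-2022-37601 header if one exists and regenerating both patches in the same format, so the series stays uniform.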