Processed: Re: Bug#1023798: Update to fix also CVE-2022-37599

2022-11-23 Thread Debian Bug Tracking System 
Processing control commands:

> tags -1 + confirmed
Bug #1023798 [release.debian.org] bullseye-pu: package 
node-loader-utils/2.0.0-1+deb11u1
Added tag(s) confirmed.

-- 
1023798: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1023798
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Bug#1023798: Update to fix also CVE-2022-37599

2022-11-23 Thread Adam D. Barratt 
Control: tags -1 + confirmed

On Mon, 2022-11-14 at 11:05 +0100, Yadd wrote:
> On 14/11/2022 11:01, Yadd wrote:
> > Hi,
> > 
> > here is another update to fix CVE-2022-37599 (trivial patch).
> > 
> > Cheers,
> > Yadd
> 
> This fix also CVE-2022-37603 (duplicate of CVE-2022-37599)

Please go ahead.

Regards,

Adam

Bug#1023798: Update to fix also CVE-2022-37599

2022-11-14 Thread Yadd 

On 14/11/2022 11:01, Yadd wrote:

Hi,

here is another update to fix CVE-2022-37599 (trivial patch).

Cheers,
Yadd


This fix also CVE-2022-37603 (duplicate of CVE-2022-37599)diff --git a/debian/changelog b/debian/changelog
index 7d05292..aace5b2 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+node-loader-utils (2.0.0-1+deb11u1) bullseye; urgency=medium
+
+  * Team upload
+  * Fix prototype pollution (Closes: CVE-2022-37601)
+  * Fix ReDos (Closes: CVE-2022-37599, CVE-2022-37603)
+
+ -- Yadd   Mon, 14 Nov 2022 10:58:58 +0100
+
 node-loader-utils (2.0.0-1) unstable; urgency=medium
 
   * Team upload
diff --git a/debian/patches/CVE-2022-37599.patch 
b/debian/patches/CVE-2022-37599.patch
new file mode 100644
index 000..d094c30
--- /dev/null
+++ b/debian/patches/CVE-2022-37599.patch
@@ -0,0 +1,19 @@
+Description: fix ReDoS
+Author: Alexander Akait <4567934+alexander-ak...@users.noreply.github.com>
+Origin: upstream, https://github.com/webpack/loader-utils/commit/ac09944d
+Bug: https://github.com/webpack/loader-utils/issues/211
+Forwarded: not-needed
+Reviewed-By: Yadd 
+Last-Update: 2022-11-14
+
+--- a/lib/interpolateName.js
 b/lib/interpolateName.js
+@@ -108,7 +108,7 @@
+   // `hash` and `contenthash` are same in `loader-utils` context
+   // let's keep `hash` for backward compatibility
+   .replace(
+-
/\[(?:([^:\]]+):)?(?:hash|contenthash)(?::([a-z]+\d*))?(?::(\d+))?\]/gi,
++
/\[(?:([^[:\]]+):)?(?:hash|contenthash)(?::([a-z]+\d*))?(?::(\d+))?\]/gi,
+ (all, hashType, digestType, maxLength) =>
+   getHashDigest(content, hashType, digestType, parseInt(maxLength, 
10))
+   )
diff --git a/debian/patches/CVE-2022-37601.patch 
b/debian/patches/CVE-2022-37601.patch
new file mode 100644
index 000..12eaad6
--- /dev/null
+++ b/debian/patches/CVE-2022-37601.patch
@@ -0,0 +1,18 @@
+Description: fix prototype pollution
+Author: Mike Cebrian 
+Origin: upstream, https://github.com/webpack/loader-utils/commit/a93cf6f4
+Forwarded: not-needed
+Reviewed-By: Yadd 
+Last-Update: 2022-11-10
+
+--- node-loader-utils-2.0.0.orig/lib/parseQuery.js
 node-loader-utils-2.0.0/lib/parseQuery.js
+@@ -26,7 +26,7 @@ function parseQuery(query) {
+   }
+ 
+   const queryArgs = query.split(/[,&]/g);
+-  const result = {};
++  const result = Object.create(null);
+ 
+   queryArgs.forEach((arg) => {
+ const idx = arg.indexOf('=');
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 000..5566245
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1,2 @@
+CVE-2022-37601.patch
+CVE-2022-37599.patch

Bug#1023798: Update to fix also CVE-2022-37599

2022-11-14 Thread Yadd 

Hi,

here is another update to fix CVE-2022-37599 (trivial patch).

Cheers,
Yadddiff --git a/debian/changelog b/debian/changelog
index 7d05292..5ba6d13 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+node-loader-utils (2.0.0-1+deb11u1) bullseye; urgency=medium
+
+  * Team upload
+  * Fix prototype pollution (Closes: CVE-2022-37601)
+  * Fix ReDos (Closes: CVE-2022-37599)
+
+ -- Yadd   Mon, 14 Nov 2022 10:58:58 +0100
+
 node-loader-utils (2.0.0-1) unstable; urgency=medium
 
   * Team upload
diff --git a/debian/patches/CVE-2022-37599.patch 
b/debian/patches/CVE-2022-37599.patch
new file mode 100644
index 000..d094c30
--- /dev/null
+++ b/debian/patches/CVE-2022-37599.patch
@@ -0,0 +1,19 @@
+Description: fix ReDoS
+Author: Alexander Akait <4567934+alexander-ak...@users.noreply.github.com>
+Origin: upstream, https://github.com/webpack/loader-utils/commit/ac09944d
+Bug: https://github.com/webpack/loader-utils/issues/211
+Forwarded: not-needed
+Reviewed-By: Yadd 
+Last-Update: 2022-11-14
+
+--- a/lib/interpolateName.js
 b/lib/interpolateName.js
+@@ -108,7 +108,7 @@
+   // `hash` and `contenthash` are same in `loader-utils` context
+   // let's keep `hash` for backward compatibility
+   .replace(
+-
/\[(?:([^:\]]+):)?(?:hash|contenthash)(?::([a-z]+\d*))?(?::(\d+))?\]/gi,
++
/\[(?:([^[:\]]+):)?(?:hash|contenthash)(?::([a-z]+\d*))?(?::(\d+))?\]/gi,
+ (all, hashType, digestType, maxLength) =>
+   getHashDigest(content, hashType, digestType, parseInt(maxLength, 
10))
+   )
diff --git a/debian/patches/CVE-2022-37601.patch 
b/debian/patches/CVE-2022-37601.patch
new file mode 100644
index 000..12eaad6
--- /dev/null
+++ b/debian/patches/CVE-2022-37601.patch
@@ -0,0 +1,18 @@
+Description: fix prototype pollution
+Author: Mike Cebrian 
+Origin: upstream, https://github.com/webpack/loader-utils/commit/a93cf6f4
+Forwarded: not-needed
+Reviewed-By: Yadd 
+Last-Update: 2022-11-10
+
+--- node-loader-utils-2.0.0.orig/lib/parseQuery.js
 node-loader-utils-2.0.0/lib/parseQuery.js
+@@ -26,7 +26,7 @@ function parseQuery(query) {
+   }
+ 
+   const queryArgs = query.split(/[,&]/g);
+-  const result = {};
++  const result = Object.create(null);
+ 
+   queryArgs.forEach((arg) => {
+ const idx = arg.indexOf('=');
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 000..5566245
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1,2 @@
+CVE-2022-37601.patch
+CVE-2022-37599.patch