Bug#1032994: unblock: node-webpack/5.76.1+dfsg1+~cs17.16.16-1
On 6/1/23 13:44, Paul Gevers wrote:
> control: tags -1 moreinfo
>
> Hi Yadd,
>
> On 29-05-2023 05:58, Yadd wrote:
>> On 5/28/23 10:29, Graham Inggs wrote:
>>> On Wed, 3 May 2023 at 04:51, Yadd wrote:
>>>> How about reverting and providing a fix only for that CVE please?
>>
>> instead of reverting and having a too long version
>> (5.76.1+dfsg1+~cs17.16.16+really-5.75.0+dfsg+~cs17.16.14-1), if
>> uploading to bookworm is allowed, I'm able to push this debdiff.
>
> Please upload this debdiff to unstable ASAP. I'm not aware of
> limitations for the version number that you would trigger with that.
> tpu is not meant for this purpose (it doesn't have any QA). Mind you,
> the closing window for uploads was last weekend, so we're extremely
> late. Otherwise we'll have to do this via the security archive or a
> point release update.
>
> Paul

Hi,

I can't upload this debdiff to unstable because the version in unstable
is 5.76.1+dfsg1+~cs17.16.16-1.

If we can't upload to bookworm without using unstable, let's wait for
Debian 12.1. Otherwise, the version would be:
- 5.76.1+dfsg1+~cs17.16.16+really-5.75.0+dfsg+~cs17.16.14-1
and then later fixes will look like
- 5.76.1+dfsg1+~cs17.16.16+really-5.75.0+dfsg+~cs17.16.14-1+deb12u1

I don't want to be the author of such a version.
Processed: Re: Bug#1032994: unblock: node-webpack/5.76.1+dfsg1+~cs17.16.16-1
Processing control commands:

> tags -1 moreinfo
Bug #1032994 [release.debian.org] bookworm-pu: package node-webpack/5.75.0+dfsg+~cs17.16.14-1+deb12u1
Added tag(s) moreinfo.

--
1032994: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1032994
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
Bug#1032994: unblock: node-webpack/5.76.1+dfsg1+~cs17.16.16-1
control: tags -1 moreinfo

Hi Yadd,

On 29-05-2023 05:58, Yadd wrote:
> On 5/28/23 10:29, Graham Inggs wrote:
>> On Wed, 3 May 2023 at 04:51, Yadd wrote:
>>> How about reverting and providing a fix only for that CVE please?
>
> instead of reverting and having a too long version
> (5.76.1+dfsg1+~cs17.16.16+really-5.75.0+dfsg+~cs17.16.14-1), if
> uploading to bookworm is allowed, I'm able to push this debdiff.

Please upload this debdiff to unstable ASAP. I'm not aware of limitations
for the version number that you would trigger with that. tpu is not meant
for this purpose (it doesn't have any QA). Mind you, the closing window
for uploads was last weekend, so we're extremely late. Otherwise we'll
have to do this via the security archive or a point release update.

Paul
Bug#1032994: unblock: node-webpack/5.76.1+dfsg1+~cs17.16.16-1
On 5/28/23 10:29, Graham Inggs wrote:
> tags -1 + moreinfo
>
> Hi Yadd
>
> On Wed, 3 May 2023 at 04:51, Yadd wrote:
>> here is the current debdiff (without the big removal of useless
>> discoveryjs-json-ext/benchmarks)
>
> I removed the moreinfo tag before realizing this is exactly the same as
> the first debdiff.
>
> You seem to have missed this comment:
>
> On Wed, 15 Mar 2023 at 22:15, Paul Gevers wrote:
>> This doesn't look like a targeted fix, but rather seems to include much
>> more.
>>
>> How about reverting and providing a fix only for that CVE please?

Hi,

instead of reverting and having a too long version
(5.76.1+dfsg1+~cs17.16.16+really-5.75.0+dfsg+~cs17.16.14-1), if uploading
to bookworm is allowed, I'm able to push this debdiff.

Cheers,
Yadd
diff --git a/debian/changelog b/debian/changelog index 0053d7ee..a07dd9d4 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +node-webpack (5.75.0+dfsg+~cs17.16.14-1+deb12u1) bookworm; urgency=medium + + * Team upload + * Avoid cross-realm objects (Closes: #1032904, CVE-2023-28154) + + -- Yadd Mon, 29 May 2023 07:53:16 +0400 + node-webpack (5.75.0+dfsg+~cs17.16.14-1) unstable; urgency=medium * Team upload diff --git a/debian/patches/CVE-2023-28154.patch b/debian/patches/CVE-2023-28154.patch new file mode 100644 index ..2f651167 --- /dev/null +++ b/debian/patches/CVE-2023-28154.patch
@@ -0,0 +1,80 @@ +Description: avoid cross-realm objects +Author: Jack Works +Origin: upstream, https://github.com/webpack/webpack/commit/4b4ca3bb +Bug: https://www.cve.org/CVERecord?id=CVE-2023-28154 +Bug-Debian: https://bugs.debian.org/1032904 +Forwarded: not-needed +Applied-Upstream: 5.76.1, commit:4b4ca3bb +Reviewed-By: Yadd +Last-Update: 2023-05-29 + +--- a/lib/dependencies/ImportParserPlugin.js b/lib/dependencies/ImportParserPlugin.js +@@ -137,7 +137,7 @@ + if (importOptions.webpackInclude !== undefined) { + if ( + !importOptions.webpackInclude || +- importOptions.webpackInclude.constructor.name !== "RegExp" ++ !(importOptions.webpackInclude instanceof RegExp) + ) { + parser.state.module.addWarning( + new UnsupportedFeatureWarning( +@@ -146,13 +146,13 @@ + ) + ); + } else { +- include = new RegExp(importOptions.webpackInclude); ++ include = importOptions.webpackInclude; + } + } + if (importOptions.webpackExclude !== undefined) { + if ( + !importOptions.webpackExclude || +- importOptions.webpackExclude.constructor.name !== "RegExp" ++ !(importOptions.webpackExclude instanceof RegExp) + ) { + parser.state.module.addWarning( + new UnsupportedFeatureWarning( +@@ -161,7 +161,7 @@ + ) + ); + } else { +- exclude = new RegExp(importOptions.webpackExclude); ++ exclude = importOptions.webpackExclude; + } + } + if (importOptions.webpackExports !== undefined) { +--- a/lib/javascript/JavascriptParser.js b/lib/javascript/JavascriptParser.js +@@ -3635,17 +3635,27 @@ + return EMPTY_COMMENT_OPTIONS; + } + let options = {}; ++ /** @type {unknown[]} */ + let errors = []; + for (const comment of comments) { + const { value } = comment; + if (value && webpackCommentRegExp.test(value)) { + // try compile only if webpack options comment is present + try { +- const val = vm.runInNewContext(`(function(){return {${value}};})()`); +- Object.assign(options, val); ++ for (let [key, val] of Object.entries( ++
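Review bot: the debian/changelog hunk targets `bookworm` with a `+deb12u1` revision although the bug is still filed as an unblock for the testing migration; Paul's reply in this thread says tpu has no QA and that the change has to go through unstable now or, after release, via the security archive or a point release, so the distribution field (and with it the version suffix) should be settled with the release team before this is uploaded anywhere. The entry itself is in order: it names CVE-2023-28154 and closes #1032904.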
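Review bot: in the ImportParserPlugin.js hunks at @@ -137 and @@ -146 (and the mirror for webpackExclude at @@ -161) the two edits are coupled and only safe together: switching from `importOptions.webpackInclude.constructor.name !== "RegExp"` to `!(importOptions.webpackInclude instanceof RegExp)` closes the spoofable name check, but dropping the `new RegExp(importOptions.webpackInclude)` rewrap in favour of `include = importOptions.webpackInclude;` means the option object is now used as-is. A RegExp that still lives in the `vm.runInNewContext` realm fails `instanceof RegExp` and would be turned into an UnsupportedFeatureWarning instead of being applied, so this file relies on JavascriptParser.js already having rebuilt the value in the parser's own realm; please keep both files in one patch and add a magic-comment regexp case to the autopkgtest so a partial backport cannot silently drop every webpackInclude/webpackExclude filter.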
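Review bot: the JavascriptParser.js hunk at @@ -3635 breaks off at `for (let [key, val] of Object.entries(`, so the code that replaces `Object.assign(options, val)`, the line that copied values straight out of the new context into `options` and is the actual cross-realm sink, is not visible and cannot be reviewed from this message. The file header says the patch is 80 lines (`@@ -0,0 +1,80 @@`) and the DEP-3 header points at upstream commit 4b4ca3bb; please attach the complete CVE-2023-28154.patch, or the debdiff as a file rather than inline, so the per-key conversion can be compared against upstream.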
Bug#1032994: unblock: node-webpack/5.76.1+dfsg1+~cs17.16.16-1
tags -1 + moreinfo

Hi Yadd

On Wed, 3 May 2023 at 04:51, Yadd wrote:
> here is the current debdiff (without the big removal of useless
> discoveryjs-json-ext/benchmarks)

I removed the moreinfo tag before realizing this is exactly the same as
the first debdiff.

You seem to have missed this comment:

On Wed, 15 Mar 2023 at 22:15, Paul Gevers wrote:
> This doesn't look like a targeted fix, but rather seems to include much
> more.
>
> How about reverting and providing a fix only for that CVE please?

Regards
Graham
Bug#1032994: unblock: node-webpack/5.76.1+dfsg1+~cs17.16.16-1
On 5/2/23 23:26, Paul Gevers wrote:
> Hi Yadd,
>
> On 02-05-2023 10:15, Yadd wrote:
>> extracting only the CVE patch means:
>> * keep some (unimportant) bugs in Bullseye
>> * publish such a version number:
>>   5.76.1+dfsg1+~cs17.16.16+really~5.75.0+dfsg+~cs17.16.14-1
>
> Indeed, both are totally acceptable. Can we have a debdiff please?
>
> Paul

Hi,

here is the current debdiff (without the big removal of useless
discoveryjs-json-ext/benchmarks)

Regards,
Yadd
diff --git a/README.md b/README.md index c712d27f..a6549c1c 100644 --- a/README.md +++ b/README.md
@@ -158,11 +158,11 @@ or are automatically applied via regex from your webpack configuration. Transpiling -| Name |Status | Install Size | Description | -| :: | :---: | :: | : | -| https://github.com/babel/babel-loader;>https://worldvectorlogo.com/logos/babel-10.svg;> | ![babel-npm] | ![babel-size] | Loads ES2015+ code and transpiles to ES5 using https://github.com/babel/babel;>Babel | -| https://github.com/TypeStrong/ts-loader;>https://cdn.rawgit.com/Microsoft/TypeScript/master/doc/logo.svg;> | ![type-npm] | ![type-size] | Loads TypeScript like JavaScript | -|https://github.com/webpack-contrib/coffee-loader;>https://worldvectorlogo.com/logos/coffeescript.svg;>| ![coffee-npm] | ![coffee-size] | Loads CoffeeScript like JavaScript | +| Name |Status | Install Size | Description | +| :--: | :---: | :: | : | +| https://github.com/babel/babel-loader;>https://worldvectorlogo.com/logos/babel-10.svg;> | ![babel-npm] | ![babel-size] | Loads ES2015+ code and transpiles to ES5 using https://github.com/babel/babel;>Babel | +| https://github.com/TypeStrong/ts-loader;>https://raw.githubusercontent.com/microsoft/TypeScript-Website/f407e1ae19e5e990d9901ac8064a32a8cc60edf0/packages/typescriptlang-org/static/branding/ts-logo-128.svg;> | ![type-npm] | ![type-size] | Loads TypeScript like JavaScript | +| https://github.com/webpack-contrib/coffee-loader;>https://worldvectorlogo.com/logos/coffeescript.svg;> | ![coffee-npm] | ![coffee-size] | Loads CoffeeScript like JavaScript | [babel-npm]: https://img.shields.io/npm/v/babel-loader.svg [babel-size]: https://packagephobia.com/badge?p=babel-loader 
@@ -175,7 +175,7 @@ or are automatically applied via regex from your webpack configuration. | Name | Status | Install Size | Description | | :---: | :-: | :--: | :-- | -|https://github.com/webpack-contrib/html-loader;>https://worldvectorlogo.com/logos/html5.svg;> | ![html-npm] | ![html-size] | Exports HTML as string, requires references to static resources | +| https://github.com/webpack-contrib/html-loader;>https://worldvectorlogo.com/logos/html5-2.svg;> |
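Review bot: the README.md hunks at @@ -158 and @@ -175 only realign markdown table columns and swap loader logo URLs (for example the ts-loader logo moving from cdn.rawgit.com to raw.githubusercontent.com); nothing in them touches the cross-realm handling that CVE-2023-28154 is about, and this debdiff is the same one attached to the original March 15 request, which is precisely the non-targeted content Paul and Graham asked to have reverted. A targeted update should drop these hunks and carry only the lib/ change plus its changelog entry.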
Bug#1032994: unblock: node-webpack/5.76.1+dfsg1+~cs17.16.16-1
Hi Yadd,

On 02-05-2023 10:15, Yadd wrote:
> extracting only the CVE patch means:
> * keep some (unimportant) bugs in Bullseye
> * publish such a version number:
>   5.76.1+dfsg1+~cs17.16.16+really~5.75.0+dfsg+~cs17.16.14-1

Indeed, both are totally acceptable. Can we have a debdiff please?

Paul
Bug#1032994: unblock: node-webpack/5.76.1+dfsg1+~cs17.16.16-1
On 4/29/23 16:00, Salvatore Bonaccorso wrote:
> Control: severity 1032904 serious
>
> Hi Yadd,
>
> On Wed, Mar 15, 2023 at 09:11:46PM +0100, Paul Gevers wrote:
>> Control: tags -1 moreinfo
>>
>> Hi Yadd,
>>
>> On 15-03-2023 13:38, Yadd wrote:
>>> [ Reason ]
>>> node-webpack is vulnerable to cross-realm object access
>>> (#1032904, CVE-2023-28154).
>>
>> This doesn't look like a targeted fix, but rather seems to include much
>> more.
>>
>> How about reverting and providing a fix only for that CVE please?
>
> have you seen Paul's comment/question above? We have now a somewhat
> unfortunate situation that the CVE is fixed in unstable, and it is fixed
> with the last point release as well in bullseye. But it is still open in
> bookworm. I will bump for this reason the severity of #1032904 to RC as
> it is a regression in this regard.
>
> Regards,
> Salvatore

Hi,

extracting only the CVE patch means:
* keep some (unimportant) bugs in Bullseye
* publish such a version number:
  5.76.1+dfsg1+~cs17.16.16+really~5.75.0+dfsg+~cs17.16.14-1
Bug#1032994: unblock: node-webpack/5.76.1+dfsg1+~cs17.16.16-1
Control: severity 1032904 serious

Hi Yadd,

On Wed, Mar 15, 2023 at 09:11:46PM +0100, Paul Gevers wrote:
> Control: tags -1 moreinfo
>
> Hi Yadd,
>
> On 15-03-2023 13:38, Yadd wrote:
> > [ Reason ]
> > node-webpack is vulnerable to cross-realm object access
> > (#1032904, CVE-2023-28154).
>
> This doesn't look like a targeted fix, but rather seems to include much
> more.
>
> How about reverting and providing a fix only for that CVE please?

have you seen Paul's comment/question above? We have now a somewhat
unfortunate situation that the CVE is fixed in unstable, and it is fixed
with the last point release as well in bullseye. But it is still open in
bookworm. I will bump for this reason the severity of #1032904 to RC as
it is a regression in this regard.

Regards,
Salvatore
Processed: Re: Bug#1032994: unblock: node-webpack/5.76.1+dfsg1+~cs17.16.16-1
Processing control commands:

> tags -1 moreinfo
Bug #1032994 [release.debian.org] unblock: node-webpack/5.76.1+dfsg1+~cs17.16.16-1
Added tag(s) moreinfo.

--
1032994: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1032994
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
Bug#1032994: unblock: node-webpack/5.76.1+dfsg1+~cs17.16.16-1
Control: tags -1 moreinfo

Hi Yadd,

On 15-03-2023 13:38, Yadd wrote:
> [ Reason ]
> node-webpack is vulnerable to cross-realm object access
> (#1032904, CVE-2023-28154).

This doesn't look like a targeted fix, but rather seems to include much
more.

How about reverting and providing a fix only for that CVE please?

Paul
Bug#1032994: unblock: node-webpack/5.76.1+dfsg1+~cs17.16.16-1
On 3/15/23 16:38, Yadd wrote:
> Package: release.debian.org
> Severity: normal
> User: release.debian@packages.debian.org
> Usertags: unblock
> X-Debbugs-Cc: node-webp...@packages.debian.org
> Control: affects -1 + src:node-webpack
>
> Please unblock package node-webpack
>
> [ Reason ]
> node-webpack is vulnerable to cross-realm object access
> (#1032904, CVE-2023-28154).
>
> [ Impact ]
> Medium security issue
>
> [ Tests ]
> Test updated, passed
>
> [ Risks ]
> Low risk, autopkgtest passed on all reverse dependencies
>
> [ Checklist ]
> [X] all changes are documented in the d/changelog
> [X] I reviewed all changes and I approve them
> [X] attach debdiff against the package in testing
>
> [ Other info ]
> The attached debdiff doesn't show the doc and test snapshot updates,
> else the debdiff is really big and not relevant.
>
> Cheers,
> Yadd
>
> unblock node-webpack/5.76.1+dfsg1+~cs17.16.16-1

Sorry, I didn't see that node-webpack was considered a key package.
Bug#1032994: unblock: node-webpack/5.76.1+dfsg1+~cs17.16.16-1
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: node-webp...@packages.debian.org
Control: affects -1 + src:node-webpack

Please unblock package node-webpack

[ Reason ]
node-webpack is vulnerable to cross-realm object access
(#1032904, CVE-2023-28154).

[ Impact ]
Medium security issue

[ Tests ]
Test updated, passed

[ Risks ]
Low risk, autopkgtest passed on all reverse dependencies

[ Checklist ]
[X] all changes are documented in the d/changelog
[X] I reviewed all changes and I approve them
[X] attach debdiff against the package in testing

[ Other info ]
The attached debdiff doesn't show the doc and test snapshot updates, else
the debdiff is really big and not relevant.

Cheers,
Yadd

unblock node-webpack/5.76.1+dfsg1+~cs17.16.16-1
diff --git a/README.md b/README.md index c712d27f..a6549c1c 100644 --- a/README.md +++ b/README.md
@@ -158,11 +158,11 @@ or are automatically applied via regex from your webpack configuration. Transpiling -| Name |Status | Install Size | Description | -| :: | :---: | :: | : | -| https://github.com/babel/babel-loader;>https://worldvectorlogo.com/logos/babel-10.svg;> | ![babel-npm] | ![babel-size] | Loads ES2015+ code and transpiles to ES5 using https://github.com/babel/babel;>Babel | -| https://github.com/TypeStrong/ts-loader;>https://cdn.rawgit.com/Microsoft/TypeScript/master/doc/logo.svg;> | ![type-npm] | ![type-size] | Loads TypeScript like JavaScript | -|https://github.com/webpack-contrib/coffee-loader;>https://worldvectorlogo.com/logos/coffeescript.svg;>| ![coffee-npm] | ![coffee-size] | Loads CoffeeScript like JavaScript | +| Name |Status | Install Size | Description | +| :--: | :---: | :: | : | +| https://github.com/babel/babel-loader;>https://worldvectorlogo.com/logos/babel-10.svg;> | ![babel-npm] | ![babel-size] | Loads ES2015+ code and transpiles to ES5 using https://github.com/babel/babel;>Babel | +| https://github.com/TypeStrong/ts-loader;>https://raw.githubusercontent.com/microsoft/TypeScript-Website/f407e1ae19e5e990d9901ac8064a32a8cc60edf0/packages/typescriptlang-org/static/branding/ts-logo-128.svg;> | ![type-npm] | ![type-size] | Loads TypeScript like JavaScript | +| https://github.com/webpack-contrib/coffee-loader;>https://worldvectorlogo.com/logos/coffeescript.svg;> | ![coffee-npm] | ![coffee-size] | Loads CoffeeScript like JavaScript | [babel-npm]: https://img.shields.io/npm/v/babel-loader.svg [babel-size]: https://packagephobia.com/badge?p=babel-loader @@ -175,7 +175,7 @@ or are automatically applied via regex from your webpack configuration. | Name | Status | Install Size | Description | | :---: | :-: | :--: | :-- | -|
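Review bot: the README.md hunk at @@ -158 (the "Transpiling" loader table) only realigns markdown table columns and replaces logo image URLs, and the @@ -175 hunk starts the same treatment for the next table; neither relates to the cross-realm fix this unblock is requested for, which is the "much more" the release team objects to. The request's [ Other info ] already leaves doc and test snapshot updates out of the debdiff; these README changes belong in the same bucket, and dropping them leaves the security change reviewable on its own.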