Bug#1008168: bullseye-pu: package node-url-parse/1.5.3-1+deb11u1
Control: tags -1 + confirmed On Mon, 2022-04-11 at 16:17 +0200, Yadd wrote: > On 24/03/2022 15:12, Moritz Mühlenhoff wrote: > > Am Wed, Mar 23, 2022 at 02:25:26PM +0100 schrieb Yadd: > > > Package: release.debian.org > > > Severity: normal > > > Tags: bullseye > > > User: release.debian@packages.debian.org > > > Usertags: pu > > > > > > [ Reason ] > > > node-url-parse is vulnerable to an authorization Bypass Through > > > User-Controlled (CVE-2022-0686). > > > > If we're doing an update, we could also include a fix for CVE-2022- > > 0691? > > > > Cheers, > > Moritz > > Hi, > > done, here is the new debdiff (including new test) > Please go ahead. Regards, Adam
Bug#1008168: bullseye-pu: package node-url-parse/1.5.3-1+deb11u1
On 24/03/2022 15:12, Moritz Mühlenhoff wrote: Am Wed, Mar 23, 2022 at 02:25:26PM +0100 schrieb Yadd: Package: release.debian.org Severity: normal Tags: bullseye User: release.debian@packages.debian.org Usertags: pu [ Reason ] node-url-parse is vulnerable to an authorization Bypass Through User-Controlled (CVE-2022-0686). If we're doing an update, we could also include a fix for CVE-2022-0691? Cheers, Moritz Hi, done, here is the new debdiff (including new test) Cheers, Yadddiff --git a/debian/changelog b/debian/changelog index 175b525..842b4ff 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,13 @@ +node-url-parse (1.5.3-1+deb11u1) bullseye; urgency=medium + + * Team upload + * Handle the case where the port is specified but empty +(Closes: CVE-2022-0686) + * Strip all control characters from the beginning of the URL +(Closes: CVE-2022-0691) + + -- Yadd Mon, 11 Apr 2022 16:15:12 +0200 + node-url-parse (1.5.3-1) unstable; urgency=medium * Team upload diff --git a/debian/patches/CVE-2022-0686.patch b/debian/patches/CVE-2022-0686.patch new file mode 100644 index 000..12cab4c --- /dev/null +++ b/debian/patches/CVE-2022-0686.patch 
@@ -0,0 +1,92 @@
+Description: Handle the case where the port is specified but empty
+Author: Luigi Pinca
+Origin: upstream, https://github.com/unshiftio/url-parse/commit/d5c64791
+Bug: https://huntr.dev/bounties/55fd06cd-9054-4d80-83be-eb5a454be78c
+Forwarded: not-needed
+Reviewed-By: Yadd
+Last-Update: 2022-03-23
+
+--- a/index.js b/index.js
+@@ -3,6 +3,7 @@
+ var required = require('requires-port')
+ , qs = require('querystringify')
+ , slashes = /^[A-Za-z][A-Za-z0-9+-.]*:\/\//
++ , port = /:\d+$/
+ , protocolre = /^([a-z][a-z0-9.+-]*:)?(\/\/)?([\\/]+)?([\S\s]*)/i
+ , windowsDriveLetter = /^[a-zA-Z]:/
+ , whitespace = '[\\x09\\x0A\\x0B\\x0C\\x0D\\x20\\xA0\\u1680\\u180E\\u2000\\u2001\\u2002\\u2003\\u2004\\u2005\\u2006\\u2007\\u2008\\u2009\\u200A\\u202F\\u205F\\u3000\\u2028\\u2029\\uFEFF]'
+@@ -39,7 +40,7 @@
+ ['/', 'pathname'],// Extract from the back.
+ ['@', 'auth', 1], // Extract from the front.
+ [NaN, 'host', undefined, 1, 1], // Set left over value.
+- [/:(\d+)$/, 'port', undefined, 1],// RegExp the back.
++ [/:(\d*)$/, 'port', undefined, 1],// RegExp the back.
+ [NaN, 'hostname', undefined, 1, 1]// Set left over.
+ ];
+
+@@ -433,7 +434,7 @@
+ case 'host':
+ url[part] = value;
+
+- if (/:\d+$/.test(value)) {
++ if (port.test(value)) {
+ value = value.split(':');
+ url.port = value.pop();
+ url.hostname = value.join(':');
+@@ -490,6 +491,7 @@
+
+ var query
+ , url = this
++, host = url.host
+ , protocol = url.protocol;
+
+ if (protocol && protocol.charAt(protocol.length - 1) !== ':') protocol += ':';
+@@ -502,7 +504,15 @@
+ result += '@';
+ }
+
+- result += url.host + url.pathname;
++ //
++ // Trailing colon is removed from `url.host` when it is parsed. If it still
++ // ends with a colon, then add back the trailing colon that was removed. This
++ // prevents an invalid URL from being transformed into a valid one.
++ //
++ if (host[host.length - 1] === ':' || (port.test(url.hostname) && !url.port)) {
++host += ':';
++ }
++ result += host + url.pathname;
+
+ query = 'object' === typeof url.query ? stringify(url.query) : url.query;
+ if (query) result += '?' !== query.charAt(0) ? '?'+ query : query;
+--- a/test/test.js b/test/test.js
+@@ -401,6 +401,28 @@
+ assume(parsed.slashes).is.true();
+ });
+
++ it('handles the case where the port is specified but empty', function () {
++var parsed = parse('http://example.com:');
++
++assume(parsed.protocol).equals('http:');
++assume(parsed.port).equals('');
++assume(parsed.host).equals('example.com');
++assume(parsed.hostname).equals('example.com');
++assume(parsed.pathname).equals('/');
++assume(parsed.origin).equals('http://example.com');
++assume(parsed.href).equals('http://example.com/');
++
++parsed = parse('http://example.com::');
++
++assume(parsed.protocol).equals('http:');
++assume(parsed.port).equals('');
++assume(parsed.host).equals('example.com:');
++assume(parsed.hostname).equals('example.com:');
++assume(parsed.pathname).equals('/');
++assume(parsed.origin).equals('http://example.com:');
++assume(parsed.href).equals('http://example.com::/');
++ });
++
+ describe('origin', function () {
+ it('generates an origin property', function () {
+ var url = 'http://google.com:80/pathname'
diff --git a/debian/patches/CVE-2022-0691.patch b/debian/patches/CVE-2022-0691.patch
new file mode 100644
index 000..b72c4a7
--- /dev/null
+++ b/debian/patches/CVE-2022-0691.patch
@@ -0,0 +1,39 @@
+Description: Strip all control characters from the beginning of the URL
+Author: Luigi Pinca
+Origin: upstream,
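Review bot: In the `case 'host':` hunk of CVE-2022-0686.patch, the new shared `port` regexp still requires digits (`/:\d+$/`) while the parsing rule was relaxed to `/:(\d*)$/`, so the setter and the parser now treat an empty port differently. A value such as `example.com:` passed to `set('host', …)` would presumably keep its colon in `host`, and the new `toString()` check `host[host.length - 1] === ':'` would then append a second one; the rest of that `case` lies outside the hunk, so this needs confirming. The added test only exercises `parse()`; a setter assertion, or a comment on the declaration such as `// digits required here; the parsing rule uses \d* so an empty port is stripped`, would show the difference is deliberate. Code that compares `hostname` against an allow-list should also account for `http://example.com::` yielding hostname `example.com:`, as the new test pins. The same patch is quoted again in the original request further down the page.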
Bug#1008168: bullseye-pu: package node-url-parse/1.5.3-1+deb11u1
Am Wed, Mar 23, 2022 at 02:25:26PM +0100 schrieb Yadd: > Package: release.debian.org > Severity: normal > Tags: bullseye > User: release.debian@packages.debian.org > Usertags: pu > > [ Reason ] > node-url-parse is vulnerable to an authorization Bypass Through > User-Controlled (CVE-2022-0686). If we're doing an update, we could also include a fix for CVE-2022-0691? Cheers, Moritz
Bug#1008168: bullseye-pu: package node-url-parse/1.5.3-1+deb11u1
Package: release.debian.org Severity: normal Tags: bullseye User: release.debian@packages.debian.org Usertags: pu [ Reason ] node-url-parse is vulnerable to an authorization Bypass Through User-Controlled (CVE-2022-0686). [ Impact ] medium vulnerability [ Tests ] Test updated, passed [ Risks ] Low risk, patch is trivial and new test passed [ Checklist ] [X] *all* changes are documented in the d/changelog [X] I reviewed all changes and I approve them [X] attach debdiff against the package in (old)stable [X] the issue is verified as fixed in unstable [ Changes ] Better checks. Cheers, Yadd diff --git a/debian/changelog b/debian/changelog index 175b525..67a3dca 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +node-url-parse (1.5.3-1+deb11u1) bullseye; urgency=medium + + * Team upload + * Handle the case where the port is specified but empty(Closes: CVE-2022-0686) + + -- Yadd Wed, 23 Mar 2022 14:20:54 +0100 + node-url-parse (1.5.3-1) unstable; urgency=medium * Team upload diff --git a/debian/patches/CVE-2022-0686.patch b/debian/patches/CVE-2022-0686.patch new file mode 100644 index 000..12cab4c --- /dev/null +++ b/debian/patches/CVE-2022-0686.patch 
@@ -0,0 +1,92 @@
+Description: Handle the case where the port is specified but empty
+Author: Luigi Pinca
+Origin: upstream, https://github.com/unshiftio/url-parse/commit/d5c64791
+Bug: https://huntr.dev/bounties/55fd06cd-9054-4d80-83be-eb5a454be78c
+Forwarded: not-needed
+Reviewed-By: Yadd
+Last-Update: 2022-03-23
+
+--- a/index.js b/index.js
+@@ -3,6 +3,7 @@
+ var required = require('requires-port')
+ , qs = require('querystringify')
+ , slashes = /^[A-Za-z][A-Za-z0-9+-.]*:\/\//
++ , port = /:\d+$/
+ , protocolre = /^([a-z][a-z0-9.+-]*:)?(\/\/)?([\\/]+)?([\S\s]*)/i
+ , windowsDriveLetter = /^[a-zA-Z]:/
+ , whitespace = '[\\x09\\x0A\\x0B\\x0C\\x0D\\x20\\xA0\\u1680\\u180E\\u2000\\u2001\\u2002\\u2003\\u2004\\u2005\\u2006\\u2007\\u2008\\u2009\\u200A\\u202F\\u205F\\u3000\\u2028\\u2029\\uFEFF]'
+@@ -39,7 +40,7 @@
+ ['/', 'pathname'],// Extract from the back.
+ ['@', 'auth', 1], // Extract from the front.
+ [NaN, 'host', undefined, 1, 1], // Set left over value.
+- [/:(\d+)$/, 'port', undefined, 1],// RegExp the back.
++ [/:(\d*)$/, 'port', undefined, 1],// RegExp the back.
+ [NaN, 'hostname', undefined, 1, 1]// Set left over.
+ ];
+
+@@ -433,7 +434,7 @@
+ case 'host':
+ url[part] = value;
+
+- if (/:\d+$/.test(value)) {
++ if (port.test(value)) {
+ value = value.split(':');
+ url.port = value.pop();
+ url.hostname = value.join(':');
+@@ -490,6 +491,7 @@
+
+ var query
+ , url = this
++, host = url.host
+ , protocol = url.protocol;
+
+ if (protocol && protocol.charAt(protocol.length - 1) !== ':') protocol += ':';
+@@ -502,7 +504,15 @@
+ result += '@';
+ }
+
+- result += url.host + url.pathname;
++ //
++ // Trailing colon is removed from `url.host` when it is parsed. If it still
++ // ends with a colon, then add back the trailing colon that was removed. This
++ // prevents an invalid URL from being transformed into a valid one.
++ //
++ if (host[host.length - 1] === ':' || (port.test(url.hostname) && !url.port)) {
++host += ':';
++ }
++ result += host + url.pathname;
+
+ query = 'object' === typeof url.query ? stringify(url.query) : url.query;
+ if (query) result += '?' !== query.charAt(0) ? '?'+ query : query;
+--- a/test/test.js b/test/test.js
+@@ -401,6 +401,28 @@
+ assume(parsed.slashes).is.true();
+ });
+
++ it('handles the case where the port is specified but empty', function () {
++var parsed = parse('http://example.com:');
++
++assume(parsed.protocol).equals('http:');
++assume(parsed.port).equals('');
++assume(parsed.host).equals('example.com');
++assume(parsed.hostname).equals('example.com');
++assume(parsed.pathname).equals('/');
++assume(parsed.origin).equals('http://example.com');
++assume(parsed.href).equals('http://example.com/');
++
++parsed = parse('http://example.com::');
++
++assume(parsed.protocol).equals('http:');
++assume(parsed.port).equals('');
++assume(parsed.host).equals('example.com:');
++assume(parsed.hostname).equals('example.com:');
++assume(parsed.pathname).equals('/');
++assume(parsed.origin).equals('http://example.com:');
++assume(parsed.href).equals('http://example.com::/');
++ });
++
+ describe('origin', function () {
+ it('generates an origin property', function () {
+ var url = 'http://google.com:80/pathname'
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 000..2b5fec1
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1 @@
+CVE-2022-0686.patch
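Review bot: The second half of the new `toString()` condition, `port.test(url.hostname) && !url.port`, has neither a comment nor a test. The comment block above it explains only the trailing-colon case, and the two inputs in the added test (`http://example.com:` and `http://example.com::`) appear to hit either the first clause or neither. It looks intended for a hostname that itself ends in `:<digits>` while `port` is empty, so that serialising does not turn those digits into a port. A line such as `// Also restore the colon when hostname ends in ":<digits>" and port is empty`, plus a matching assertion on `href`, would pin that behaviour. `toString()` begins and ends outside the hunk.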