Package: release.debian.org Severity: normal User: release.debian....@packages.debian.org Usertags: unblock
Please unblock package node-handlebars [ Reason ] node-handlebars is vulnerable to Remote Code Execution (RCE) (CVE-2021-23369). [ Impact ] Medium vulnerability [ Tests ] Yes, code passed (build & autopkgtest), including new checks [ Risks ] Low risk; change is trivial (upstream patch applied without any change) [ Checklist ] [X] all changes are documented in the d/changelog [X] I reviewed all changes and I approve them [X] attach debdiff against the package in testing Cheers, Yadd unblock node-handlebars/4.7.6+~4.1.0-2
diff --git a/debian/changelog b/debian/changelog
index 675dba0..215d5a2 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+node-handlebars (3:4.7.6+~4.1.0-2) unstable; urgency=medium
+
+ * Team upload
+ * Fix remote code execution (Closes: CVE-2021-23369)
+
+ -- Yadd <y...@debian.org> Fri, 16 Apr 2021 10:19:56 +0200
+
 node-handlebars (3:4.7.6+~4.1.0-1) unstable; urgency=medium
 
 [ Xavier Guimard ]
diff --git a/debian/patches/CVE-2021-23369.patch b/debian/patches/CVE-2021-23369.patch
new file mode 100644
index 0000000..98ee3fc
--- /dev/null
+++ b/debian/patches/CVE-2021-23369.patch
@@ -0,0 +1,80 @@
+Description: fix Remote Code Execution (RCE)
+ when selecting certain compiling options to compile templates coming from an
+ untrusted source.
+Author: Nils Knappmeier <n...@knappi.org>
+Origin: upstream, https://github.com/handlebars-lang/handlebars.js/commit/b6d3de71
+ https://github.com/handlebars-lang/handlebars.js/commit/f0589701
+Bug: https://snyk.io/vuln/SNYK-JS-HANDLEBARS-1056767
+Forwarded: not-needed
+Reviewed-By: Yadd <y...@debian.org>
+Last-Update: 2021-04-16
+
+--- a/lib/handlebars/compiler/javascript-compiler.js
++++ b/lib/handlebars/compiler/javascript-compiler.js
+@@ -16,7 +16,12 @@
+ return this.internalNameLookup(parent, name);
+ },
+ depthedLookup: function(name) {
+- return [this.aliasable('container.lookup'), '(depths, "', name, '")'];
++ return [
++ this.aliasable('container.lookup'),
++ '(depths, ',
++ JSON.stringify(name),
++ ')'
++ ];
+ },
+
+ compilerInfo: function() {
+--- a/lib/handlebars/runtime.js
++++ b/lib/handlebars/runtime.js
+@@ -124,7 +124,7 @@
+ loc: loc
+ });
+ }
+- return obj[name];
++ return container.lookupProperty(obj, name);
+ },
+ lookupProperty: function(parent, propertyName) {
+ let result = parent[propertyName];
+--- a/spec/security.js
++++ b/spec/security.js
+@@ -320,6 +320,10 @@
+ checkProtoPropertyAccess({ compat: true });
+ });
+
++ describe('in strict-mode', function() {
++ checkProtoPropertyAccess({ strict: true });
++ });
++
+ function checkProtoPropertyAccess(compileOptions) {
+ it('should be prohibited by default and log a warning', function() {
+ var spy = sinon.spy(console, 'error');
+@@ -418,6 +422,28 @@
+ });
+ });
+ });
++
++ describe('escapes template variables', function() {
++ it('in compat mode', function() {
++ expectTemplate("{{'a\\b'}}")
++ .withCompileOptions({ compat: true })
++ .withInput({ 'a\\b': 'c' })
++ .toCompileTo('c');
++ });
++
++ it('in default mode', function() {
++ expectTemplate("{{'a\\b'}}")
++ .withCompileOptions()
++ .withInput({ 'a\\b': 'c' })
++ .toCompileTo('c');
++ });
++ it('in default mode', function() {
++ expectTemplate("{{'a\\b'}}")
++ .withCompileOptions({ strict: true })
++ .withInput({ 'a\\b': 'c' })
++ .toCompileTo('c');
++ });
++ });
+ });
+
+ function wrapToAdjustContainer(precompiledTemplateFunction) {
diff --git a/debian/patches/series b/debian/patches/series
index 35bc292..d613930 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -3,3 +3,4 @@ skip-some-modules.patch
 disable-bg-shell-plugin.patch
 use-babel7.patch
 use-global-object-this.patch
+CVE-2021-23369.patch
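Review bot: The third `escapes template variables` case in spec/security.js is titled `it('in default mode', function() {` although it compiles with `{ strict: true }`, so two tests share a title and a failure in the strict path would be reported under the wrong mode; it should read `it('in strict mode', function() {`, matching the `describe('in strict-mode'` block added earlier in the same patch. All three cases exercise only a backslash in the key (`'a\\b'`); since the removed `depthedLookup` line wrapped `name` in double quotes, one further case with a key containing `"` would pin the quoting that `JSON.stringify(name)` now provides and guard against a later regression to string concatenation. Both points concern the upstream test file carried verbatim in this patch, so with `Forwarded: not-needed` they are better raised upstream than changed in the Debian patch. The enclosing `describe` blocks in spec/security.js and the `lookup`/`depthedLookup` functions begin outside their respective hunks.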