Bug#1032994: unblock: node-webpack/5.76.1+dfsg1+~cs17.16.16-1

To: 1032994@bugs.debian.org
Subject: Bug#1032994: unblock: node-webpack/5.76.1+dfsg1+~cs17.16.16-1
From: Yadd <yadd@debian.org>
Date: Mon, 29 May 2023 07:58:36 +0400
Message-id: <[🔎] d0af7b4a-0e44-1586-153c-a42d9add202a@debian.org>
Reply-to: Yadd <yadd@debian.org>, 1032994@bugs.debian.org
In-reply-to: <[🔎] CAM8zJQusotiQ=fp7N_noe-a+hNBrv96S--1emEHHVY9M3TtN5w@mail.gmail.com>
References: <bb425d63-d388-94cf-5343-cb1b2191d1ac@debian.org> <ZE0G0SA7mpz+3SIx@eldamar.lan> <[🔎] 0bb63fb3-59d6-4dee-a3f6-ca6787b3a4c5@debian.org> <167888392271.1801856.1546557073263234240.reportbug@debian007.xnr.fr> <[🔎] 73ec47cb-8632-36ba-2c19-4f07f504edd9@debian.org> <[🔎] 14b4a717-c396-d37f-0971-7e13a4510a93@debian.org> <[🔎] CAM8zJQusotiQ=fp7N_noe-a+hNBrv96S--1emEHHVY9M3TtN5w@mail.gmail.com> <167888392271.1801856.1546557073263234240.reportbug@debian007.xnr.fr>

On 5/28/23 10:29, Graham Inggs wrote:

tags -1 + moreinfo

Hi Yadd

On Wed, 3 May 2023 at 04:51, Yadd <yadd@debian.org> wrote:

here is the current debdiff (without the big removal of useless
discoveryjs-json-ext/benchmarks)


I removed the moreinfo tag before realizing this is exactly the same
as the first debdiff.

You seem to have missed this comment:

On Wed, 15 Mar 2023 at 22:15, Paul Gevers <elbrus@debian.org> wrote:

This doesn't look like a targeted fix, but rather seems to include much
more.

How about reverting and providing a fix only for that CVE please?

Hi,

instead of reverting and have a too long version(5.76.1+dfsg1+~cs17.16.16+really-5.75.0+dfsg+~cs17.16.14-1), if uploadto bookworm is allowed, I'm able to push this debdiff.


Cheers,
Yadd

diff --git a/debian/changelog b/debian/changelog
index 0053d7ee..a07dd9d4 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+node-webpack (5.75.0+dfsg+~cs17.16.14-1+deb12u1) bookworm; urgency=medium
+
+  * Team upload
+  * Avoid cross-realm objects (Closes: #1032904, CVE-2023-28154)
+
+ -- Yadd <yadd@debian.org>  Mon, 29 May 2023 07:53:16 +0400
+
 node-webpack (5.75.0+dfsg+~cs17.16.14-1) unstable; urgency=medium
 
   * Team upload
diff --git a/debian/patches/CVE-2023-28154.patch b/debian/patches/CVE-2023-28154.patch
new file mode 100644
index 00000000..2f651167
--- /dev/null
+++ b/debian/patches/CVE-2023-28154.patch
@@ -0,0 +1,80 @@
+Description: avoid cross-realm objects
+Author: Jack Works <jackworks@protonmail.com>
+Origin: upstream, https://github.com/webpack/webpack/commit/4b4ca3bb
+Bug: https://www.cve.org/CVERecord?id=CVE-2023-28154
+Bug-Debian: https://bugs.debian.org/1032904
+Forwarded: not-needed
+Applied-Upstream: 5.76.1, commit:4b4ca3bb
+Reviewed-By: Yadd <yadd@debian.org>
+Last-Update: 2023-05-29
+
+--- a/lib/dependencies/ImportParserPlugin.js
++++ b/lib/dependencies/ImportParserPlugin.js
+@@ -137,7 +137,7 @@
+ 				if (importOptions.webpackInclude !== undefined) {
+ 					if (
+ 						!importOptions.webpackInclude ||
+-						importOptions.webpackInclude.constructor.name !== "RegExp"
++						!(importOptions.webpackInclude instanceof RegExp)
+ 					) {
+ 						parser.state.module.addWarning(
+ 							new UnsupportedFeatureWarning(
+@@ -146,13 +146,13 @@
+ 							)
+ 						);
+ 					} else {
+-						include = new RegExp(importOptions.webpackInclude);
++						include = importOptions.webpackInclude;
+ 					}
+ 				}
+ 				if (importOptions.webpackExclude !== undefined) {
+ 					if (
+ 						!importOptions.webpackExclude ||
+-						importOptions.webpackExclude.constructor.name !== "RegExp"
++						!(importOptions.webpackExclude instanceof RegExp)
+ 					) {
+ 						parser.state.module.addWarning(
+ 							new UnsupportedFeatureWarning(
+@@ -161,7 +161,7 @@
+ 							)
+ 						);
+ 					} else {
+-						exclude = new RegExp(importOptions.webpackExclude);
++						exclude = importOptions.webpackExclude;
+ 					}
+ 				}
+ 				if (importOptions.webpackExports !== undefined) {
+--- a/lib/javascript/JavascriptParser.js
++++ b/lib/javascript/JavascriptParser.js
+@@ -3635,17 +3635,27 @@
+ 			return EMPTY_COMMENT_OPTIONS;
+ 		}
+ 		let options = {};
++		/** @type {unknown[]} */
+ 		let errors = [];
+ 		for (const comment of comments) {
+ 			const { value } = comment;
+ 			if (value && webpackCommentRegExp.test(value)) {
+ 				// try compile only if webpack options comment is present
+ 				try {
+-					const val = vm.runInNewContext(`(function(){return {${value}};})()`);
+-					Object.assign(options, val);
++					for (let [key, val] of Object.entries(
++						vm.runInNewContext(`(function(){return {${value}};})()`)
++					)) {
++						if (typeof val === "object" && val !== null) {
++							if (val.constructor.name === "RegExp") val = new RegExp(val);
++							else val = JSON.parse(JSON.stringify(val));
++						}
++						options[key] = val;
++					}
+ 				} catch (e) {
+-					e.comment = comment;
+-					errors.push(e);
++					const newErr = new Error(String(e.message));
++					newErr.stack = String(e.stack);
++					Object.assign(newErr, { comment });
++					errors.push(newErr);
+ 				}
+ 			}
+ 		}
diff --git a/debian/patches/series b/debian/patches/series
index 16f26f45..dd57ffb6 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -4,3 +4,4 @@ webpack-cli-path.patch
 terser-webpack-plugin.patch
 fix-for-jest-29.patch
 fix-tsconfig.patch
+CVE-2023-28154.patch

Reply to:

References:
- Bug#1032994: unblock: node-webpack/5.76.1+dfsg1+~cs17.16.16-1
  - From: Yadd <yadd@debian.org>
- Bug#1032994: unblock: node-webpack/5.76.1+dfsg1+~cs17.16.16-1
  - From: Paul Gevers <elbrus@debian.org>
- Bug#1032994: unblock: node-webpack/5.76.1+dfsg1+~cs17.16.16-1
  - From: Yadd <yadd@debian.org>
- Bug#1032994: unblock: node-webpack/5.76.1+dfsg1+~cs17.16.16-1
  - From: Graham Inggs <ginggs@debian.org>

Prev by Date: Processed: your mail
Next by Date: Bug#1035056: [pre-approval] plasma-desktop 5.27.X
Previous by thread: Bug#1032994: unblock: node-webpack/5.76.1+dfsg1+~cs17.16.16-1
Next by thread: Bug#1035372: unblock: wbar/2.3.4-13
Index(es):
- Date
- Thread