
Bug#941683: marked as done (buster-pu: package node-yarnpkg/1.13.0-1+deb10u1)



Your message dated Sat, 16 Nov 2019 10:08:47 +0000
with message-id <83c9ffab6f08361485f70dda4733a7a24aeec09b.camel@adam-barratt.org.uk>
and subject line Closing bugs for 10.2 point release fixes
has caused the Debian Bug report #941683,
regarding buster-pu: package node-yarnpkg/1.13.0-1+deb10u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
941683: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=941683
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu

Hi,

node-yarnpkg is vulnerable: it exports auth data in http requests
(#941354, CVE-2019-5448). This patch imports the upstream fix.

Cheers,
Xavier
diff --git a/debian/changelog b/debian/changelog
index 01fe7d70d..6c4b5fef1 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+node-yarnpkg (1.13.0-1+deb10u1) buster; urgency=medium
+
+  * Team upload
+  * Add patch to force using https for the regular registries
+    (Closes: #941354, CVE-2019-5448)
+
+ -- Xavier Guimard <yadd@debian.org>  Thu, 03 Oct 2019 18:23:54 +0200
+
 node-yarnpkg (1.13.0-1) unstable; urgency=low
 
   * Initial release (Closes: #843021)
diff --git a/debian/patches/CVE-2019-5448.diff b/debian/patches/CVE-2019-5448.diff
new file mode 100644
index 000000000..8bb7442c8
--- /dev/null
+++ b/debian/patches/CVE-2019-5448.diff
@@ -0,0 +1,75 @@
+Description: Forces using https for the regular registries
+Author: Maël Nison <https://github.com/arcanis>
+Origin: upstream, https://github.com/yarnpkg/yarn/commit/2f08a740
+Bug: https://hackerone.com/reports/640904
+Bug-Debian: https://bugs.debian.org/941354
+Forwarded: not-needed
+Reviewed-By: Xavier Guimard <yadd@debian.org>
+Last-Update: 2019-10-03
+
+--- a/__tests__/registries/npm-registry.js
++++ b/__tests__/registries/npm-registry.js
+@@ -750,6 +750,30 @@
+ 
+     expect(npmRegistry.getRequestUrl(registry, pathname)).toEqual('https://my.registry.co/registry/foo/bar/baz');
+   });
++
++  for (const host of [`registry.yarnpkg.com`, `registry.npmjs.org`, `registry.npmjs.com`]) {
++    test(`enforces loading packages through https when they come from ${host}`, () => {
++      const testCwd = '.';
++      const {mockRequestManager, mockRegistries, mockReporter} = createMocks();
++      const npmRegistry = new NpmRegistry(testCwd, mockRegistries, mockRequestManager, mockReporter, true, []);
++      const registry = `http://${host}/registry`;
++      const pathname = 'foo/bar/baz';
++
++      expect(npmRegistry.getRequestUrl(registry, pathname)).toEqual(`https://${host}/registry/foo/bar/baz`);
++    });
++  }
++
++  test("doesn't change the protocol for packages from other registries", () => {
++    const testCwd = '.';
++    const {mockRequestManager, mockRegistries, mockReporter} = createMocks();
++    const npmRegistry = new NpmRegistry(testCwd, mockRegistries, mockRequestManager, mockReporter, true, []);
++    const registry = 'http://registry.mylittlepony.org/registry';
++    const pathname = 'foo/bar/baz';
++
++    expect(npmRegistry.getRequestUrl(registry, pathname)).toEqual(
++      'http://registry.mylittlepony.org/registry/foo/bar/baz',
++    );
++  });
+ });
+ 
+ describe('getScope functional test', () => {
+--- a/src/registries/npm-registry.js
++++ b/src/registries/npm-registry.js
+@@ -22,6 +22,7 @@
+ import ini from 'ini';
+ 
+ const DEFAULT_REGISTRY = 'https://registry.npmjs.org/';
++const REGEX_REGISTRY_ENFORCED_HTTPS = /^https?:\/\/([^\/]+\.)?(yarnpkg\.com|npmjs\.(org|com))(\/|$)/;
+ const REGEX_REGISTRY_HTTP_PROTOCOL = /^https?:/i;
+ const REGEX_REGISTRY_PREFIX = /^(https?:)?\/\//i;
+ const REGEX_REGISTRY_SUFFIX = /registry\/?$/;
+@@ -112,13 +113,17 @@
+   }
+ 
+   getRequestUrl(registry: string, pathname: string): string {
+-    const isUrl = REGEX_REGISTRY_PREFIX.test(pathname);
++    let resolved = pathname;
+ 
+-    if (isUrl) {
+-      return pathname;
+-    } else {
+-      return url.resolve(addSuffix(registry, '/'), pathname);
++    if (!REGEX_REGISTRY_PREFIX.test(pathname)) {
++      resolved = url.resolve(addSuffix(registry, '/'), pathname);
+     }
++
++    if (REGEX_REGISTRY_ENFORCED_HTTPS.test(resolved)) {
++      resolved = resolved.replace(/^http:\/\//, 'https://');
++    }
++
++    return resolved;
+   }
+ 
+   isRequestToRegistry(requestUrl: string, registryUrl: string): boolean {
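Review bot: in the `getRequestUrl` hunk the new `REGEX_REGISTRY_ENFORCED_HTTPS` has no `i` flag, unlike `REGEX_REGISTRY_HTTP_PROTOCOL` and `REGEX_REGISTRY_PREFIX`, and its `(\/|$)` terminator does not allow a port, so `http://registry.npmjs.org:80/...` is left on plain http, and a `pathname` that is already an absolute URL (which skips the normalising `url.resolve` call) keeps its scheme when written as `HTTP://Registry.npmjs.org/...`. Consider matching the parsed hostname (`url.parse(resolved).hostname`, lower-cased) against the three domains instead of the raw string, and adding port and mixed-case variants beside the three-host `for` loop in the test hunk so the enforcement is exercised for them too.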
diff --git a/debian/patches/series b/debian/patches/series
index f3c856f99..7c03222a8 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -9,3 +9,4 @@
 08-cli-table3.diff
 09-buffer_from.diff
 10-babel-plugin-inline-import.diff
+CVE-2019-5448.diff

--- End Message ---
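The behaviour the patch introduces, resolving a package path against the configured registry and rewriting plain http to https when the result points at one of the public yarnpkg/npmjs registries, written here as an added example that is not yarn's code and not part of the bug report. It compares the parsed hostname rather than matching the raw URL string, which also covers an explicit default port and mixed-case input; the registry domains are the three from the patch, the sample registry URLs and paths are constructed for the demo.

```javascript
// Added example (not yarn's code): force HTTPS for the well-known public
// registries when building a package request URL. Domains are the three the
// upstream patch enforces; sample URLs below are constructed for this demo.

// Hosts whose traffic (which carries the registry auth token) must never go
// over plain http. Subdomains such as registry.npmjs.org are included.
const ENFORCED_HTTPS_HOSTS = ['yarnpkg.com', 'npmjs.org', 'npmjs.com'];

// True when `hostname` is one of the enforced domains or a subdomain of one.
// A host that merely contains a registry name (registry.npmjs.org.example)
// does not match, because the comparison is on a dot-separated suffix.
function hostIsEnforced(hostname) {
  const h = hostname.toLowerCase();
  return ENFORCED_HTTPS_HOSTS.some(d => h === d || h.endsWith('.' + d));
}

// Resolve `pathname` against `registry` (an absolute pathname is used as-is,
// as in the patch) and upgrade the scheme when the host is enforced.
// The WHATWG URL parser lower-cases scheme and host and drops a default port,
// so "HTTP://REGISTRY.NPMJS.ORG:80/registry" normalises before the check.
function resolveRequestUrl(registry, pathname) {
  const base = registry.endsWith('/') ? registry : registry + '/';
  const u = new URL(pathname, base);
  if (u.protocol === 'http:' && hostIsEnforced(u.hostname)) {
    u.protocol = 'https:';
  }
  return u.href;
}

// Demo on constructed inputs.
for (const reg of [
  'http://registry.yarnpkg.com/registry',
  'http://registry.npmjs.org:80/registry',
  'HTTP://REGISTRY.NPMJS.COM/registry',
  'http://registry.mylittlepony.org/registry',
]) {
  console.log(reg, '->', resolveRequestUrl(reg, 'foo/bar/baz'));
}
```

Third-party registries are deliberately left on whatever scheme they were configured with, matching the "doesn't change the protocol for packages from other registries" test in the patch; the point of the enforcement is the public registries whose auth tokens yarn attaches automatically.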
--- Begin Message ---
Package: release.debian.org
Version: 10.2

Hi,

The fixes referenced by these bugs were included in today's 10.2 stable
point release.

Regards,

Adam

--- End Message ---
