Bug#930112: stretch-pu: package node-growl/1.7.0-1+deb9u1
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian.org@packages.debian.org
Usertags: pu
Hi all,
node-growl in stretch is vulnerable to #900868 / CVE-2017-16042 (user-supplied text passed unsanitized to exec). I
imported the upstream patch and embedded the small shell-escape module it adds as a dependency.
Cheers,
Xavier
-- System Information:
Debian Release: 10.0
APT prefers testing
APT policy: (600, 'testing'), (50, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.14.0-3-amd64 (SMP w/2 CPU cores)
Kernel taint flags: TAINT_WARN
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE= (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
diff --git a/debian/changelog b/debian/changelog
index 887691d..f98c7b0 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+node-growl (1.7.0-1+deb9u1) stretch; urgency=medium
+
+ * Sanitize input before passing it to exec. This embeds shell-escape little
+ module (Closes: #900868, CVE-2017-16042)
+
+ -- Xavier Guimard <yadd@debian.org> Fri, 07 Jun 2019 12:14:09 +0200
+
node-growl (1.7.0-1) unstable; urgency=low
* Initial release (closes: #704930).
diff --git a/debian/copyright b/debian/copyright
index cee6c0b..345297b 100644
--- a/debian/copyright
+++ b/debian/copyright
@@ -1,4 +1,4 @@
-Format: http://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
+Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
Upstream-Name: node-growl
Upstream-Contact: https://github.com/visionmedia/node-growl/issues
Source: https://github.com/visionmedia/node-growl
@@ -6,7 +6,7 @@ Copyright: Copyright (C) 2009- TJ Holowaychuk <tj@vision-media.ca>
Files: *
Copyright: Copyright (C) 2009- TJ Holowaychuk <tj@vision-media.ca>
-License: MIT
+License: Expat
Permission is hereby granted, free of charge, to any person
obtaining a copy of this software and associated documentation
files (the "Software"), to deal in the Software without
@@ -46,3 +46,31 @@ License: GPL-3+
.
On Debian systems, the complete text of the GNU General Public
License can be found in the file `/usr/share/common-licenses/GPL-3'.
+
+Files: debian/node_modules/shell-escape/*
+Copyright: Martin PANEL <https://github.com/xxorax>
+License: Expat
+ Permission is hereby granted, free of charge, to any person
+ obtaining a copy of this software and associated documentation
+ files (the "Software"), to deal in the Software without
+ restriction, including without limitation the rights to use,
+ copy, modify, merge, publish, distribute, sublicense, and/or sell
+ copies of the Software, and to permit persons to whom the
+ Software is furnished to do so, subject to the following
+ conditions:
+ .
+ The above copyright notice and this permission notice shall be
+ included in all copies or substantial portions of the Software.
+ .
+ THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+ EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES
+ OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+ NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT
+ HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY,
+ WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
+ FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR
+ OTHER DEALINGS IN THE SOFTWARE.
+Comment: The upstream distribution does not contain an explicit statement of
+ copyright ownership. Pursuant to the Berne Convention for the Protection of
+ Literary and Artistic Works, it is assumed that all content is copyright by
+ its respective authors unless otherwise stated.
diff --git a/debian/install b/debian/install
index f58f353..d76cfab 100644
--- a/debian/install
+++ b/debian/install
@@ -1 +1,3 @@
-lib/* usr/lib/nodejs/
+package.json usr/lib/nodejs/growl
+lib usr/lib/nodejs/growl/
+debian/node_modules usr/lib/nodejs/growl/
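Review bot: The install layout changes from `/usr/lib/nodejs/growl.js` (old `lib/* usr/lib/nodejs/`) to a `/usr/lib/nodejs/growl/` directory whose `package.json` points at `lib/growl.js`, so `require('growl')` keeps resolving but anything in stretch that loaded the module by its old absolute path would break after the update. A stable update normally avoids a path change; if it is needed so that `require('shell-escape')` is found under `usr/lib/nodejs/growl/node_modules`, it is worth stating that in the changelog and confirming that no reverse dependency uses the old path.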
diff --git a/debian/node_modules/shell-escape/package.json b/debian/node_modules/shell-escape/package.json
new file mode 100644
index 0000000..78338bd
--- /dev/null
+++ b/debian/node_modules/shell-escape/package.json
@@ -0,0 +1,52 @@
+{
+ "_from": "shell-escape",
+ "_id": "shell-escape@0.2.0",
+ "_inBundle": false,
+ "_integrity": "sha1-aP0CXrBJC09WegJ/C/IkgLX4QTM=",
+ "_location": "/shell-escape",
+ "_phantomChildren": {},
+ "_requested": {
+ "type": "tag",
+ "registry": true,
+ "raw": "shell-escape",
+ "name": "shell-escape",
+ "escapedName": "shell-escape",
+ "rawSpec": "",
+ "saveSpec": null,
+ "fetchSpec": "latest"
+ },
+ "_requiredBy": [
+ "#USER",
+ "/"
+ ],
+ "_resolved": "https://registry.npmjs.org/shell-escape/-/shell-escape-0.2.0.tgz",
+ "_shasum": "68fd025eb0490b4f567a027f0bf22480b5f84133",
+ "_spec": "shell-escape",
+ "_where": "/home/xavier/dev/debian/packages/node-growl",
+ "author": "",
+ "bugs": {
+ "url": "https://github.com/xxorax/node-shell-escape/issues"
+ },
+ "bundleDependencies": false,
+ "dependencies": {},
+ "deprecated": false,
+ "description": "Escape and stringify an array of arguments to be executed on the shell",
+ "homepage": "https://github.com/xxorax/node-shell-escape#readme",
+ "keywords": [
+ "shell",
+ "escape",
+ "bash",
+ "escapeshellarg"
+ ],
+ "license": "MIT",
+ "main": "./shell-escape.js",
+ "name": "shell-escape",
+ "repository": {
+ "type": "git",
+ "url": "git://github.com/xxorax/node-shell-escape.git"
+ },
+ "scripts": {
+ "test": "for f in test/*; do echo \"$f\"; node \"$f\" || exit 1; echo; done; echo Passed; exit 0"
+ },
+ "version": "0.2.0"
+}
diff --git a/debian/node_modules/shell-escape/shell-escape.js b/debian/node_modules/shell-escape/shell-escape.js
new file mode 100644
index 0000000..6d52ebd
--- /dev/null
+++ b/debian/node_modules/shell-escape/shell-escape.js
@@ -0,0 +1,17 @@
+module.exports = shellescape;
+
+// return a shell compatible format
+function shellescape(a) {
+ var ret = [];
+
+ a.forEach(function(s) {
+ if (!/^[A-Za-z0-9_\/-]+$/.test(s)) {
+ s = "'"+s.replace(/'/g,"'\\''")+"'";
+ s = s.replace(/^(?:'')+/g, '') // unduplicate single-quote at the beginning
+ .replace(/\\'''/g, "\\'" ); // remove non-escaped single-quote if there are enclosed between 2 escaped
+ }
+ ret.push(s);
+ });
+
+ return ret.join(' ');
+}
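Review bot: An empty string argument is dropped entirely by this function: `''` fails the safe-character test, is wrapped as `''`, and the leading-`''` stripping on the next line then removes it, so `shellescape(['notify-send', ''])` yields `notify-send ` with no second argument. In growl that means an empty `msg` simply disappears from the command line instead of being passed as an empty argument; guarding before the quoting with `if (s === '') { ret.push("''"); return; }` keeps the argument count stable. The function also assumes every element is a string (`s.replace` throws on a number), which holds for growl's callers as far as the patch shows but deserves a one-line comment on the exported function.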
diff --git a/debian/patches/CVE-2017-16042.patch b/debian/patches/CVE-2017-16042.patch
new file mode 100644
index 0000000..956b482
--- /dev/null
+++ b/debian/patches/CVE-2017-16042.patch
@@ -0,0 +1,97 @@
+Description: Fix for CVE-2017-16042
+ node-growl does not properly sanitize input before passing it to exec.
+Author: Zsolt Imre <https://github.com/keymandll>
+Origin: upstream, https://github.com/tj/node-growl/commit/d9f6ea2f
+Bug: https://github.com/tj/node-growl/issues/60
+Bug-Debian: https://bugs.debian.org/900868
+Forwarded: not-needed
+Reviewed-By: Xavier Guimard <yadd@debian.org>
+Last-Update: 2019-06-07
+
+--- a/lib/growl.js
++++ b/lib/growl.js
+@@ -9,7 +9,7 @@
+ , path = require('path')
+ , exists = fs.existsSync || path.existsSync
+ , os = require('os')
+- , quote = JSON.stringify
++ , shellescape = require('shell-escape')
+ , cmd;
+
+ function which(name) {
+@@ -169,7 +169,7 @@
+ if (!options.sticky) args.push('--hint=int:transient:1');
+ break;
+ case 'Windows':
+- args.push(cmd.icon + quote(image));
++ args.push(cmd.icon + image);
+ break;
+ }
+ }
+@@ -194,41 +194,41 @@
+ switch(cmd.type) {
+ case 'Darwin-Growl':
+ args.push(cmd.msg);
+- args.push(quote(msg));
+- if (options.title) args.push(quote(options.title));
++ args.push(msg);
++ if (options.title) args.push(options.title);
+ break;
+ case 'Darwin-NotificationCenter':
+ args.push(cmd.msg);
+- args.push(quote(msg));
++ args.push(msg);
+ if (options.title) {
+ args.push(cmd.title);
+- args.push(quote(options.title));
++ args.push(options.title);
+ }
+ if (options.subtitle) {
+ args.push(cmd.subtitle);
+- args.push(quote(options.title));
++ args.push(options.title);
+ }
+ break;
+ case 'Darwin-Growl':
+ args.push(cmd.msg);
+- args.push(quote(msg));
+- if (options.title) args.push(quote(options.title));
++ args.push(msg);
++ if (options.title) args.push(options.title);
+ break;
+ case 'Linux':
+ if (options.title) {
+- args.push(quote(options.title));
++ args.push(options.title);
+ args.push(cmd.msg);
+- args.push(quote(msg));
++ args.push(msg);
+ } else {
+- args.push(quote(msg));
++ args.push(msg);
+ }
+ break;
+ case 'Windows':
+- args.push(quote(msg));
+- if (options.title) args.push(cmd.title + quote(options.title));
++ args.push(msg);
++ if (options.title) args.push(cmd.title + options.title);
+ break;
+ }
+
+ // execute
+- exec(args.join(' '), fn);
++ exec(shellescape(args), fn);
+ };
+--- a/package.json
++++ b/package.json
+@@ -3,5 +3,8 @@
+ "version": "1.7.0",
+ "description": "Growl unobtrusive notifications",
+ "author": "TJ Holowaychuk <tj@vision-media.ca>",
+- "main": "./lib/growl.js"
++ "main": "./lib/growl.js",
++ "dependencies": {
++ "shell-escape": "^0.2.0"
++ }
+ }
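Review bot: `exec(shellescape(args), fn)` at the end of the growl.js hunk still runs the command through `/bin/sh`, so the fix is only as strong as the vendored shell-escape module; `execFile(args[0], args.slice(1), fn)` from the same `child_process` module would pass an explicit argv and make quoting unnecessary (the `exec` require sits above the hunk, so that would need a second hunk). Shell quoting also does not stop option injection: shell-escape leaves anything matching `^[A-Za-z0-9_/-]+$` unquoted, and the Linux branch pushes `options.title` and `msg` straight after the flags, so a title such as `-t` or `--help` reaches notify-send as an option rather than as text regardless of quoting — a `--` before the positional arguments, if notify-send accepts it, or rejecting values that start with `-` would close that. Unrelated to the CVE but carried through by the hunk, the `Darwin-NotificationCenter` subtitle branch pushes `options.title` where `options.subtitle` was evidently intended.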
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 0000000..88b770c
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1 @@
+CVE-2017-16042.patch
diff --git a/debian/rules b/debian/rules
index efbb973..4610eca 100755
--- a/debian/rules
+++ b/debian/rules
@@ -5,7 +5,7 @@
#export DH_VERBOSE=1
override_dh_auto_test:
- nodejs $(CURDIR)/test.js
+ NODE_PATH=debian/node_modules nodejs $(CURDIR)/test.js
%:
dh $@