--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu
[ Reason ]
grunt is vulnerable to a medium CVE (CVE-2020-7729, #969668)
[ Impact ]
The package grunt before 1.3.0 are vulnerable to Arbitrary Code
Execution due to the default usage of the function load() instead of
its secure replacement safeLoad() of the package js-yaml inside
grunt.file.readYAML.
[ Tests ]
Patch contains new upstream test. autopkgtest is OK
[ Risks ]
Low risk: the patch just adds some checks
[ Checklist ]
[X] *all* changes are documented in the d/changelog
[X] I reviewed all changes and I approve them
[X] attach debdiff against the package in (old)stable
[X] the issue is verified as fixed in unstable
[ Changes ]
Upstream patch is imported without changes. It adds some checks during
YAML file read and a little test.
[ Other info ]
Thanks for your work!
diff --git a/debian/changelog b/debian/changelog
index eaf56cc..f15438c 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+grunt (1.0.1-8+deb10u1) buster; urgency=medium
+
+ * Team upload
+ * Use `safeLoad` for loading YML files via `file.readYAML`
+ (Closes: #969668, CVE-2020-7729)
+
+ -- Xavier Guimard <yadd@debian.org> Sun, 06 Sep 2020 23:41:10 +0200
+
grunt (1.0.1-8) unstable; urgency=medium
[ Harish K ]
diff --git a/debian/patches/CVE-2020-7729.patch b/debian/patches/CVE-2020-7729.patch
new file mode 100644
index 0000000..64bed12
--- /dev/null
+++ b/debian/patches/CVE-2020-7729.patch
@@ -0,0 +1,53 @@
+Description: Switch to use `safeLoad` for loading YML files via `file.readYAML`.
+Author: Vlad Filippov <vlad.filippov@gmail.com>
+Origin: upstream, https://github.com/gruntjs/grunt/commit/e350cea1
+Bug: https://snyk.io/vuln/SNYK-JS-GRUNT-597546
+Bug-Debian: https://bugs.debian.org/969668
+Forwarded: not-needed
+Reviewed-By: Xavier Guimard <yadd@debian.org>
+Last-Update: 2020-09-06
+
+--- a/lib/grunt/file.js
++++ b/lib/grunt/file.js
+@@ -252,12 +252,21 @@
+ };
+
+ // Read a YAML file, parse its contents, return an object.
+-file.readYAML = function(filepath, options) {
++file.readYAML = function(filepath, options, yamlOptions) {
++ if (!options) { options = {}; }
++ if (!yamlOptions) { yamlOptions = {}; }
++
+ var src = file.read(filepath, options);
+ var result;
+ grunt.verbose.write('Parsing ' + filepath + '...');
+ try {
+- result = YAML.load(src);
++ // use the recommended way of reading YAML files
++ // https://github.com/nodeca/js-yaml#safeload-string---options-
++ if (yamlOptions.unsafeLoad) {
++ result = YAML.load(src);
++ } else {
++ result = YAML.safeLoad(src);
++ }
+ grunt.verbose.ok();
+ return result;
+ } catch (e) {
+--- a/test/grunt/file_test.js
++++ b/test/grunt/file_test.js
+@@ -452,10 +452,13 @@
+ test.done();
+ },
+ 'readYAML': function(test) {
+- test.expect(3);
++ test.expect(4);
+ var obj;
+ obj = grunt.file.readYAML('test/fixtures/utf8.yaml');
+- test.deepEqual(obj, this.object, 'file should be read as utf8 by default and parsed correctly.');
++ test.deepEqual(obj, this.object, 'file should be safely read as utf8 by default and parsed correctly.');
++
++ obj = grunt.file.readYAML('test/fixtures/utf8.yaml', null, {unsafeLoad: true});
++ test.deepEqual(obj, this.object, 'file should be unsafely read as utf8 by default and parsed correctly.');
+
+ obj = grunt.file.readYAML('test/fixtures/iso-8859-1.yaml', {encoding: 'iso-8859-1'});
+ test.deepEqual(obj, this.object, 'file should be read using the specified encoding.');
diff --git a/debian/patches/series b/debian/patches/series
index fcd76bd..a874060 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,3 +1,4 @@
add-root-variable.patch
reproducible-build.patch
adapt-gruntfile.patch
+CVE-2020-7729.patch
--- End Message ---