Bug#986175: unblock: underscore/1.9.1~dfsg-2
Control: tags -1 moreinfo
On 2021-03-30 22:49:43, Yadd wrote:
> Package: release.debian.org
> Severity: normal
> User: release.debian.org@packages.debian.org
> Usertags: unblock
> X-Debbugs-Cc: pkg-javascript-devel@lists.alioth.debian.org
>
> Please unblock package underscore
>
> [ Reason ]
> underscore is vulnerable to arbitrary code execution (#986171,
> CVE-2021-23358)
>
> [ Impact ]
> CVE provided a PoC to prove arbitrary code execution
>
> [ Tests ]
> I added a test to prove that the bug is fixed (based on the PoC). The test fails
> with 1.9.1~dfsg-1 and passes with 1.9.1~dfsg-2
>
> [ Risks ]
> The patch is trivial. Note: I also imported the Janitor changes; this breaks
> nothing
The patch looks fine, but please upload a version without the janitor
changes. It's too late for those changes and they can wait for bookworm.
Cheers
>
> [ Checklist ]
> [X] all changes are documented in the d/changelog
> [X] I reviewed all changes and I approve them
> [X] attach debdiff against the package in testing
>
> [ Other ]
> I downgraded the autopkgtest to "superficial" since nothing was really tested
> (just a node "require"). That's why I'm filing this ;-)
>
> Regards,
> Yadd
>
> unblock underscore/1.9.1~dfsg-2
> diff --git a/debian/changelog b/debian/changelog
> index 02cd807..fed9aa8 100644
> --- a/debian/changelog
> +++ b/debian/changelog
> @@ -1,3 +1,26 @@
> +underscore (1.9.1~dfsg-2) unstable; urgency=medium
> +
> + * Team upload
> +
> + [ Debian Janitor ]
> + * Bump debhelper dependency to >= 9, since that's what is used in
> + debian/compat.
> + * Bump debhelper from old 9 to 12.
> + * Set debhelper-compat version in Build-Depends.
> + * Set upstream metadata fields: Bug-Database, Repository, Repository-
> + Browse.
> + * Update standards version to 4.4.1, no changes needed.
> + * Set upstream metadata fields: Bug-Submit.
> + * Update standards version to 4.5.0, no changes needed.
> + * Apply multi-arch hints.
> + + node-underscore: Add Multi-Arch: foreign.
> +
> + [ Yadd ]
> + * Mark autopkgtest as superficial
> + * Fix arbitrary code execution and add a test (Closes: #986171)
> +
> + -- Yadd <yadd@debian.org> Tue, 30 Mar 2021 22:40:59 +0200
> +
> underscore (1.9.1~dfsg-1) unstable; urgency=medium
>
> [ upstream ]
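Review bot: the changelog line `* Fix arbitrary code execution and add a test (Closes: #986171)` does not name CVE-2021-23358, although the patch file, the test name and the security tracker all use it; add the identifier to that line so the fix is traceable from the changelog alone. The whole `[ Debian Janitor ]` block (debhelper-compat 12, Standards-Version 4.5.0, Multi-Arch: foreign, debian/upstream/metadata) is unrelated to the security fix and inflates the freeze debdiff; an upload carrying only the `[ Yadd ]` items is what the release team can review and unblock quickly.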
> diff --git a/debian/compat b/debian/compat
> deleted file mode 100644
> index ec63514..0000000
> --- a/debian/compat
> +++ /dev/null
> @@ -1 +0,0 @@
> -9
> diff --git a/debian/control b/debian/control
> index cb1e7e9..fc1d26b 100644
> --- a/debian/control
> +++ b/debian/control
> @@ -7,11 +7,11 @@ Uploaders:
> David Paleino <dapal@debian.org>,
> Build-Depends:
> brotli,
> - debhelper,
> + debhelper-compat (= 12),
> node-source-map,
> pigz,
> uglifyjs (>= 3),
> -Standards-Version: 4.3.0
> +Standards-Version: 4.5.0
> Homepage: https://underscorejs.org/
> Vcs-Browser: https://salsa.debian.org/js-team/underscore
> Vcs-Git: https://salsa.debian.org/js-team/underscore.git
> @@ -44,6 +44,7 @@ Depends:
> libjs-underscore,
> nodejs,
> ${misc:Depends},
> +Multi-Arch: foreign
> Description: JavaScript's functional programming helper library - NodeJS
> Underscore is a utility-belt library for JavaScript that provides a lot
> of the functional programming support that you would expect in
> diff --git a/debian/patches/CVE-2021-23358.patch b/debian/patches/CVE-2021-23358.patch
> new file mode 100644
> index 0000000..2ba4118
> --- /dev/null
> +++ b/debian/patches/CVE-2021-23358.patch
> @@ -0,0 +1,62 @@
> +Description: fix arbitrary code execution
> +Author: Julian Gonggrijp <dev@juliangonggrijp.com>
> +Origin: upstream, https://github.com/jashkenas/underscore/commit/4c73526d
> +Bug: https://snyk.io/vuln/SNYK-JS-UNDERSCORE-1080984
> +Bug-Debian: https://bugs.debian.org/986171
> +Forwarded: not-needed
> +Reviewed-By: Xavier Guimard <yadd@debian.org>
> +Last-Update: 2021-03-30
> +
> +--- a/underscore.js
> ++++ b/underscore.js
> +@@ -1550,6 +1550,13 @@
> + return '\\' + escapes[match];
> + };
> +
> ++ // In order to prevent third-party code injection through
> ++ // `_.templateSettings.variable`, we test it against the following regular
> ++ // expression. It is intentionally a bit more liberal than just matching valid
> ++ // identifiers, but still prevents possible loopholes through defaults or
> ++ // destructuring assignment.
> ++ var bareIdentifier = /^\s*(\w|\$)+\s*$/;
> ++
> + // JavaScript micro-templating, similar to John Resig's implementation.
> + // Underscore templating handles arbitrary delimiters, preserves whitespace,
> + // and correctly escapes quotes within interpolated code.
> +@@ -1585,8 +1592,17 @@
> + });
> + source += "';\n";
> +
> +- // If a variable is not specified, place data values in local scope.
> +- if (!settings.variable) source = 'with(obj||{}){\n' + source + '}\n';
> ++ var argument = settings.variable;
> ++ if (argument) {
> ++ // Insure against third-party code injection.
> ++ if (!bareIdentifier.test(argument)) throw new Error(
> ++ 'variable is not a bare identifier: ' + argument
> ++ );
> ++ } else {
> ++ // If a variable is not specified, place data values in local scope.
> ++ source = 'with(obj||{}){\n' + source + '}\n';
> ++ argument = 'obj';
> ++ }
> +
> + source = "var __t,__p='',__j=Array.prototype.join," +
> + "print=function(){__p+=__j.call(arguments,'');};\n" +
> +@@ -1594,7 +1610,7 @@
> +
> + var render;
> + try {
> +- render = new Function(settings.variable || 'obj', '_', source);
> ++ render = new Function(argument, '_', source);
> + } catch (e) {
> + e.source = source;
> + throw e;
> +@@ -1605,7 +1621,6 @@
> + };
> +
> + // Provide the compiled source as a convenience for precompilation.
> +- var argument = settings.variable || 'obj';
> + template.source = 'function(' + argument + '){\n' + source + '}';
> +
> + return template;
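Review bot: `bareIdentifier` (`/^\s*(\w|\$)+\s*$/`) still admits names that begin with a digit; those reach `new Function(argument, '_', source)`, which rejects them with a SyntaxError that the existing `catch (e)` block rethrows with `e.source` attached, so the outcome is a compile-time failure rather than execution of the supplied string, and the upstream comment says the looseness is deliberate. The check runs before both `new Function` and the `template.source = 'function(' + argument + '){...}'` string, so the precompilation output is covered as well. Callers that previously passed a destructuring pattern or an assignment as `settings.variable` will now get `variable is not a bare identifier`; that is the point of the fix, but it is a visible behaviour change and deserves a sentence in the changelog entry.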
> diff --git a/debian/patches/series b/debian/patches/series
> index da362d2..7ddac86 100644
> --- a/debian/patches/series
> +++ b/debian/patches/series
> @@ -1 +1,2 @@
> 2001_docs_privacy.patch
> +CVE-2021-23358.patch
> diff --git a/debian/tests/CVE-2021-23358 b/debian/tests/CVE-2021-23358
> new file mode 100755
> index 0000000..a2ae590
> --- /dev/null
> +++ b/debian/tests/CVE-2021-23358
> @@ -0,0 +1,11 @@
> +#!/bin/sh
> +
> +if node debian/tests/CVE-2021-23358.js 2>/dev/null; then
> + rm -f HELLO
> + echo 'Vulnerable to CVE-2021-23358' >&2
> + exit 1
> +else
> + echo
> + echo 'Not vulnerable to CVE-2021-23358'
> + exit 0
> +fi
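Review bot: the script takes any non-zero exit of `node debian/tests/CVE-2021-23358.js` as proof that the package is fixed, so a missing `node`, a failing `require('underscore')` or any unrelated exception also prints `Not vulnerable to CVE-2021-23358` and passes. Assert the positive condition instead: after the run, check that no `HELLO` file exists and that stderr contains `variable is not a bare identifier` (drop `2>/dev/null` or redirect it to a file and grep it). Remove `HELLO` before the run as well, not only in the vulnerable branch, so a stale file from an earlier run cannot mask a regression; the bare `echo` before the success message looks like a leftover.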
> diff --git a/debian/tests/CVE-2021-23358.js b/debian/tests/CVE-2021-23358.js
> new file mode 100644
> index 0000000..fad7c77
> --- /dev/null
> +++ b/debian/tests/CVE-2021-23358.js
> @@ -0,0 +1,3 @@
> +const _ = require('underscore');
> +_.templateSettings.variable = "a = this.process.mainModule.require('child_process').execSync('touch HELLO')";
> +const t = _.template("")();
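Review bot: `const t` is never used; the call is made only for its side effect, so `_.template("")();` on its own reads more clearly. Add a comment stating the expected outcome with the patch applied (a thrown `Error` mentioning `variable is not a bare identifier`), so that the inverted exit-code logic in the wrapper script is understandable when this file is read by itself.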
> diff --git a/debian/tests/control b/debian/tests/control
> index 7275831..868aa31 100644
> --- a/debian/tests/control
> +++ b/debian/tests/control
> @@ -1 +1,7 @@
> Test-Command: node -e "require('underscore');"
> +Depends: @
> +Restrictions: superficial
> +
> +Tests: CVE-2021-23358
> +Depends: @
> +Restrictions: superficial
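Review bot: the new `Tests: CVE-2021-23358` stanza carries `Restrictions: superficial`, but that test exercises the template code path and fails on 1.9.1~dfsg-1, so it is a genuine regression test; `superficial` tells britney and ci.debian.net that the test does not verify functionality, which means a failure here would not block migration. Keep the restriction only on the `node -e "require('underscore');"` smoke test and drop it from the CVE stanza. `Depends: @` covers the runtime, since node-underscore depends on nodejs per debian/control.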
> diff --git a/debian/upstream/metadata b/debian/upstream/metadata
> new file mode 100644
> index 0000000..ae91ed7
> --- /dev/null
> +++ b/debian/upstream/metadata
> @@ -0,0 +1,4 @@
> +Bug-Database: https://github.com/jashkenas/underscore/issues
> +Repository: https://github.com/jashkenas/underscore.git
> +Repository-Browse: https://github.com/jashkenas/underscore
> +Bug-Submit: https://github.com/jashkenas/underscore/issues/new
--
Sebastian Ramacher