Bug#986175: unblock: underscore/1.9.1~dfsg-2
Control: tags -1 - moreinfo
Le 31/03/2021 à 09:52, Sebastian Ramacher a écrit :
> Control: tags -1 moreinfo
>
> On 2021-03-30 22:49:43, Yadd wrote:
>> Package: release.debian.org
>> Severity: normal
>> User: release.debian.org@packages.debian.org
>> Usertags: unblock
>> X-Debbugs-Cc: pkg-javascript-devel@lists.alioth.debian.org
>>
>> Please unblock package underscore
>>
>> [ Reason ]
>> underscore is vulnerable to arbitrary code execution (#986171,
>> CVE-2021-23358)
>>
>> [ Impact ]
>> The CVE report provided a PoC demonstrating arbitrary code execution
>>
>> [ Tests ]
>> I added a test (based on the PoC) to prove that the bug is fixed. The test
>> fails with 1.9.1~dfsg-1 and passes with 1.9.1~dfsg-2
>>
>> [ Risks ]
>> The patch is trivial. Note: I also imported the Janitor changes; this
>> breaks nothing
>
> The patch looks fine, but please upload a version without the janitor
> changes. It's too late for those changes and they can wait for bookworm.
>
> Cheers
Hi,
thanks, done in version 1.9.1~dfsg-3
Cheers,
Yadd
diff --git a/debian/changelog b/debian/changelog
index 02cd807..3936261 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,33 @@
+underscore (1.9.1~dfsg-3) unstable; urgency=medium
+
+ * Team upload
+ * Revert Janitor changes as required by release team (#986175)
+
+ -- Yadd <yadd@debian.org> Wed, 31 Mar 2021 14:21:21 +0200
+
+underscore (1.9.1~dfsg-2) unstable; urgency=medium
+
+ * Team upload
+
+ [ Debian Janitor ]
+ * Bump debhelper dependency to >= 9, since that's what is used in
+ debian/compat.
+ * Bump debhelper from old 9 to 12.
+ * Set debhelper-compat version in Build-Depends.
+ * Set upstream metadata fields: Bug-Database, Repository, Repository-
+ Browse.
+ * Update standards version to 4.4.1, no changes needed.
+ * Set upstream metadata fields: Bug-Submit.
+ * Update standards version to 4.5.0, no changes needed.
+ * Apply multi-arch hints.
+ + node-underscore: Add Multi-Arch: foreign.
+
+ [ Yadd ]
+ * Mark autopkgtest as superficial
+ * Fix arbitrary code execution and add a test (Closes: #986171)
+
+ -- Yadd <yadd@debian.org> Tue, 30 Mar 2021 22:40:59 +0200
+
underscore (1.9.1~dfsg-1) unstable; urgency=medium
[ upstream ]
diff --git a/debian/patches/CVE-2021-23358.patch b/debian/patches/CVE-2021-23358.patch
new file mode 100644
index 0000000..2ba4118
--- /dev/null
+++ b/debian/patches/CVE-2021-23358.patch
@@ -0,0 +1,62 @@
+Description: fix arbitrary code execution
+Author: Julian Gonggrijp <dev@juliangonggrijp.com>
+Origin: upstream, https://github.com/jashkenas/underscore/commit/4c73526d
+Bug: https://snyk.io/vuln/SNYK-JS-UNDERSCORE-1080984
+Bug-Debian: https://bugs.debian.org/986171
+Forwarded: not-needed
+Reviewed-By: Xavier Guimard <yadd@debian.org>
+Last-Update: 2021-03-30
+
+--- a/underscore.js
++++ b/underscore.js
+@@ -1550,6 +1550,13 @@
+ return '\\' + escapes[match];
+ };
+
++ // In order to prevent third-party code injection through
++ // `_.templateSettings.variable`, we test it against the following regular
++ // expression. It is intentionally a bit more liberal than just matching valid
++ // identifiers, but still prevents possible loopholes through defaults or
++ // destructuring assignment.
++ var bareIdentifier = /^\s*(\w|\$)+\s*$/;
++
+ // JavaScript micro-templating, similar to John Resig's implementation.
+ // Underscore templating handles arbitrary delimiters, preserves whitespace,
+ // and correctly escapes quotes within interpolated code.
+@@ -1585,8 +1592,17 @@
+ });
+ source += "';\n";
+
+- // If a variable is not specified, place data values in local scope.
+- if (!settings.variable) source = 'with(obj||{}){\n' + source + '}\n';
++ var argument = settings.variable;
++ if (argument) {
++ // Insure against third-party code injection.
++ if (!bareIdentifier.test(argument)) throw new Error(
++ 'variable is not a bare identifier: ' + argument
++ );
++ } else {
++ // If a variable is not specified, place data values in local scope.
++ source = 'with(obj||{}){\n' + source + '}\n';
++ argument = 'obj';
++ }
+
+ source = "var __t,__p='',__j=Array.prototype.join," +
+ "print=function(){__p+=__j.call(arguments,'');};\n" +
+@@ -1594,7 +1610,7 @@
+
+ var render;
+ try {
+- render = new Function(settings.variable || 'obj', '_', source);
++ render = new Function(argument, '_', source);
+ } catch (e) {
+ e.source = source;
+ throw e;
+@@ -1605,7 +1621,6 @@
+ };
+
+ // Provide the compiled source as a convenience for precompilation.
+- var argument = settings.variable || 'obj';
+ template.source = 'function(' + argument + '){\n' + source + '}';
+
+ return template;
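Review bot: The DEP-3 `Description:` line does not record the behaviour change this patch introduces: a `_.templateSettings.variable` that is not a bare identifier now throws an `Error` from `_.template` instead of being spliced into the `new Function` call, and because `\w` in a JavaScript regex is ASCII-only, `bareIdentifier` also rejects non-ASCII identifiers that `new Function` itself would have accepted. Callers reading the changelog or the patch header cannot see either consequence. I would extend the header to something like `Description: fix arbitrary code execution via _.templateSettings.variable` followed by a second line explaining that values which do not match `/^\s*(\w|\$)+\s*$/` (so any non-ASCII identifier) now raise `Error('variable is not a bare identifier: ...')`. The regex itself is safe from catastrophic backtracking since `\s` and `\w|\$` cannot match the same character, so no code change is needed here.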
diff --git a/debian/patches/series b/debian/patches/series
index da362d2..7ddac86 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1 +1,2 @@
2001_docs_privacy.patch
+CVE-2021-23358.patch
diff --git a/debian/tests/CVE-2021-23358 b/debian/tests/CVE-2021-23358
new file mode 100755
index 0000000..a2ae590
--- /dev/null
+++ b/debian/tests/CVE-2021-23358
@@ -0,0 +1,11 @@
+#!/bin/sh
+
+if node debian/tests/CVE-2021-23358.js 2>/dev/null; then
+ rm -f HELLO
+ echo 'Vulnerable to CVE-2021-23358' >&2
+ exit 1
+else
+ echo
+ echo 'Not vulnerable to CVE-2021-23358'
+ exit 0
+fi
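Review bot: The script treats any non-zero exit of node as "not vulnerable", and with `2>/dev/null` on the `if` line it discards the only evidence of why node failed, so a missing `underscore` module, a node crash, or the PoC payload itself failing on a newer runtime all report a pass on a package that may still be vulnerable. The harness should keep stderr and require the specific rejection the patch emits, `variable is not a bare identifier`, and it should also check that the payload's side effect (the `HELLO` file) did not occur, cleaning it up before the run rather than only in the vulnerable branch. A `set -e` would additionally stop a failed `rm` from being mistaken for a pass.
```shell
#!/bin/sh
set -e
# A clean exit of the PoC means the hostile `variable` was accepted: vulnerable.
# A non-zero exit only counts as a pass when the fixed library rejected it,
# so keep stderr and inspect it instead of discarding it.
errlog="${AUTOPKGTEST_TMP:-/tmp}/cve-2021-23358.err"
rm -f HELLO
if node debian/tests/CVE-2021-23358.js 2>"$errlog"; then
  rm -f HELLO
  echo 'Vulnerable to CVE-2021-23358' >&2
  exit 1
fi
if [ -e HELLO ] || ! grep -q 'variable is not a bare identifier' "$errlog"; then
  rm -f HELLO
  echo 'PoC did not fail in the expected way:' >&2
  cat "$errlog" >&2
  exit 1
fi
echo 'Not vulnerable to CVE-2021-23358'
```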
diff --git a/debian/tests/CVE-2021-23358.js b/debian/tests/CVE-2021-23358.js
new file mode 100644
index 0000000..fad7c77
--- /dev/null
+++ b/debian/tests/CVE-2021-23358.js
@@ -0,0 +1,3 @@
+const _ = require('underscore');
+_.templateSettings.variable = "a = this.process.mainModule.require('child_process').execSync('touch HELLO')";
+const t = _.template("")();
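Review bot: The file's pass/fail convention is inverted relative to a normal test — a clean exit means the package is vulnerable and an exception is the desired outcome — but nothing in the file says so, and `const t` on the last line binds a value that is never read. A header comment such as `// Regression check for CVE-2021-23358: _.template must throw on a non-identifier templateSettings.variable; a clean exit means the PoC executed.` would make the intent clear to whoever next edits the wrapper script, and the last line can simply be `_.template("")();`.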
diff --git a/debian/tests/control b/debian/tests/control
index 7275831..868aa31 100644
--- a/debian/tests/control
+++ b/debian/tests/control
@@ -1 +1,7 @@
Test-Command: node -e "require('underscore');"
+Depends: @
+Restrictions: superficial
+
+Tests: CVE-2021-23358
+Depends: @
+Restrictions: superficial
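Review bot: The new `Tests: CVE-2021-23358` stanza is marked `Restrictions: superficial`, yet it is a functional regression test for the security fix rather than a load-only smoke test like the `Test-Command` stanza above it; the superficial restriction tells the CI that a pass carries no evidence the package works, which undercuts the purpose stated in the changelog entry "Fix arbitrary code execution and add a test". Unless the test is known to be unreliable, I would drop the `Restrictions: superficial` line from that stanza only, leaving it on the smoke test.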