
Bug#986175: marked as done (unblock: underscore/1.9.1~dfsg-2)



Your message dated Wed, 31 Mar 2021 13:05:05 +0000
with message-id <E1lRaWv-0004pe-Fj@respighi.debian.org>
and subject line unblock underscore
has caused the Debian Bug report #986175,
regarding unblock: underscore/1.9.1~dfsg-2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
986175: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=986175
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: pkg-javascript-devel@lists.alioth.debian.org

Please unblock package underscore

[ Reason ]
underscore is vulnerable to arbitrary code execution (#986171,
CVE-2021-23358)

[ Impact ]
The CVE report provided a PoC to prove arbitrary code execution

[ Tests ]
I added a test (based on the PoC) to prove that the bug is fixed. The test
fails with 1.9.1~dfsg-1 and passes with 1.9.1~dfsg-2

[ Risks ]
The patch is trivial. Note: I also imported the Janitor changes; this
breaks nothing

[ Checklist ]
  [X] all changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in testing

[ Other ]
I downgraded the autopkgtest to "superficial" since nothing was really
tested (just a node "require"). That's why I'm filing this ;-)

Regards,
Yadd

unblock underscore/1.9.1~dfsg-2
diff --git a/debian/changelog b/debian/changelog
index 02cd807..fed9aa8 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,26 @@
+underscore (1.9.1~dfsg-2) unstable; urgency=medium
+
+  * Team upload
+
+  [ Debian Janitor ]
+  * Bump debhelper dependency to >= 9, since that's what is used in
+    debian/compat.
+  * Bump debhelper from old 9 to 12.
+  * Set debhelper-compat version in Build-Depends.
+  * Set upstream metadata fields: Bug-Database, Repository, Repository-
+    Browse.
+  * Update standards version to 4.4.1, no changes needed.
+  * Set upstream metadata fields: Bug-Submit.
+  * Update standards version to 4.5.0, no changes needed.
+  * Apply multi-arch hints.
+    + node-underscore: Add Multi-Arch: foreign.
+
+  [ Yadd ]
+  * Mark autopkgtest as superficial
+  * Fix arbitrary code execution and add a test (Closes: #986171)
+
+ -- Yadd <yadd@debian.org>  Tue, 30 Mar 2021 22:40:59 +0200
+
 underscore (1.9.1~dfsg-1) unstable; urgency=medium
 
   [ upstream ]
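Review bot: the entry "Fix arbitrary code execution and add a test (Closes: #986171)" never names CVE-2021-23358, although the patch file and the autopkgtest are both named after it; Debian practice is to cite the CVE identifier in the changelog so the security tracker and anyone grepping changelogs can match the fix. Suggest "Fix arbitrary code execution (CVE-2021-23358) and add a test (Closes: #986171)".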
diff --git a/debian/compat b/debian/compat
deleted file mode 100644
index ec63514..0000000
--- a/debian/compat
+++ /dev/null
@@ -1 +0,0 @@
-9
diff --git a/debian/control b/debian/control
index cb1e7e9..fc1d26b 100644
--- a/debian/control
+++ b/debian/control
@@ -7,11 +7,11 @@ Uploaders:
  David Paleino <dapal@debian.org>,
 Build-Depends:
  brotli,
- debhelper,
+ debhelper-compat (= 12),
  node-source-map,
  pigz,
  uglifyjs (>= 3),
-Standards-Version: 4.3.0
+Standards-Version: 4.5.0
 Homepage: https://underscorejs.org/
 Vcs-Browser: https://salsa.debian.org/js-team/underscore
 Vcs-Git: https://salsa.debian.org/js-team/underscore.git
@@ -44,6 +44,7 @@ Depends:
  libjs-underscore,
  nodejs,
  ${misc:Depends},
+Multi-Arch: foreign
 Description: JavaScript's functional programming helper library - NodeJS
  Underscore is a utility-belt library for JavaScript that provides a lot
  of the functional programming support that you would expect in
diff --git a/debian/patches/CVE-2021-23358.patch b/debian/patches/CVE-2021-23358.patch
new file mode 100644
index 0000000..2ba4118
--- /dev/null
+++ b/debian/patches/CVE-2021-23358.patch
@@ -0,0 +1,62 @@
+Description: fix arbitrary code execution
+Author: Julian Gonggrijp <dev@juliangonggrijp.com>
+Origin: upstream, https://github.com/jashkenas/underscore/commit/4c73526d
+Bug: https://snyk.io/vuln/SNYK-JS-UNDERSCORE-1080984
+Bug-Debian: https://bugs.debian.org/986171
+Forwarded: not-needed
+Reviewed-By: Xavier Guimard <yadd@debian.org>
+Last-Update: 2021-03-30
+
+--- a/underscore.js
++++ b/underscore.js
+@@ -1550,6 +1550,13 @@
+     return '\\' + escapes[match];
+   };
+ 
++  // In order to prevent third-party code injection through
++  // `_.templateSettings.variable`, we test it against the following regular
++  // expression. It is intentionally a bit more liberal than just matching valid
++  // identifiers, but still prevents possible loopholes through defaults or
++  // destructuring assignment.
++  var bareIdentifier = /^\s*(\w|\$)+\s*$/;
++
+   // JavaScript micro-templating, similar to John Resig's implementation.
+   // Underscore templating handles arbitrary delimiters, preserves whitespace,
+   // and correctly escapes quotes within interpolated code.
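Review bot: `\w` includes digits, so `bareIdentifier` accepts values such as `1abc` that are not valid identifiers, and the surrounding `\s*` admits leading and trailing whitespace. Neither widens the attack surface: a digit-leading name makes `new Function` fail with a SyntaxError (caught and re-thrown with `e.source` further down) rather than evaluate anything, and whitespace around a parameter name is legal. The property actually relied on is that `=`, `(`, `{`, `[` and `.` are all rejected, which blocks default initialisers, destructuring and member access; worth one sentence in the patch header so a future refresh does not "fix" the regex into something looser.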
+@@ -1585,8 +1592,17 @@
+     });
+     source += "';\n";
+ 
+-    // If a variable is not specified, place data values in local scope.
+-    if (!settings.variable) source = 'with(obj||{}){\n' + source + '}\n';
++    var argument = settings.variable;
++    if (argument) {
++      // Insure against third-party code injection.
++      if (!bareIdentifier.test(argument)) throw new Error(
++        'variable is not a bare identifier: ' + argument
++      );
++    } else {
++      // If a variable is not specified, place data values in local scope.
++      source = 'with(obj||{}){\n' + source + '}\n';
++      argument = 'obj';
++    }
+ 
+     source = "var __t,__p='',__j=Array.prototype.join," +
+       "print=function(){__p+=__j.call(arguments,'');};\n" +
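Review bot: the rejection throws a plain `Error` without attaching `e.source`, whereas the `new Function` failure path below catches and re-throws with `e.source` set. That is fine for security (the string never reaches the parser), but callers that read `e.source` for diagnostics will see two different error shapes; if the patch is ever refreshed, consider setting `e.source = source` here too. The `argument = 'obj'` assignment in the else branch is what lets the later hunk drop its own `var argument = settings.variable || 'obj';`, so the two hunks must stay together.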
+@@ -1594,7 +1610,7 @@
+ 
+     var render;
+     try {
+-      render = new Function(settings.variable || 'obj', '_', source);
++      render = new Function(argument, '_', source);
+     } catch (e) {
+       e.source = source;
+       throw e;
+@@ -1605,7 +1621,6 @@
+     };
+ 
+     // Provide the compiled source as a convenience for precompilation.
+-    var argument = settings.variable || 'obj';
+     template.source = 'function(' + argument + '){\n' + source + '}';
+ 
+     return template;
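Review bot: with `var argument` now declared before validation, both `new Function(argument, '_', source)` and the precompiled `template.source` string use the checked value, so the convenience source string is covered by the same guard as the live function. Removing the later `var argument = settings.variable || 'obj';` is correct since `var` is function-scoped. The only gap is test coverage inside the package: the rejection case is exercised solely by the autopkgtest below, so a unit test that asserts the `variable is not a bare identifier` error for a value containing `=` would protect against a silent regression on the upstream side.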
diff --git a/debian/patches/series b/debian/patches/series
index da362d2..7ddac86 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1 +1,2 @@
 2001_docs_privacy.patch
+CVE-2021-23358.patch
diff --git a/debian/tests/CVE-2021-23358 b/debian/tests/CVE-2021-23358
new file mode 100755
index 0000000..a2ae590
--- /dev/null
+++ b/debian/tests/CVE-2021-23358
@@ -0,0 +1,11 @@
+#!/bin/sh
+
+if node debian/tests/CVE-2021-23358.js 2>/dev/null; then
+	rm -f HELLO
+	echo 'Vulnerable to CVE-2021-23358' >&2
+	exit 1
+else
+	echo
+	echo 'Not vulnerable to CVE-2021-23358'
+	exit 0
+fi
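Review bot: the verdict rests entirely on node's exit status while stderr is discarded, so any unrelated failure (missing module, syntax error, no node binary) also exits non-zero and is reported as "Not vulnerable"; the test then passes on a broken environment. Check the side effect the PoC actually produces instead, e.g. `node debian/tests/CVE-2021-23358.js 2>/dev/null; if [ -e HELLO ]; then rm -f HELLO; echo 'Vulnerable to CVE-2021-23358' >&2; exit 1; fi`, or grep node's stderr for "variable is not a bare identifier" before declaring success. The bare `echo` before the success message is also superfluous.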
diff --git a/debian/tests/CVE-2021-23358.js b/debian/tests/CVE-2021-23358.js
new file mode 100644
index 0000000..fad7c77
--- /dev/null
+++ b/debian/tests/CVE-2021-23358.js
@@ -0,0 +1,3 @@
+const _ = require('underscore');
+_.templateSettings.variable = "a = this.process.mainModule.require('child_process').execSync('touch HELLO')";
+const t = _.template("")();
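Review bot: the trailing `()` on `_.template("")()` is load-bearing: the payload lands as a default-parameter expression in `new Function(settings.variable || 'obj', '_', source)`, and default initialisers are only evaluated when the function is invoked without that argument, so a test that merely compiled the template would pass on the vulnerable version. `this.process` resolves because `new Function` produces a sloppy-mode function whose `this` is the global object. `const t` is unused and can be dropped, and the test writes `HELLO` into the current directory, so it relies on being run from a writable source tree (which the wrapper script's `rm -f HELLO` assumes as well).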
diff --git a/debian/tests/control b/debian/tests/control
index 7275831..868aa31 100644
--- a/debian/tests/control
+++ b/debian/tests/control
@@ -1 +1,7 @@
 Test-Command: node -e "require('underscore');"
+Depends: @
+Restrictions: superficial
+
+Tests: CVE-2021-23358
+Depends: @
+Restrictions: superficial
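Review bot: the `CVE-2021-23358` stanza carries `Restrictions: superficial` as well, but unlike the `require` check it exercises `_.template` end to end and fails on the vulnerable version; marking it superficial understates it. Keep `superficial` on the first stanza and drop it from the second so this counts as a real regression test. `Depends: @` is right for both, since the script needs the packaged node-underscore on the module path.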
diff --git a/debian/upstream/metadata b/debian/upstream/metadata
new file mode 100644
index 0000000..ae91ed7
--- /dev/null
+++ b/debian/upstream/metadata
@@ -0,0 +1,4 @@
+Bug-Database: https://github.com/jashkenas/underscore/issues
+Repository: https://github.com/jashkenas/underscore.git
+Repository-Browse: https://github.com/jashkenas/underscore
+Bug-Submit: https://github.com/jashkenas/underscore/issues/new

--- End Message ---
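The injection mechanism the debdiff above closes, as an added example that is not part of the bug report, the patch, or underscore itself: `compileTemplate`, `payload` and the `injected` counter are hypothetical stand-ins, while `bareIdentifier` is the regular expression from the upstream fix. The vulnerable path shows that compiling the template does nothing, and the payload only fires when the compiled function is called; the guarded path shows the same value rejected before it reaches `new Function`.

```javascript
'use strict';

// Added example, not code from underscore or the Debian package: a minimal
// model of the `new Function(variable, '_', source)` pattern behind
// CVE-2021-23358, with the bare-identifier guard the upstream fix added.

// Same regular expression as debian/patches/CVE-2021-23358.patch.
const bareIdentifier = /^\s*(\w|\$)+\s*$/;

function isBareIdentifier(name) {
  return bareIdentifier.test(name);
}

// Hypothetical stand-in for _.template: `variable` becomes the first
// parameter name of a dynamically built function, the shape that lets a
// value such as "a = <expr>" smuggle a default-parameter expression into
// the parameter list. With guard=true the fix's check is applied first.
function compileTemplate(variable, text, guard) {
  let argument = variable;
  if (argument) {
    if (guard && !isBareIdentifier(argument)) {
      throw new Error('variable is not a bare identifier: ' + argument);
    }
  } else {
    argument = 'obj';
  }
  // Trivial template body: emit the literal text, which is all a static
  // template compiles to.
  const source = "var __p='';\n__p+='" + text + "';\nreturn __p;";
  return new Function(argument, '_', source);
}

// Harmless payload standing in for the PoC's `touch HELLO`: it bumps a
// global counter instead of spawning a process.
const payload = 'a = (globalThis.injected = (globalThis.injected || 0) + 1)';

function demonstrate() {
  globalThis.injected = 0;

  // Vulnerable path: compiles without complaint...
  const vulnerable = compileTemplate(payload, 'hi', false);
  const afterCompile = globalThis.injected; // still 0: defaults are lazy
  vulnerable();                             // ...and the payload runs here
  const afterCall = globalThis.injected;    // now 1

  // Fixed path: rejected before anything reaches new Function.
  let rejected = false;
  try {
    compileTemplate(payload, 'hi', true);
  } catch (e) {
    rejected = /bare identifier/.test(e.message);
  }

  // Legitimate names, including the whitespace and `$` the regex allows,
  // still compile and render.
  const rendered = compileTemplate(' data$1 ', 'hi', true)({});

  return {
    afterCompile,
    afterCall,
    injectedAfterFix: globalThis.injected,
    rejected,
    rendered,
  };
}

console.log(JSON.stringify(demonstrate()));
```

Run it with `node` and the counter goes 0, 1 across the vulnerable compile and call, stays at 1 after the guarded compile throws, and the whitespace-padded name still renders; the regex rejects `a = 1`, `{a}` and `data.x` while accepting `obj`.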
--- Begin Message ---
Unblocked.

--- End Message ---
