Bug#987041: unblock: node-handlebars/4.7.6+~4.1.0-2
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
Please unblock package node-handlebars
[ Reason ]
node-handlebars is vulnerable to Remote Code Execution (RCE)
(CVE-2021-23369).
[ Impact ]
Medium vulnerability
[ Tests ]
Yes, the code passed (build & autopkgtest), including the new checks
[ Risks ]
Low risk; change is trivial (upstream patch applied without any change)
[ Checklist ]
[X] all changes are documented in the d/changelog
[X] I reviewed all changes and I approve them
[X] attach debdiff against the package in testing
Cheers,
Yadd
unblock node-handlebars/4.7.6+~4.1.0-2
diff --git a/debian/changelog b/debian/changelog
index 675dba0..215d5a2 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+node-handlebars (3:4.7.6+~4.1.0-2) unstable; urgency=medium
+
+ * Team upload
+ * Fix remote code execution (Closes: CVE-2021-23369)
+
+ -- Yadd <yadd@debian.org> Fri, 16 Apr 2021 10:19:56 +0200
+
node-handlebars (3:4.7.6+~4.1.0-1) unstable; urgency=medium
[ Xavier Guimard ]
diff --git a/debian/patches/CVE-2021-23369.patch b/debian/patches/CVE-2021-23369.patch
new file mode 100644
index 0000000..98ee3fc
--- /dev/null
+++ b/debian/patches/CVE-2021-23369.patch
@@ -0,0 +1,80 @@
+Description: fix Remote Code Execution (RCE)
+ when selecting certain compiling options to compile templates coming from an
+ untrusted source.
+Author: Nils Knappmeier <npm@knappi.org>
+Origin: upstream, https://github.com/handlebars-lang/handlebars.js/commit/b6d3de71
+ https://github.com/handlebars-lang/handlebars.js/commit/f0589701
+Bug: https://snyk.io/vuln/SNYK-JS-HANDLEBARS-1056767
+Forwarded: not-needed
+Reviewed-By: Yadd <yadd@debian.org>
+Last-Update: 2021-04-16
+
+--- a/lib/handlebars/compiler/javascript-compiler.js
++++ b/lib/handlebars/compiler/javascript-compiler.js
+@@ -16,7 +16,12 @@
+ return this.internalNameLookup(parent, name);
+ },
+ depthedLookup: function(name) {
+- return [this.aliasable('container.lookup'), '(depths, "', name, '")'];
++ return [
++ this.aliasable('container.lookup'),
++ '(depths, ',
++ JSON.stringify(name),
++ ')'
++ ];
+ },
+
+ compilerInfo: function() {
+--- a/lib/handlebars/runtime.js
++++ b/lib/handlebars/runtime.js
+@@ -124,7 +124,7 @@
+ loc: loc
+ });
+ }
+- return obj[name];
++ return container.lookupProperty(obj, name);
+ },
+ lookupProperty: function(parent, propertyName) {
+ let result = parent[propertyName];
+--- a/spec/security.js
++++ b/spec/security.js
+@@ -320,6 +320,10 @@
+ checkProtoPropertyAccess({ compat: true });
+ });
+
++ describe('in strict-mode', function() {
++ checkProtoPropertyAccess({ strict: true });
++ });
++
+ function checkProtoPropertyAccess(compileOptions) {
+ it('should be prohibited by default and log a warning', function() {
+ var spy = sinon.spy(console, 'error');
+@@ -418,6 +422,28 @@
+ });
+ });
+ });
++
++ describe('escapes template variables', function() {
++ it('in compat mode', function() {
++ expectTemplate("{{'a\\b'}}")
++ .withCompileOptions({ compat: true })
++ .withInput({ 'a\\b': 'c' })
++ .toCompileTo('c');
++ });
++
++ it('in default mode', function() {
++ expectTemplate("{{'a\\b'}}")
++ .withCompileOptions()
++ .withInput({ 'a\\b': 'c' })
++ .toCompileTo('c');
++ });
++ it('in default mode', function() {
++ expectTemplate("{{'a\\b'}}")
++ .withCompileOptions({ strict: true })
++ .withInput({ 'a\\b': 'c' })
++ .toCompileTo('c');
++ });
++ });
+ });
+
+ function wrapToAdjustContainer(precompiledTemplateFunction) {
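Review bot: In the spec/security.js part of the new patch, the third case under 'escapes template variables' is labelled `it('in default mode', function() {` but compiles with `.withCompileOptions({ strict: true })`, so it duplicates the preceding test's name and a failure in the strict variant cannot be told apart from the default one in the report. The label that matches the options is `it('in strict mode', function() {`. Since the patch is stated to be carried verbatim from upstream, the lower-risk option is to keep the hunk unchanged and record the mislabel in the patch header (or fix it in a follow-up) rather than deviate from upstream; coverage itself is unaffected, as compat, default and strict modes are each exercised. On the same reasoning, the `Description:` header's "certain compiling options" could name the modes the added tests cover instead of leaving them implicit. The `lookupProperty` body in the runtime.js hunk and the enclosing describe block in spec/security.js continue outside the visible nested hunks.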
diff --git a/debian/patches/series b/debian/patches/series
index 35bc292..d613930 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -3,3 +3,4 @@ skip-some-modules.patch
disable-bg-shell-plugin.patch
use-babel7.patch
use-global-object-this.patch
+CVE-2021-23369.patch