
Bug#989225: unblock: nim/1.4.6+really1.4.2-2



Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package nim to fix #987272

[ Reason ]
The package currently in Bullseye (1.4.2-1) is affected by:
CVE-2021-21372 CVE-2021-21373 CVE-2021-21374 CVE-2021-29495

[ Impact ]
The vulnerabilities would not be addressed

[ Tests ]
Run the default unit test suite and manual tests

[ Risks ]
Low. The security fixes have been backported from the upstream
releases as small quilt patches.

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

[ Other info ]
N/A

unblock nim/1.4.6+really1.4.2-2
diff -Nru nim-1.4.2/debian/changelog nim-1.4.6+really1.4.2/debian/changelog
--- nim-1.4.2/debian/changelog	2020-12-02 13:39:46.000000000 +0000
+++ nim-1.4.6+really1.4.2/debian/changelog	2021-05-13 14:09:37.000000000 +0100
@@ -1,3 +1,17 @@
+nim (1.4.6+really1.4.2-2) unstable; urgency=medium
+
+  * Rebuild
+
+ -- Federico Ceratto <federico@debian.org>  Thu, 13 May 2021 14:09:37 +0100
+
+nim (1.4.6+really1.4.2-1) unstable; urgency=medium
+
+  * Upload 1.4.2 as 1.4.6+really1.4.2-1 (Closes: #987279)
+  * Security update for CVE-2021-21372 CVE-2021-21373
+    CVE-2021-21374 CVE-2021-29495 (Closes: #87272)
+
+ -- Federico Ceratto <federico@debian.org>  Fri, 07 May 2021 21:42:48 +0100
+
 nim (1.4.2-1) unstable; urgency=medium
 
   * New upstream release
diff -Nru nim-1.4.2/debian/patches/check-ssl-certs.patch nim-1.4.6+really1.4.2/debian/patches/check-ssl-certs.patch
--- nim-1.4.2/debian/patches/check-ssl-certs.patch	1970-01-01 01:00:00.000000000 +0100
+++ nim-1.4.6+really1.4.2/debian/patches/check-ssl-certs.patch	2021-05-13 14:09:37.000000000 +0100
@@ -0,0 +1,42 @@
+Subject: CVE-2021-29495 Check SSL certs by default; fix cert load error handling
+Origin: vendor
+Bug: https://github.com/nim-lang/security/security/advisories/GHSA-9vqv-2jj9-7mqr
+Forwarded: not-needed
+
+--- a/lib/pure/httpclient.nim
++++ b/lib/pure/httpclient.nim
+@@ -321,7 +321,7 @@
+   result = defaultSslContext
+   when defined(ssl):
+     if result == nil:
+-      defaultSslContext = newContext(verifyMode = CVerifyNone)
++      defaultSslContext = newContext(verifyMode = CVerifyPeer)
+       result = defaultSslContext
+       doAssert result != nil, "failure to initialize the SSL context"
+ 
+--- a/lib/pure/net.nim
++++ b/lib/pure/net.nim
+@@ -626,11 +626,12 @@
+     discard newCTX.SSLCTXSetMode(SSL_MODE_AUTO_RETRY)
+     newCTX.loadCertificates(certFile, keyFile)
+ 
+-    when not defined(nimDisableCertificateValidation) and not defined(windows):
++    const VerifySuccess = 1 # SSL_CTX_load_verify_locations returns 1 on success.
++    when not defined(nimDisableCertificateValidation):
+       if verifyMode != CVerifyNone:
+         # Use the caDir and caFile parameters if set
+         if caDir != "" or caFile != "":
+-          if newCTX.SSL_CTX_load_verify_locations(caFile, caDir) != 0:
++          if newCTX.SSL_CTX_load_verify_locations(caFile, caDir) != VerifySuccess:
+             raise newException(IOError, "Failed to load SSL/TLS CA certificate(s).")
+ 
+         else:
+@@ -638,7 +639,7 @@
+           # the SSL_CERT_FILE and SSL_CERT_DIR env vars
+           var found = false
+           for fn in scanSSLCertificates():
+-            if newCTX.SSL_CTX_load_verify_locations(fn, "") == 0:
++            if newCTX.SSL_CTX_load_verify_locations(fn, nil) == VerifySuccess:
+               found = true
+               break
+           if not found:
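Review bot: The first branch of the net.nim hunk still passes `caFile` and `caDir` straight into `SSL_CTX_load_verify_locations(caFile, caDir)`, while the scan loop below was changed to hand OpenSSL `nil` for the unused directory argument. If the Nim runtime converts an empty string to a non-NULL empty C string (as I recall the 1.x runtime does), then a caller that sets only one of the two parameters makes OpenSSL treat "" as a file or directory path for the other, and the call is likely to fail with the "Failed to load SSL/TLS CA certificate(s)." IOError; mapping empties to nil, e.g. `if caFile == "": nil else: caFile.cstring` for both arguments, would make the two calls consistent. Dropping the `not defined(windows)` exemption is harmless for a Debian build but goes beyond the CVE, so a comment above the `when` such as `# Certificate validation is now on by default on every platform (CVE-2021-29495)` would make the intent visible to the next backporter. The enclosing `newContext` body and the `if not found:` error path continue outside the hunk.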
diff -Nru nim-1.4.2/debian/patches/fix-nimble-cert-validation-2021-21374.patch nim-1.4.6+really1.4.2/debian/patches/fix-nimble-cert-validation-2021-21374.patch
--- nim-1.4.2/debian/patches/fix-nimble-cert-validation-2021-21374.patch	1970-01-01 01:00:00.000000000 +0100
+++ nim-1.4.6+really1.4.2/debian/patches/fix-nimble-cert-validation-2021-21374.patch	2021-05-13 14:09:37.000000000 +0100
@@ -0,0 +1,68 @@
+Subject: Fix CVE-2021-21374 Nimble SSL certificate checking
+Origin: vendor
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=987272
+Bug: https://github.com/nim-lang/security/security/advisories/GHSA-c2wm-v66h-xhxx
+Forwarded: not-needed
+
+--- a/dist/nimble/src/nimblepkg/packageinfo.nim
++++ b/dist/nimble/src/nimblepkg/packageinfo.nim
+@@ -4,6 +4,7 @@
+ # Stdlib imports
+ import system except TResult
+ import hashes, json, strutils, os, sets, tables, httpclient
++from net import SSLError
+ 
+ # Local imports
+ import version, tools, common, options, cli, config
+@@ -199,8 +200,12 @@
+                 priority = LowPriority)
+ 
+       try:
+-        let client = newHttpClient(proxy = proxy)
++        let ctx = newSSLContext()
++        let client = newHttpClient(proxy = proxy, sslContext = ctx)
+         client.downloadFile(url, tempPath)
++      except SslError:
++        let message = "Failed to verify the SSL certificate for " & url
++        raiseNimbleError(message, "")
+       except:
+         let message = "Could not download: " & getCurrentExceptionMsg()
+         display("Warning:", message, Warning)
+--- a/dist/nimble/src/nimblepkg/publish.nim
++++ b/dist/nimble/src/nimblepkg/publish.nim
+@@ -7,6 +7,7 @@
+ import system except TResult
+ import httpclient, strutils, json, os, browsers, times, uri
+ import version, tools, common, cli, config, options
++from net import SslCVerifyMode, newContext
+ 
+ type
+   Auth = object
+@@ -51,7 +52,8 @@
+ 
+ proc getGithubAuth(o: Options): Auth =
+   let cfg = o.config
+-  result.http = newHttpClient(proxy = getProxy(o))
++  let ctx = newSSLContext()
++  result.http = newHttpClient(proxy = getProxy(o), sslContext = ctx)
+   # always prefer the environment variable to asking for a new one
+   if existsEnv(ApiTokenEnvironmentVariable):
+     result.token = getEnv(ApiTokenEnvironmentVariable)
+--- a/dist/nimble/src/nimblepkg/tools.nim
++++ b/dist/nimble/src/nimblepkg/tools.nim
+@@ -4,6 +4,7 @@
+ # Various miscellaneous utility functions reside here.
+ import osproc, pegs, strutils, os, uri, sets, json, parseutils
+ import version, cli, options
++from net import SslCVerifyMode, newContext, SslContext
+ 
+ proc extractBin(cmd: string): string =
+   if cmd[0] == '"':
+@@ -164,3 +165,7 @@
+   else:
+     tmpdir = getTempDir()
+   return tmpdir
++
++
++proc newSSLContext*(): SslContext =
++  return newContext(verifyMode = CVerifyPeer)
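Review bot: The `from net import SslCVerifyMode, newContext` line added to publish.nim appears unused: the only new call there is `newSSLContext()`, which comes from the tools module that publish.nim already imports, so the line could be dropped to keep the backport minimal. The exception type is spelled `SSLError` in the packageinfo.nim import and `SslError` in the handler; Nim's style-insensitive identifiers make both resolve, but one spelling would read better. The `except SslError` branch also discards the underlying OpenSSL reason, and `"Failed to verify the SSL certificate for " & url & ": " & getCurrentExceptionMsg()` would help users diagnose a missing or wrong CA bundle without weakening the hard failure. `getGithubAuth` and the download loop in packageinfo.nim both continue outside the hunk.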
diff -Nru nim-1.4.2/debian/patches/fix-nimble-rce-2021-21372.patch nim-1.4.6+really1.4.2/debian/patches/fix-nimble-rce-2021-21372.patch
--- nim-1.4.2/debian/patches/fix-nimble-rce-2021-21372.patch	1970-01-01 01:00:00.000000000 +0100
+++ nim-1.4.6+really1.4.2/debian/patches/fix-nimble-rce-2021-21372.patch	2021-05-13 14:09:37.000000000 +0100
@@ -0,0 +1,29 @@
+Subject: Fix CVE-2021-21372 Nimble doCmd Remote Code Execution
+Origin: vendor
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=987272
+Bug: https://github.com/nim-lang/security/security/advisories/GHSA-rg9f-w24h-962p
+Forwarded: not-needed
+
+--- a/dist/nimble/src/nimblepkg/download.nim
++++ b/dist/nimble/src/nimblepkg/download.nim
+@@ -88,7 +88,7 @@
+   result = @[]
+   case meth
+   of DownloadMethod.git:
+-    var (output, exitCode) = doCmdEx("git ls-remote --tags " & url)
++    var (output, exitCode) = doCmdEx("git ls-remote --tags " & url.quoteShell())
+     if exitCode != QuitSuccess:
+       raise newException(OSError, "Unable to query remote tags for " & url &
+           ". Git returned: " & output)
+@@ -136,9 +136,9 @@
+ 
+ proc checkUrlType*(url: string): DownloadMethod =
+   ## Determines the download method based on the URL.
+-  if doCmdEx("git ls-remote " & url).exitCode == QuitSuccess:
++  if doCmdEx("git ls-remote " & url.quoteShell()).exitCode == QuitSuccess:
+     return DownloadMethod.git
+-  elif doCmdEx("hg identify " & url).exitCode == QuitSuccess:
++  elif doCmdEx("hg identify " & url.quoteShell()).exitCode == QuitSuccess:
+     return DownloadMethod.hg
+   else:
+     raise newException(NimbleError, "Unable to identify url: " & url)
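Review bot: `quoteShell()` keeps the shell from interpreting metacharacters in the url, but it does not stop git or hg from parsing a url that begins with `-` as an option, so an end-of-options separator would close that gap: `"git ls-remote --tags -- " & url.quoteShell()`, `"git ls-remote -- " & url.quoteShell()` and `"hg identify -- " & url.quoteShell()`. The hunk covers only the two probing sites in download.nim; any other `doCmd`/`doCmdEx` that concatenates the same url (the clone command, if this version builds it the same way) is outside the hunk and should get the same treatment. The change also assumes `quoteShell` from `os` is already in scope in download.nim, which the hunk does not show. The proc containing the first change starts before the hunk.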
diff -Nru nim-1.4.2/debian/patches/fix-nimble-urls-2021-21373.patch nim-1.4.6+really1.4.2/debian/patches/fix-nimble-urls-2021-21373.patch
--- nim-1.4.2/debian/patches/fix-nimble-urls-2021-21373.patch	1970-01-01 01:00:00.000000000 +0100
+++ nim-1.4.6+really1.4.2/debian/patches/fix-nimble-urls-2021-21373.patch	2021-05-13 14:09:37.000000000 +0100
@@ -0,0 +1,45 @@
+Subject: Fix CVE-2021-21373 Nimble should use HTTPS URLs
+Origin: vendor
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=987272
+Bug: https://github.com/nim-lang/security/security/advisories/GHSA-8w52-r35x-rgp8
+Forwarded: not-needed
+
+--- a/dist/nimble/src/nimblepkg/config.nim
++++ b/dist/nimble/src/nimblepkg/config.nim
+@@ -28,8 +28,8 @@
+   result.packageLists = initTable[string, PackageList]()
+   let defaultPkgList = PackageList(name: "Official", urls: @[
+     "https://github.com/nim-lang/packages/raw/master/packages.json";,
+-    "http://irclogs.nim-lang.org/packages.json";,
+-    "http://nim-lang.org/nimble/packages.json";
++    "https://irclogs.nim-lang.org/packages.json";,
++    "https://nim-lang.org/nimble/packages.json";
+   ])
+   result.packageLists["official"] = defaultPkgList
+ 
+--- a/dist/nimble/tests/tester.nim
++++ b/dist/nimble/tests/tester.nim
+@@ -122,10 +122,10 @@
+       writeFile(configFile, """
+         [PackageList]
+         name = "official"
+-        url = "http://google.com";
+-        url = "http://google.com/404";
+-        url = "http://irclogs.nim-lang.org/packages.json";
+-        url = "http://nim-lang.org/nimble/packages.json";
++        url = "https://google.com";
++        url = "https://google.com/404";
++        url = "https://irclogs.nim-lang.org/packages.json";
++        url = "https://nim-lang.org/nimble/packages.json";
+         url = "https://github.com/nim-lang/packages/raw/master/packages.json";
+       """.unindent)
+ 
+@@ -135,7 +135,7 @@
+       check exitCode == QuitSuccess
+       check inLines(lines, "config file at")
+       check inLines(lines, "official package list")
+-      check inLines(lines, "http://google.com";)
++      check inLines(lines, "https://google.com";)
+       check inLines(lines, "packages.json file is invalid")
+       check inLines(lines, "404 not found")
+       check inLines(lines, "Package list downloaded.")
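Review bot: Every quoted URL in the config.nim and tester.nim hunks is followed by `;` before the comma (`"https://nim-lang.org/nimble/packages.json";`), which is not valid Nim; this looks like a list-archive rendering artifact rather than patch content, but the applied fix-nimble-urls-2021-21373.patch should be confirmed to carry a plain `",`. On substance, moving the built-in list to HTTPS only removes the plaintext fetches for the default entries; a user-configured `url =` entry in a PackageList section can still be http:// and the hunk adds no check or warning for that case, so a comment in config.nim such as `# Default package lists are https:// only (CVE-2021-21373); user-supplied entries are not validated here` would make the limitation explicit. The tester.nim change is fixture-only.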
diff -Nru nim-1.4.2/debian/patches/series nim-1.4.6+really1.4.2/debian/patches/series
--- nim-1.4.2/debian/patches/series	2020-12-02 13:39:46.000000000 +0000
+++ nim-1.4.6+really1.4.2/debian/patches/series	2021-05-13 14:09:37.000000000 +0100
@@ -1,4 +1,5 @@
 #dont-build-remote-website.patch
+check-ssl-certs.patch
 fix-makefile-unsupported-arch.patch
 #fix-gnu-kfreebsd.patch
 #do-not-clone-nimble.patch
@@ -6,3 +7,6 @@
 #fix-broken-release
 fix-big-endian.patch
 #set-nimdoc-css-location.patch
+fix-nimble-rce-2021-21372.patch
+fix-nimble-urls-2021-21373.patch
+fix-nimble-cert-validation-2021-21374.patch
