Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
Please unblock package nim to fix #987272
[ Reason ]
The package currently in Bullseye (1.4.2-1) is affected by:
CVE-2021-21372 CVE-2021-21373 CVE-2021-21374 CVE-2021-29495
[ Impact ]
The vulnerabilities would not be addressed
[ Tests ]
Run the default unit test suite and manual tests
[ Risks ]
Low. The security fixes have been backported from upstream
releases using small quilt patches.
[ Checklist ]
[x] all changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in testing
[ Other info ]
N/A
unblock nim/1.4.6+really1.4.2-2
diff -Nru nim-1.4.2/debian/changelog nim-1.4.6+really1.4.2/debian/changelog
--- nim-1.4.2/debian/changelog 2020-12-02 13:39:46.000000000 +0000
+++ nim-1.4.6+really1.4.2/debian/changelog 2021-05-13 14:09:37.000000000 +0100
@@ -1,3 +1,17 @@
+nim (1.4.6+really1.4.2-2) unstable; urgency=medium
+
+ * Rebuild
+
+ -- Federico Ceratto <federico@debian.org> Thu, 13 May 2021 14:09:37 +0100
+
+nim (1.4.6+really1.4.2-1) unstable; urgency=medium
+
+ * Upload 1.4.2 as 1.4.6+really1.4.2-1 (Closes: #987279)
+ * Security update for CVE-2021-21372 CVE-2021-21373
+ CVE-2021-21374 CVE-2021-29495 (Closes: #87272)
+
+ -- Federico Ceratto <federico@debian.org> Fri, 07 May 2021 21:42:48 +0100
+
nim (1.4.2-1) unstable; urgency=medium
* New upstream release
diff -Nru nim-1.4.2/debian/patches/check-ssl-certs.patch nim-1.4.6+really1.4.2/debian/patches/check-ssl-certs.patch
--- nim-1.4.2/debian/patches/check-ssl-certs.patch 1970-01-01 01:00:00.000000000 +0100
+++ nim-1.4.6+really1.4.2/debian/patches/check-ssl-certs.patch 2021-05-13 14:09:37.000000000 +0100
@@ -0,0 +1,42 @@
+Subject: CVE-2021-29495 Check SSL certs by default; fix cert load error handling
+Origin: vendor
+Bug: https://github.com/nim-lang/security/security/advisories/GHSA-9vqv-2jj9-7mqr
+Forwarded: not-needed
+
+--- a/lib/pure/httpclient.nim
++++ b/lib/pure/httpclient.nim
+@@ -321,7 +321,7 @@
+ result = defaultSslContext
+ when defined(ssl):
+ if result == nil:
+- defaultSslContext = newContext(verifyMode = CVerifyNone)
++ defaultSslContext = newContext(verifyMode = CVerifyPeer)
+ result = defaultSslContext
+ doAssert result != nil, "failure to initialize the SSL context"
+
+--- a/lib/pure/net.nim
++++ b/lib/pure/net.nim
+@@ -626,11 +626,12 @@
+ discard newCTX.SSLCTXSetMode(SSL_MODE_AUTO_RETRY)
+ newCTX.loadCertificates(certFile, keyFile)
+
+- when not defined(nimDisableCertificateValidation) and not defined(windows):
++ const VerifySuccess = 1 # SSL_CTX_load_verify_locations returns 1 on success.
++ when not defined(nimDisableCertificateValidation):
+ if verifyMode != CVerifyNone:
+ # Use the caDir and caFile parameters if set
+ if caDir != "" or caFile != "":
+- if newCTX.SSL_CTX_load_verify_locations(caFile, caDir) != 0:
++ if newCTX.SSL_CTX_load_verify_locations(caFile, caDir) != VerifySuccess:
+ raise newException(IOError, "Failed to load SSL/TLS CA certificate(s).")
+
+ else:
+@@ -638,7 +639,7 @@
+ # the SSL_CERT_FILE and SSL_CERT_DIR env vars
+ var found = false
+ for fn in scanSSLCertificates():
+- if newCTX.SSL_CTX_load_verify_locations(fn, "") == 0:
++ if newCTX.SSL_CTX_load_verify_locations(fn, nil) == VerifySuccess:
+ found = true
+ break
+ if not found:
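Review bot: In the net.nim hunk the `caDir != "" or caFile != ""` branch still hands whichever of `caFile`/`caDir` is empty straight to `SSL_CTX_load_verify_locations`, where it arrives as an empty C string rather than nil; OpenSSL treats an empty CAfile/CApath as an invalid location, so setting only one of the two parameters appears to raise "Failed to load SSL/TLS CA certificate(s)" even though the other location is valid. The scan loop below was already changed to pass `nil` for the unused directory argument, and the same conversion belongs on the explicit-parameters call: `if newCTX.SSL_CTX_load_verify_locations(if caFile == "": nil else: caFile.cstring, if caDir == "": nil else: caDir.cstring) != VerifySuccess:`. The hunk also drops `and not defined(windows)` from the `when` condition, which is broader than the advisory fix; moot for a Debian build, but worth a sentence in the patch header so the deviation from upstream is deliberate. The enclosing `newContext` proc starts and ends outside the hunk.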
diff -Nru nim-1.4.2/debian/patches/fix-nimble-cert-validation-2021-21374.patch nim-1.4.6+really1.4.2/debian/patches/fix-nimble-cert-validation-2021-21374.patch
--- nim-1.4.2/debian/patches/fix-nimble-cert-validation-2021-21374.patch 1970-01-01 01:00:00.000000000 +0100
+++ nim-1.4.6+really1.4.2/debian/patches/fix-nimble-cert-validation-2021-21374.patch 2021-05-13 14:09:37.000000000 +0100
@@ -0,0 +1,68 @@
+Subject: Fix CVE-2021-21374 Nimble SSL certificate checking
+Origin: vendor
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=987272
+Bug: https://github.com/nim-lang/security/security/advisories/GHSA-c2wm-v66h-xhxx
+Forwarded: not-needed
+
+--- a/dist/nimble/src/nimblepkg/packageinfo.nim
++++ b/dist/nimble/src/nimblepkg/packageinfo.nim
+@@ -4,6 +4,7 @@
+ # Stdlib imports
+ import system except TResult
+ import hashes, json, strutils, os, sets, tables, httpclient
++from net import SSLError
+
+ # Local imports
+ import version, tools, common, options, cli, config
+@@ -199,8 +200,12 @@
+ priority = LowPriority)
+
+ try:
+- let client = newHttpClient(proxy = proxy)
++ let ctx = newSSLContext()
++ let client = newHttpClient(proxy = proxy, sslContext = ctx)
+ client.downloadFile(url, tempPath)
++ except SslError:
++ let message = "Failed to verify the SSL certificate for " & url
++ raiseNimbleError(message, "")
+ except:
+ let message = "Could not download: " & getCurrentExceptionMsg()
+ display("Warning:", message, Warning)
+--- a/dist/nimble/src/nimblepkg/publish.nim
++++ b/dist/nimble/src/nimblepkg/publish.nim
+@@ -7,6 +7,7 @@
+ import system except TResult
+ import httpclient, strutils, json, os, browsers, times, uri
+ import version, tools, common, cli, config, options
++from net import SslCVerifyMode, newContext
+
+ type
+ Auth = object
+@@ -51,7 +52,8 @@
+
+ proc getGithubAuth(o: Options): Auth =
+ let cfg = o.config
+- result.http = newHttpClient(proxy = getProxy(o))
++ let ctx = newSSLContext()
++ result.http = newHttpClient(proxy = getProxy(o), sslContext = ctx)
+ # always prefer the environment variable to asking for a new one
+ if existsEnv(ApiTokenEnvironmentVariable):
+ result.token = getEnv(ApiTokenEnvironmentVariable)
+--- a/dist/nimble/src/nimblepkg/tools.nim
++++ b/dist/nimble/src/nimblepkg/tools.nim
+@@ -4,6 +4,7 @@
+ # Various miscellaneous utility functions reside here.
+ import osproc, pegs, strutils, os, uri, sets, json, parseutils
+ import version, cli, options
++from net import SslCVerifyMode, newContext, SslContext
+
+ proc extractBin(cmd: string): string =
+ if cmd[0] == '"':
+@@ -164,3 +165,7 @@
+ else:
+ tmpdir = getTempDir()
+ return tmpdir
++
++
++proc newSSLContext*(): SslContext =
++ return newContext(verifyMode = CVerifyPeer)
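Review bot: `newSSLContext*()` in tools.nim is exported without a doc comment; a one-liner such as `## Returns an SslContext that verifies the peer certificate (CVerifyPeer); every Nimble HTTP client must use it so TLS downloads fail on untrusted certificates.` records the security intent for the next reader. In publish.nim the added `from net import SslCVerifyMode, newContext` brings in names the file does not use (it calls `newSSLContext()` from tools), so that import line can be dropped. Note also that context creation raises IOError when no CA bundle can be loaded (see the net.nim patch in this debdiff); packageinfo.nim calls `newSSLContext()` inside its `try`, but `getGithubAuth` calls it unguarded, so on a system without CA certificates `nimble publish` presumably aborts with a raw exception rather than a Nimble error. The `getGithubAuth` proc and the download `try` block both extend beyond their hunks.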
diff -Nru nim-1.4.2/debian/patches/fix-nimble-rce-2021-21372.patch nim-1.4.6+really1.4.2/debian/patches/fix-nimble-rce-2021-21372.patch
--- nim-1.4.2/debian/patches/fix-nimble-rce-2021-21372.patch 1970-01-01 01:00:00.000000000 +0100
+++ nim-1.4.6+really1.4.2/debian/patches/fix-nimble-rce-2021-21372.patch 2021-05-13 14:09:37.000000000 +0100
@@ -0,0 +1,29 @@
+Subject: Fix CVE-2021-21372 Nimble doCmd Remote Code Execution
+Origin: vendor
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=987272
+Bug: https://github.com/nim-lang/security/security/advisories/GHSA-rg9f-w24h-962p
+Forwarded: not-needed
+
+--- a/dist/nimble/src/nimblepkg/download.nim
++++ b/dist/nimble/src/nimblepkg/download.nim
+@@ -88,7 +88,7 @@
+ result = @[]
+ case meth
+ of DownloadMethod.git:
+- var (output, exitCode) = doCmdEx("git ls-remote --tags " & url)
++ var (output, exitCode) = doCmdEx("git ls-remote --tags " & url.quoteShell())
+ if exitCode != QuitSuccess:
+ raise newException(OSError, "Unable to query remote tags for " & url &
+ ". Git returned: " & output)
+@@ -136,9 +136,9 @@
+
+ proc checkUrlType*(url: string): DownloadMethod =
+ ## Determines the download method based on the URL.
+- if doCmdEx("git ls-remote " & url).exitCode == QuitSuccess:
++ if doCmdEx("git ls-remote " & url.quoteShell()).exitCode == QuitSuccess:
+ return DownloadMethod.git
+- elif doCmdEx("hg identify " & url).exitCode == QuitSuccess:
++ elif doCmdEx("hg identify " & url.quoteShell()).exitCode == QuitSuccess:
+ return DownloadMethod.hg
+ else:
+ raise newException(NimbleError, "Unable to identify url: " & url)
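Review bot: `quoteShell()` stops the URL from being split or interpreted by the shell, but in all three commands the quoted value still lands where git/hg parse options, so a URL beginning with `-` would be read as a flag; terminating option parsing with `--` closes that gap: `doCmdEx("git ls-remote --tags -- " & url.quoteShell())`, and likewise `"git ls-remote -- "` and `"hg identify -- "` in `checkUrlType`. The hunk covers only these three `doCmdEx` sites; if download.nim's clone or checkout commands (not visible here) also concatenate `url`, they need the same quoting for the backport to be complete. The first hunk's enclosing proc starts outside the hunk.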
diff -Nru nim-1.4.2/debian/patches/fix-nimble-urls-2021-21373.patch nim-1.4.6+really1.4.2/debian/patches/fix-nimble-urls-2021-21373.patch
--- nim-1.4.2/debian/patches/fix-nimble-urls-2021-21373.patch 1970-01-01 01:00:00.000000000 +0100
+++ nim-1.4.6+really1.4.2/debian/patches/fix-nimble-urls-2021-21373.patch 2021-05-13 14:09:37.000000000 +0100
@@ -0,0 +1,45 @@
+Subject: Fix CVE-2021-21373 Nimble should use HTTPS URLs
+Origin: vendor
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=987272
+Bug: https://github.com/nim-lang/security/security/advisories/GHSA-8w52-r35x-rgp8
+Forwarded: not-needed
+
+--- a/dist/nimble/src/nimblepkg/config.nim
++++ b/dist/nimble/src/nimblepkg/config.nim
+@@ -28,8 +28,8 @@
+ result.packageLists = initTable[string, PackageList]()
+ let defaultPkgList = PackageList(name: "Official", urls: @[
+ "https://github.com/nim-lang/packages/raw/master/packages.json",
+- "http://irclogs.nim-lang.org/packages.json",
+- "http://nim-lang.org/nimble/packages.json"
++ "https://irclogs.nim-lang.org/packages.json",
++ "https://nim-lang.org/nimble/packages.json"
+ ])
+ result.packageLists["official"] = defaultPkgList
+
+--- a/dist/nimble/tests/tester.nim
++++ b/dist/nimble/tests/tester.nim
+@@ -122,10 +122,10 @@
+ writeFile(configFile, """
+ [PackageList]
+ name = "official"
+- url = "http://google.com"
+- url = "http://google.com/404"
+- url = "http://irclogs.nim-lang.org/packages.json"
+- url = "http://nim-lang.org/nimble/packages.json"
++ url = "https://google.com"
++ url = "https://google.com/404"
++ url = "https://irclogs.nim-lang.org/packages.json"
++ url = "https://nim-lang.org/nimble/packages.json"
+ url = "https://github.com/nim-lang/packages/raw/master/packages.json"
+ """.unindent)
+
+@@ -135,7 +135,7 @@
+ check exitCode == QuitSuccess
+ check inLines(lines, "config file at")
+ check inLines(lines, "official package list")
+- check inLines(lines, "http://google.com")
++ check inLines(lines, "https://google.com")
+ check inLines(lines, "packages.json file is invalid")
+ check inLines(lines, "404 not found")
+ check inLines(lines, "Package list downloaded.")
diff -Nru nim-1.4.2/debian/patches/series nim-1.4.6+really1.4.2/debian/patches/series
--- nim-1.4.2/debian/patches/series 2020-12-02 13:39:46.000000000 +0000
+++ nim-1.4.6+really1.4.2/debian/patches/series 2021-05-13 14:09:37.000000000 +0100
@@ -1,4 +1,5 @@
#dont-build-remote-website.patch
+check-ssl-certs.patch
fix-makefile-unsupported-arch.patch
#fix-gnu-kfreebsd.patch
#do-not-clone-nimble.patch
@@ -6,3 +7,6 @@
#fix-broken-release
fix-big-endian.patch
#set-nimdoc-css-location.patch
+fix-nimble-rce-2021-21372.patch
+fix-nimble-urls-2021-21373.patch
+fix-nimble-cert-validation-2021-21374.patch