
Bug#989225: marked as done (unblock: nim/1.4.6+really1.4.2-2)



Your message dated Sat, 29 May 2021 21:19:59 +0000
with message-id <E1ln6ND-0008FR-36@respighi.debian.org>
and subject line unblock nim
has caused the Debian Bug report #989225,
regarding unblock: nim/1.4.6+really1.4.2-2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
989225: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=989225
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package nim to fix #987272

[ Reason ]
The package currently in Bullseye (1.4.2-1) is affected by:
CVE-2021-21372 CVE-2021-21373 CVE-2021-21374 CVE-2021-29495

[ Impact ]
The vulnerabilities would not be addressed

[ Tests ]
Run the default unit test suite and manual tests

[ Risks ]
Low. The security fixes have been backported from upstream
releases using small quilt patches.

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

[ Other info ]
N/A

unblock nim/1.4.6+really1.4.2-2
diff -Nru nim-1.4.2/debian/changelog nim-1.4.6+really1.4.2/debian/changelog
--- nim-1.4.2/debian/changelog	2020-12-02 13:39:46.000000000 +0000
+++ nim-1.4.6+really1.4.2/debian/changelog	2021-05-13 14:09:37.000000000 +0100
@@ -1,3 +1,17 @@
+nim (1.4.6+really1.4.2-2) unstable; urgency=medium
+
+  * Rebuild
+
+ -- Federico Ceratto <federico@debian.org>  Thu, 13 May 2021 14:09:37 +0100
+
+nim (1.4.6+really1.4.2-1) unstable; urgency=medium
+
+  * Upload 1.4.2 as 1.4.6+really1.4.2-1 (Closes: #987279)
+  * Security update for CVE-2021-21372 CVE-2021-21373
+    CVE-2021-21374 CVE-2021-29495 (Closes: #87272)
+
+ -- Federico Ceratto <federico@debian.org>  Fri, 07 May 2021 21:42:48 +0100
+
 nim (1.4.2-1) unstable; urgency=medium
 
   * New upstream release
diff -Nru nim-1.4.2/debian/patches/check-ssl-certs.patch nim-1.4.6+really1.4.2/debian/patches/check-ssl-certs.patch
--- nim-1.4.2/debian/patches/check-ssl-certs.patch	1970-01-01 01:00:00.000000000 +0100
+++ nim-1.4.6+really1.4.2/debian/patches/check-ssl-certs.patch	2021-05-13 14:09:37.000000000 +0100
@@ -0,0 +1,42 @@
+Subject: CVE-2021-29495 Check SSL certs by default; fix cert load error handling
+Origin: vendor
+Bug: https://github.com/nim-lang/security/security/advisories/GHSA-9vqv-2jj9-7mqr
+Forwarded: not-needed
+
+--- a/lib/pure/httpclient.nim
++++ b/lib/pure/httpclient.nim
+@@ -321,7 +321,7 @@
+   result = defaultSslContext
+   when defined(ssl):
+     if result == nil:
+-      defaultSslContext = newContext(verifyMode = CVerifyNone)
++      defaultSslContext = newContext(verifyMode = CVerifyPeer)
+       result = defaultSslContext
+       doAssert result != nil, "failure to initialize the SSL context"
+ 
+--- a/lib/pure/net.nim
++++ b/lib/pure/net.nim
+@@ -626,11 +626,12 @@
+     discard newCTX.SSLCTXSetMode(SSL_MODE_AUTO_RETRY)
+     newCTX.loadCertificates(certFile, keyFile)
+ 
+-    when not defined(nimDisableCertificateValidation) and not defined(windows):
++    const VerifySuccess = 1 # SSL_CTX_load_verify_locations returns 1 on success.
++    when not defined(nimDisableCertificateValidation):
+       if verifyMode != CVerifyNone:
+         # Use the caDir and caFile parameters if set
+         if caDir != "" or caFile != "":
+-          if newCTX.SSL_CTX_load_verify_locations(caFile, caDir) != 0:
++          if newCTX.SSL_CTX_load_verify_locations(caFile, caDir) != VerifySuccess:
+             raise newException(IOError, "Failed to load SSL/TLS CA certificate(s).")
+ 
+         else:
+@@ -638,7 +639,7 @@
+           # the SSL_CERT_FILE and SSL_CERT_DIR env vars
+           var found = false
+           for fn in scanSSLCertificates():
+-            if newCTX.SSL_CTX_load_verify_locations(fn, "") == 0:
++            if newCTX.SSL_CTX_load_verify_locations(fn, nil) == VerifySuccess:
+               found = true
+               break
+           if not found:
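Review bot: The DEP-3 header at the top of this patch records `Origin: vendor` and `Forwarded: not-needed`, while the unblock request describes the change as a backport of the upstream fix; DEP-3 expresses that as `Origin: backport, <upstream-commit-url>` (placeholder), which lets the next maintainer find the upstream commit and compare it with this backport. The same header is used in fix-nimble-cert-validation-2021-21374.patch, fix-nimble-rce-2021-21372.patch and fix-nimble-urls-2021-21373.patch. Within the net.nim hunk, the condition also drops `not defined(windows)`, so CA loading now runs on Windows as well; that is probably harmless for the Debian build but is a behavioural change beyond the `!= 0` → `!= VerifySuccess` return-value fix and deserves a sentence in the patch header. The procs touched in httpclient.nim and net.nim both start and end outside the quoted hunks.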
diff -Nru nim-1.4.2/debian/patches/fix-nimble-cert-validation-2021-21374.patch nim-1.4.6+really1.4.2/debian/patches/fix-nimble-cert-validation-2021-21374.patch
--- nim-1.4.2/debian/patches/fix-nimble-cert-validation-2021-21374.patch	1970-01-01 01:00:00.000000000 +0100
+++ nim-1.4.6+really1.4.2/debian/patches/fix-nimble-cert-validation-2021-21374.patch	2021-05-13 14:09:37.000000000 +0100
@@ -0,0 +1,68 @@
+Subject: Fix CVE-2021-21374 Nimble SSL certificate checking
+Origin: vendor
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=987272
+Bug: https://github.com/nim-lang/security/security/advisories/GHSA-c2wm-v66h-xhxx
+Forwarded: not-needed
+
+--- a/dist/nimble/src/nimblepkg/packageinfo.nim
++++ b/dist/nimble/src/nimblepkg/packageinfo.nim
+@@ -4,6 +4,7 @@
+ # Stdlib imports
+ import system except TResult
+ import hashes, json, strutils, os, sets, tables, httpclient
++from net import SSLError
+ 
+ # Local imports
+ import version, tools, common, options, cli, config
+@@ -199,8 +200,12 @@
+                 priority = LowPriority)
+ 
+       try:
+-        let client = newHttpClient(proxy = proxy)
++        let ctx = newSSLContext()
++        let client = newHttpClient(proxy = proxy, sslContext = ctx)
+         client.downloadFile(url, tempPath)
++      except SslError:
++        let message = "Failed to verify the SSL certificate for " & url
++        raiseNimbleError(message, "")
+       except:
+         let message = "Could not download: " & getCurrentExceptionMsg()
+         display("Warning:", message, Warning)
+--- a/dist/nimble/src/nimblepkg/publish.nim
++++ b/dist/nimble/src/nimblepkg/publish.nim
+@@ -7,6 +7,7 @@
+ import system except TResult
+ import httpclient, strutils, json, os, browsers, times, uri
+ import version, tools, common, cli, config, options
++from net import SslCVerifyMode, newContext
+ 
+ type
+   Auth = object
+@@ -51,7 +52,8 @@
+ 
+ proc getGithubAuth(o: Options): Auth =
+   let cfg = o.config
+-  result.http = newHttpClient(proxy = getProxy(o))
++  let ctx = newSSLContext()
++  result.http = newHttpClient(proxy = getProxy(o), sslContext = ctx)
+   # always prefer the environment variable to asking for a new one
+   if existsEnv(ApiTokenEnvironmentVariable):
+     result.token = getEnv(ApiTokenEnvironmentVariable)
+--- a/dist/nimble/src/nimblepkg/tools.nim
++++ b/dist/nimble/src/nimblepkg/tools.nim
+@@ -4,6 +4,7 @@
+ # Various miscellaneous utility functions reside here.
+ import osproc, pegs, strutils, os, uri, sets, json, parseutils
+ import version, cli, options
++from net import SslCVerifyMode, newContext, SslContext
+ 
+ proc extractBin(cmd: string): string =
+   if cmd[0] == '"':
+@@ -164,3 +165,7 @@
+   else:
+     tmpdir = getTempDir()
+   return tmpdir
++
++
++proc newSSLContext*(): SslContext =
++  return newContext(verifyMode = CVerifyPeer)
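Review bot: `proc newSSLContext*()` at the end of the tools.nim hunk is exported but carries no doc comment; I would add `## Returns an SslContext with verifyMode = CVerifyPeer so that every HTTP client built on it rejects certificates it cannot verify.` The `except SslError:` branch added in packageinfo.nim labels every SslError as a certificate verification failure, although the same exception type covers other TLS failures; `let message = "TLS error while downloading " & url & ": " & getCurrentExceptionMsg()` would stay accurate while still failing closed rather than falling through to the warning branch. The `from net import SslCVerifyMode, newContext` line added to publish.nim appears unused in the shown hunk, since `getGithubAuth` calls `newSSLContext()`, but the rest of that file is outside the quoted hunks. The enclosing procs in packageinfo.nim and publish.nim begin outside the hunks.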
diff -Nru nim-1.4.2/debian/patches/fix-nimble-rce-2021-21372.patch nim-1.4.6+really1.4.2/debian/patches/fix-nimble-rce-2021-21372.patch
--- nim-1.4.2/debian/patches/fix-nimble-rce-2021-21372.patch	1970-01-01 01:00:00.000000000 +0100
+++ nim-1.4.6+really1.4.2/debian/patches/fix-nimble-rce-2021-21372.patch	2021-05-13 14:09:37.000000000 +0100
@@ -0,0 +1,29 @@
+Subject: Fix CVE-2021-21372 Nimble doCmd Remote Code Execution
+Origin: vendor
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=987272
+Bug: https://github.com/nim-lang/security/security/advisories/GHSA-rg9f-w24h-962p
+Forwarded: not-needed
+
+--- a/dist/nimble/src/nimblepkg/download.nim
++++ b/dist/nimble/src/nimblepkg/download.nim
+@@ -88,7 +88,7 @@
+   result = @[]
+   case meth
+   of DownloadMethod.git:
+-    var (output, exitCode) = doCmdEx("git ls-remote --tags " & url)
++    var (output, exitCode) = doCmdEx("git ls-remote --tags " & url.quoteShell())
+     if exitCode != QuitSuccess:
+       raise newException(OSError, "Unable to query remote tags for " & url &
+           ". Git returned: " & output)
+@@ -136,9 +136,9 @@
+ 
+ proc checkUrlType*(url: string): DownloadMethod =
+   ## Determines the download method based on the URL.
+-  if doCmdEx("git ls-remote " & url).exitCode == QuitSuccess:
++  if doCmdEx("git ls-remote " & url.quoteShell()).exitCode == QuitSuccess:
+     return DownloadMethod.git
+-  elif doCmdEx("hg identify " & url).exitCode == QuitSuccess:
++  elif doCmdEx("hg identify " & url.quoteShell()).exitCode == QuitSuccess:
+     return DownloadMethod.hg
+   else:
+     raise newException(NimbleError, "Unable to identify url: " & url)
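Review bot: `url.quoteShell()` stops the shell from interpreting the URL, but git and hg still parse the resulting argument, so a value beginning with `-` is read as a command-line option rather than a repository location; placing `--` before the quoted argument, as in `doCmdEx("git ls-remote --tags -- " & url.quoteShell())` and `doCmdEx("hg identify -- " & url.quoteShell())`, makes the commands treat it as a positional argument only. The two quoted hunks cover the tag listing and `checkUrlType`; if download.nim builds other git or hg command lines from `url` outside these hunks, they would need the same treatment, which cannot be confirmed from here. The first hunk's enclosing proc starts outside the hunk.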
diff -Nru nim-1.4.2/debian/patches/fix-nimble-urls-2021-21373.patch nim-1.4.6+really1.4.2/debian/patches/fix-nimble-urls-2021-21373.patch
--- nim-1.4.2/debian/patches/fix-nimble-urls-2021-21373.patch	1970-01-01 01:00:00.000000000 +0100
+++ nim-1.4.6+really1.4.2/debian/patches/fix-nimble-urls-2021-21373.patch	2021-05-13 14:09:37.000000000 +0100
@@ -0,0 +1,45 @@
+Subject: Fix CVE-2021-21373 Nimble should use HTTPS URLs
+Origin: vendor
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=987272
+Bug: https://github.com/nim-lang/security/security/advisories/GHSA-8w52-r35x-rgp8
+Forwarded: not-needed
+
+--- a/dist/nimble/src/nimblepkg/config.nim
++++ b/dist/nimble/src/nimblepkg/config.nim
+@@ -28,8 +28,8 @@
+   result.packageLists = initTable[string, PackageList]()
+   let defaultPkgList = PackageList(name: "Official", urls: @[
+     "https://github.com/nim-lang/packages/raw/master/packages.json";,
+-    "http://irclogs.nim-lang.org/packages.json";,
+-    "http://nim-lang.org/nimble/packages.json";
++    "https://irclogs.nim-lang.org/packages.json";,
++    "https://nim-lang.org/nimble/packages.json";
+   ])
+   result.packageLists["official"] = defaultPkgList
+ 
+--- a/dist/nimble/tests/tester.nim
++++ b/dist/nimble/tests/tester.nim
+@@ -122,10 +122,10 @@
+       writeFile(configFile, """
+         [PackageList]
+         name = "official"
+-        url = "http://google.com";
+-        url = "http://google.com/404";
+-        url = "http://irclogs.nim-lang.org/packages.json";
+-        url = "http://nim-lang.org/nimble/packages.json";
++        url = "https://google.com";
++        url = "https://google.com/404";
++        url = "https://irclogs.nim-lang.org/packages.json";
++        url = "https://nim-lang.org/nimble/packages.json";
+         url = "https://github.com/nim-lang/packages/raw/master/packages.json";
+       """.unindent)
+ 
+@@ -135,7 +135,7 @@
+       check exitCode == QuitSuccess
+       check inLines(lines, "config file at")
+       check inLines(lines, "official package list")
+-      check inLines(lines, "http://google.com";)
++      check inLines(lines, "https://google.com";)
+       check inLines(lines, "packages.json file is invalid")
+       check inLines(lines, "404 not found")
+       check inLines(lines, "Package list downloaded.")
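Review bot: The change only rewrites the built-in package-list URLs to https; nothing in the config.nim hunk rejects a plain `http://` entry supplied through a user's own `[PackageList]` config, so such an entry would still be fetched without transport protection, which may be acceptable but is worth stating in the patch header. Every string literal in both hunks is shown followed by a stray `;` (for example `"https://nim-lang.org/nimble/packages.json";`), which looks like an artefact of the list archive's URL rendering rather than patch content, but anyone copying the patch from this page should confirm against the source package. The `tester.nim` hunks sit inside a test body that starts and ends outside the quoted lines.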
diff -Nru nim-1.4.2/debian/patches/series nim-1.4.6+really1.4.2/debian/patches/series
--- nim-1.4.2/debian/patches/series	2020-12-02 13:39:46.000000000 +0000
+++ nim-1.4.6+really1.4.2/debian/patches/series	2021-05-13 14:09:37.000000000 +0100
@@ -1,4 +1,5 @@
 #dont-build-remote-website.patch
+check-ssl-certs.patch
 fix-makefile-unsupported-arch.patch
 #fix-gnu-kfreebsd.patch
 #do-not-clone-nimble.patch
@@ -6,3 +7,6 @@
 #fix-broken-release
 fix-big-endian.patch
 #set-nimdoc-css-location.patch
+fix-nimble-rce-2021-21372.patch
+fix-nimble-urls-2021-21373.patch
+fix-nimble-cert-validation-2021-21374.patch

--- End Message ---
--- Begin Message ---
Unblocked.

--- End Message ---
