- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: bullseye-pu: package node-log4js/6.3.0+~cs8.3.10-1+deb11u1
- From: Yadd <yadd@debian.org>
- Date: Fri, 08 Jul 2022 07:49:26 +0200
- Message-id: <165725936656.3829581.4501226621209934823.reportbug@debian007.xnr.fr>
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian.org@packages.debian.org
Usertags: pu
[ Reason ]
node-log4js creates log files with permissive permissions (mode 0644, i.e. world-readable).
This is a security issue (CVE-2022-21704).
[ Impact ]
Medium vulnerability
[ Tests ]
Test passed
[ Risks ]
No risk, patch is trivial
[ Checklist ]
[X] *all* changes are documented in the d/changelog
[X] I reviewed all changes and I approve them
[X] attach debdiff against the package in (old)stable
[X] the issue is verified as fixed in unstable
[ Changes ]
Replace default mode from 0644 to 0600
Regards,
Yadd
diff --git a/debian/changelog b/debian/changelog
index 75dbfc2..00af70f 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+node-log4js (6.3.0+~cs8.3.10-1+deb11u1) bullseye; urgency=medium
+
+ * Changed default file modes from 0o644 to 0o600 for better security
+ (Closes: CVE-2022-21704)
+
+ -- Yadd <yadd@debian.org> Fri, 08 Jul 2022 07:44:46 +0200
+
node-log4js (6.3.0+~cs8.3.10-1) unstable; urgency=medium
[ Debian Janitor ]
diff --git a/debian/patches/CVE-2022-21704.patch b/debian/patches/CVE-2022-21704.patch
new file mode 100644
index 0000000..76f1757
--- /dev/null
+++ b/debian/patches/CVE-2022-21704.patch
@@ -0,0 +1,177 @@
+Description: Changed default file modes from 0o644 to 0o600 for better security
+Author: peteriman <peteriman@mail.com>
+Origin: upstream, https://patch-diff.githubusercontent.com/raw/log4js-node/log4js-node/pull/1141
+ https://patch-diff.githubusercontent.com/raw/log4js-node/streamroller/pull/87
+Bug: https://github.com/log4js-node/log4js-node/security/advisories/GHSA-82v2-mx6x-wq7q
+Forwarded: not-needed
+Reviewed-By: Yadd <yadd@debian.org>
+Last-Update: 2022-07-08
+
+--- a/docs/dateFile.md
++++ b/docs/dateFile.md
+@@ -11,7 +11,7 @@
+
+ Any other configuration parameters will be passed to the underlying [streamroller](https://github.com/nomiddlename/streamroller) implementation (see also node.js core file streams):
+ * `encoding` - `string` (default "utf-8")
+-* `mode`- `integer` (default 0o644 - [node.js file modes](https://nodejs.org/dist/latest-v12.x/docs/api/fs.html#fs_file_modes))
++* `mode`- `integer` (default 0o600 - [node.js file modes](https://nodejs.org/dist/latest-v12.x/docs/api/fs.html#fs_file_modes))
+ * `flags` - `string` (default 'a')
+ * `compress` - `boolean` (default false) - compress the backup files during rolling (backup files will have `.gz` extension)
+ * `alwaysIncludePattern` - `boolean` (default false) - include the pattern in the name of the current log file as well as the backups.
+--- a/docs/file.md
++++ b/docs/file.md
+@@ -12,7 +12,7 @@
+
+ Any other configuration parameters will be passed to the underlying [streamroller](https://github.com/nomiddlename/streamroller) implementation (see also node.js core file streams):
+ * `encoding` - `string` (default "utf-8")
+-* `mode`- `integer` (default 0o644 - [node.js file modes](https://nodejs.org/dist/latest-v12.x/docs/api/fs.html#fs_file_modes))
++* `mode`- `integer` (default 0o600 - [node.js file modes](https://nodejs.org/dist/latest-v12.x/docs/api/fs.html#fs_file_modes))
+ * `flags` - `string` (default 'a')
+ * `compress` - `boolean` (default false) - compress the backup files during rolling (backup files will have `.gz` extension)
+ * `keepFileExt` - `boolean` (default false) - preserve the file extension when rotating log files (`file.log` becomes `file.1.log` instead of `file.log.1`)
+--- a/docs/fileSync.md
++++ b/docs/fileSync.md
+@@ -12,7 +12,7 @@
+
+ Any other configuration parameters will be passed to the underlying node.js core stream implementation:
+ * `encoding` - `string` (default "utf-8")
+-* `mode`- `integer` (default 0644)
++* `mode`- `integer` (default 0600)
+ * `flags` - `string` (default 'a')
+
+ ## Example
+--- a/lib/appenders/dateFile.js
++++ b/lib/appenders/dateFile.js
+@@ -49,7 +49,6 @@
+
+ function configure(config, layouts) {
+ let layout = layouts.basicLayout;
+-
+ if (config.layout) {
+ layout = layouts.layout(config.layout.type, config.layout);
+ }
+@@ -58,6 +57,9 @@
+ config.alwaysIncludePattern = false;
+ }
+
++ // security default (instead of relying on streamroller default)
++ config.mode = config.mode || 0o600;
++
+ return appender(
+ config.filename,
+ config.pattern,
+--- a/lib/appenders/file.js
++++ b/lib/appenders/file.js
+@@ -94,6 +94,9 @@
+ layout = layouts.layout(config.layout.type, config.layout);
+ }
+
++ // security default (instead of relying on streamroller default)
++ config.mode = config.mode || 0o600;
++
+ return fileAppender(
+ config.filename,
+ layout,
+--- a/lib/appenders/fileSync.js
++++ b/lib/appenders/fileSync.js
+@@ -192,7 +192,7 @@
+ const options = {
+ flags: config.flags || 'a',
+ encoding: config.encoding || 'utf8',
+- mode: config.mode || 0o644
++ mode: config.mode || 0o600
+ };
+
+ return fileAppender(
+--- a/streamroller/README.md
++++ b/streamroller/README.md
+@@ -20,7 +20,7 @@
+ * `numBackups` - the number of old files to keep
+ * `options` - Object
+ * `encoding` - defaults to 'utf8'
+- * `mode` - defaults to 0644
++ * `mode` - defaults to 0600
+ * `flags` - defaults to 'a' (see [fs.open](https://nodejs.org/dist/latest-v8.x/docs/api/fs.html#fs_fs_open_path_flags_mode_callback) for more details)
+ * `compress` - (boolean) defaults to `false` - compress the backup files using gzip (files will have `.gz` extension).
+ * `keepFileExt` - (boolean) defaults to `false` - keep the file original extension. e.g.: `abc.log -> abc.1.log`.
+@@ -46,7 +46,7 @@
+ * `pattern` (String) - the date pattern to trigger rolling (see below)
+ * `options` - Object
+ * `encoding` - defaults to 'utf8'
+- * `mode` defaults to 0644
++ * `mode` defaults to 0600
+ * `flags` defaults to 'a' (see [fs.open](https://nodejs.org/dist/latest-v8.x/docs/api/fs.html#fs_fs_open_path_flags_mode_callback) for more details)
+ * `compress` - (boolean) compress the backup files, defaults to false
+ * `keepFileExt` - (boolean) defaults to `false` - keep the file original extension. e.g.: `abc.log -> abc.2013-08-30.log`.
+--- a/streamroller/lib/RollingFileWriteStream.js
++++ b/streamroller/lib/RollingFileWriteStream.js
+@@ -21,7 +21,7 @@
+ * @param {number} options.numToKeep - The max numbers of files to keep.
+ * @param {number} options.maxSize - The maxSize one file can reach. Unit is Byte.
+ * This should be more than 1024. The default is Number.MAX_SAFE_INTEGER.
+- * @param {string} options.mode - The mode of the files. The default is '0644'. Refer to stream.writable for more.
++ * @param {string} options.mode - The mode of the files. The default is '0600'. Refer to stream.writable for more.
+ * @param {string} options.flags - The default is 'a'. Refer to stream.flags for more.
+ * @param {boolean} options.compress - Whether to compress backup files.
+ * @param {boolean} options.keepFileExt - Whether to keep the file extension.
+@@ -92,7 +92,7 @@
+ maxSize: Number.MAX_SAFE_INTEGER,
+ numToKeep: Number.MAX_SAFE_INTEGER,
+ encoding: "utf8",
+- mode: parseInt("0644", 8),
++ mode: parseInt("0600", 8),
+ flags: "a",
+ compress: false,
+ keepFileExt: false,
+--- a/streamroller/test/DateRollingFileStream-test.js
++++ b/streamroller/test/DateRollingFileStream-test.js
+@@ -48,7 +48,7 @@
+ });
+
+ it("with default settings for the underlying stream", function() {
+- stream.currentFileStream.mode.should.eql(420);
++ stream.currentFileStream.mode.should.eql(0o600);
+ stream.currentFileStream.flags.should.eql("a");
+ });
+ });
+--- a/streamroller/test/RollingFileStream-test.js
++++ b/streamroller/test/RollingFileStream-test.js
+@@ -65,7 +65,7 @@
+ });
+
+ it("should apply default settings to the underlying stream", function() {
+- stream.theStream.mode.should.eql(420);
++ stream.theStream.mode.should.eql(0o600);
+ stream.theStream.flags.should.eql("a");
+ });
+ });
+--- a/streamroller/test/RollingFileWriteStream-test.js
++++ b/streamroller/test/RollingFileWriteStream-test.js
+@@ -99,14 +99,14 @@
+ it("should take a filename and options, return Writable", () => {
+ s.should.be.an.instanceOf(stream.Writable);
+ s.currentFileStream.path.should.eql(fileObj.path);
+- s.currentFileStream.mode.should.eql(420);
++ s.currentFileStream.mode.should.eql(0o600);
+ s.currentFileStream.flags.should.eql("a");
+ });
+
+ it("should apply default options", () => {
+ s.options.maxSize.should.eql(Number.MAX_SAFE_INTEGER);
+ s.options.encoding.should.eql("utf8");
+- s.options.mode.should.eql(420);
++ s.options.mode.should.eql(0o600);
+ s.options.flags.should.eql("a");
+ s.options.compress.should.eql(false);
+ s.options.keepFileExt.should.eql(false);
+--- a/types/log4js.d.ts
++++ b/types/log4js.d.ts
+@@ -174,7 +174,7 @@
+ pattern?: string;
+ // default “utf-8”
+ encoding?: string;
+- // default 0644
++ // default 0600
+ mode?: number;
+ // default ‘a’
+ flags?: string;
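Review bot: The JSDoc line rewritten in streamroller/lib/RollingFileWriteStream.js, `@param {string} options.mode - The mode of the files. The default is '0600'.`, still declares the option as a string and quotes the default as one, while the default actually set a few lines below is `parseInt("0600", 8)`, a number; `@param {number} options.mode - The mode of the files. The default is 0o600.` would match the code. The appender defaults added in lib/appenders/dateFile.js and lib/appenders/file.js (`config.mode = config.mode || 0o600;`) take effect only when the underlying stream creates the file, and the value is still subject to the process umask, so a log file that already exists with 0644 keeps those permissions after this update; the changelog entry could say so, since operators will need to tighten existing log files themselves. Those two assignments also write the default into the caller-supplied config object rather than a local copy, which the comment above them could mention. The enclosing `configure` functions in both appenders start outside the quoted hunks.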
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 0000000..9649c1e
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1 @@
+CVE-2022-21704.patch