
Bug#1010211: bullseye-pu: package grunt/1.3.0-1+deb11u1



Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian.org@packages.debian.org
Usertags: pu

[ Reason ]
grunt is vulnerable to path traversal

[ Impact ]
Medium security issue

[ Tests ]
Test passed, including new test

[ Risks ]
low risk, patch is trivial

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

[ Changes ]
Copy files and directories instead of symbolic links

[ Other info ]
Upstream patch applied without any change

Cheers,
Yadd
diff --git a/debian/changelog b/debian/changelog
index a28861f..23c3145 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+grunt (1.3.0-1+deb11u1) bullseye; urgency=medium
+
+  * Team upload
+  * Fix path traversal (Closes: #1009676, CVE-2022-0436)
+
+ -- Yadd <yadd@debian.org>  Tue, 26 Apr 2022 16:38:52 +0200
+
 grunt (1.3.0-1) unstable; urgency=medium
 
   * Team upload
diff --git a/debian/patches/CVE-2022-0436.patch b/debian/patches/CVE-2022-0436.patch
new file mode 100644
index 0000000..e10a16d
--- /dev/null
+++ b/debian/patches/CVE-2022-0436.patch
@@ -0,0 +1,81 @@
+Description: Handles symlinks by coping them as files or directories
+ This fixes "Path Traversal in GitHub repository gruntjs/grunt"
+Author: Vlad Filippov <vlad.filippov@gmail.com>
+Origin: upstream, https://github.com/gruntjs/grunt/commit/aad3d452
+Bug: https://huntr.dev/bounties/f55315e9-9f6d-4dbb-8c40-bae50c1ae92b
+Bug-Debian: https://bugs.debian.org/1009676
+Forwarded: not-needed
+Reviewed-By: Yadd <yadd@debian.org>
+Last-Update: 2022-04-26
+
+--- a/lib/grunt/file.js
++++ b/lib/grunt/file.js
+@@ -292,8 +292,11 @@
+ // Read a file, optionally processing its content, then write the output.
+ // Or read a directory, recursively creating directories, reading files,
+ // processing content, writing output.
++// Handles symlinks by coping them as files or directories.
+ file.copy = function copy(srcpath, destpath, options) {
+-  if (file.isDir(srcpath)) {
++  if (file._isSymbolicLink(srcpath)) {
++    file._copySymbolicLink(srcpath, destpath);
++  } else if (file.isDir(srcpath)) {
+     // Copy a directory, recursively.
+     // Explicitly create new dest directory.
+     file.mkdir(destpath);
+@@ -449,6 +452,24 @@
+   }
+ };
+ 
++file._isSymbolicLink = function() {
++  var filepath = path.join.apply(path, arguments);
++  return fs.lstatSync(filepath).isSymbolicLink();
++};
++
++file._copySymbolicLink = function(srcpath, destpath) {
++  var destdir = path.join(destpath, '..');
++  var fileBase = path.basename(srcpath);
++  // Use the correct relative path for the symlink
++  if (!grunt.file.isPathAbsolute(srcpath)) {
++    srcpath = path.relative(destdir, srcpath) || '.';
++  }
++  file.mkdir(destdir);
++  var mode = grunt.file.isDir(srcpath) ? 'dir' : 'file';
++  var destpath = path.join(destpath, fileBase);
++  return fs.symlinkSync(srcpath, destpath, mode);
++};
++
+ // Test to see if a filepath is contained within the CWD.
+ file.isPathInCwd = function() {
+   var filepath = path.join.apply(path, arguments);
+--- a/test/grunt/file_test.js
++++ b/test/grunt/file_test.js
+@@ -893,5 +893,28 @@
+       test.ok(grunt.file.isPathInCwd(path.resolve('deep')), 'subdirectory is in cwd');
+       test.done();
+     },
++    'symbolicLinkCopy': function(test) {
++      test.expect(4);
++      var srcfile = new Tempdir();
++      fs.symlinkSync(path.resolve('test/fixtures/octocat.png'), path.join(srcfile.path, 'octocat.png'), 'file');
++      // test symlink copy for files
++      var destdir = new Tempdir();
++      grunt.file.copy(path.join(srcfile.path, 'octocat.png'), destdir.path);
++      test.ok(fs.lstatSync(path.join(srcfile.path, 'octocat.png')).isSymbolicLink());
++      test.ok(fs.lstatSync(path.join(destdir.path, 'octocat.png')).isSymbolicLink());
++
++      // test symlink copy for directories
++      var srcdir = new Tempdir();
++      var destdir = new Tempdir();
++      var fixtures = path.resolve('test/fixtures');
++      var symlinkSource = path.join(srcdir.path, path.basename(fixtures));
++      console.log('symlinkSource', symlinkSource);
++      fs.symlinkSync(fixtures, symlinkSource, 'dir');
++
++      grunt.file.copy(symlinkSource, destdir.path);
++      test.ok(fs.lstatSync(symlinkSource).isSymbolicLink());
++      test.ok(fs.lstatSync(path.join(destdir.path, path.basename(fixtures))).isSymbolicLink());
++      test.done();
++    },
+   }
+ };
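Review bot: In `file._copySymbolicLink` the link is created at `path.join(destpath, fileBase)`, so `destpath` is treated as a containing directory, yet only its parent (`destdir`) is passed to `file.mkdir`; if `destpath` does not already exist, `fs.symlinkSync` has no directory to place the link in. The directory branch of `file.copy` treats `destpath` as the destination itself (`file.mkdir(destpath)`), and the new `symbolicLinkCopy` test passes only because it hands in an existing temp directory. Creating the link at the destination, `return fs.symlinkSync(srcpath, destpath, mode);`, and dropping `fileBase` and the `var destpath` redeclaration of the parameter would make the branches agree; the test's expected paths would have to follow. Separately, `mode` is read from `grunt.file.isDir(srcpath)` after `srcpath` has been rewritten relative to `destdir`, so that check presumably resolves against the working directory rather than the link's location; computing `mode` before the rewrite avoids this. The rest of `file.copy` lies outside the nested hunk, so how the recursive directory copy reaches this branch is not visible here.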
diff --git a/debian/patches/series b/debian/patches/series
index b8abb97..24fd9f9 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,3 +1,4 @@
 add-root-variable.patch
 fix-for-coffescript.diff
 adapt-gruntfile.patch
+CVE-2022-0436.patch
