
Bug#1014571: bullseye-pu: package node-log4js/6.3.0+~cs8.3.10-1+deb11u1



Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian.org@packages.debian.org
Usertags: pu

[ Reason ]
node-log4js creates log files with permissive permissions (mode 644). This
is a security issue (CVE-2022-21704).

[ Impact ]
Medium vulnerability

[ Tests ]
Tests passed

[ Risks ]
No risk: the patch is trivial

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

[ Changes ]
Change the default file mode from 0644 to 0600

Regards,
Yadd
diff --git a/debian/changelog b/debian/changelog
index 75dbfc2..00af70f 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+node-log4js (6.3.0+~cs8.3.10-1+deb11u1) bullseye; urgency=medium
+
+  * Changed default file modes from 0o644 to 0o600 for better security
+    (Closes: CVE-2022-21704)
+
+ -- Yadd <yadd@debian.org>  Fri, 08 Jul 2022 07:44:46 +0200
+
 node-log4js (6.3.0+~cs8.3.10-1) unstable; urgency=medium
 
   [ Debian Janitor ]
diff --git a/debian/patches/CVE-2022-21704.patch b/debian/patches/CVE-2022-21704.patch
new file mode 100644
index 0000000..76f1757
--- /dev/null
+++ b/debian/patches/CVE-2022-21704.patch
@@ -0,0 +1,177 @@
+Description: Changed default file modes from 0o644 to 0o600 for better security
+Author: peteriman <peteriman@mail.com>
+Origin: upstream, https://patch-diff.githubusercontent.com/raw/log4js-node/log4js-node/pull/1141
+ https://patch-diff.githubusercontent.com/raw/log4js-node/streamroller/pull/87
+Bug: https://github.com/log4js-node/log4js-node/security/advisories/GHSA-82v2-mx6x-wq7q
+Forwarded: not-needed
+Reviewed-By: Yadd <yadd@debian.org>
+Last-Update: 2022-07-08
+
+--- a/docs/dateFile.md
++++ b/docs/dateFile.md
+@@ -11,7 +11,7 @@
+ 
+ Any other configuration parameters will be passed to the underlying [streamroller](https://github.com/nomiddlename/streamroller) implementation (see also node.js core file streams):
+ * `encoding` - `string` (default "utf-8")
+-* `mode`- `integer` (default 0o644 - [node.js file modes](https://nodejs.org/dist/latest-v12.x/docs/api/fs.html#fs_file_modes))
++* `mode`- `integer` (default 0o600 - [node.js file modes](https://nodejs.org/dist/latest-v12.x/docs/api/fs.html#fs_file_modes))
+ * `flags` - `string` (default 'a')
+ * `compress` - `boolean` (default false) - compress the backup files during rolling (backup files will have `.gz` extension)
+ * `alwaysIncludePattern` - `boolean` (default false) - include the pattern in the name of the current log file as well as the backups.
+--- a/docs/file.md
++++ b/docs/file.md
+@@ -12,7 +12,7 @@
+ 
+ Any other configuration parameters will be passed to the underlying [streamroller](https://github.com/nomiddlename/streamroller) implementation (see also node.js core file streams):
+ * `encoding` - `string` (default "utf-8")
+-* `mode`- `integer` (default 0o644 - [node.js file modes](https://nodejs.org/dist/latest-v12.x/docs/api/fs.html#fs_file_modes))
++* `mode`- `integer` (default 0o600 - [node.js file modes](https://nodejs.org/dist/latest-v12.x/docs/api/fs.html#fs_file_modes))
+ * `flags` - `string` (default 'a')
+ * `compress` - `boolean` (default false) - compress the backup files during rolling (backup files will have `.gz` extension)
+ * `keepFileExt` - `boolean` (default false) - preserve the file extension when rotating log files (`file.log` becomes `file.1.log` instead of `file.log.1`)
+--- a/docs/fileSync.md
++++ b/docs/fileSync.md
+@@ -12,7 +12,7 @@
+ 
+ Any other configuration parameters will be passed to the underlying node.js core stream implementation:
+ * `encoding` - `string` (default "utf-8")
+-* `mode`- `integer` (default 0644)
++* `mode`- `integer` (default 0600)
+ * `flags` - `string` (default 'a')
+ 
+ ## Example
+--- a/lib/appenders/dateFile.js
++++ b/lib/appenders/dateFile.js
+@@ -49,7 +49,6 @@
+ 
+ function configure(config, layouts) {
+   let layout = layouts.basicLayout;
+-
+   if (config.layout) {
+     layout = layouts.layout(config.layout.type, config.layout);
+   }
+@@ -58,6 +57,9 @@
+     config.alwaysIncludePattern = false;
+   }
+ 
++  // security default (instead of relying on streamroller default)
++  config.mode = config.mode || 0o600;
++
+   return appender(
+     config.filename,
+     config.pattern,
+--- a/lib/appenders/file.js
++++ b/lib/appenders/file.js
+@@ -94,6 +94,9 @@
+     layout = layouts.layout(config.layout.type, config.layout);
+   }
+ 
++  // security default (instead of relying on streamroller default)
++  config.mode = config.mode || 0o600;
++
+   return fileAppender(
+     config.filename,
+     layout,
+--- a/lib/appenders/fileSync.js
++++ b/lib/appenders/fileSync.js
+@@ -192,7 +192,7 @@
+   const options = {
+     flags: config.flags || 'a',
+     encoding: config.encoding || 'utf8',
+-    mode: config.mode || 0o644
++    mode: config.mode || 0o600
+   };
+ 
+   return fileAppender(
+--- a/streamroller/README.md
++++ b/streamroller/README.md
+@@ -20,7 +20,7 @@
+ * `numBackups` - the number of old files to keep
+ * `options` - Object
+   * `encoding` - defaults to 'utf8'
+-  * `mode` - defaults to 0644
++  * `mode` - defaults to 0600
+   * `flags` - defaults to 'a' (see [fs.open](https://nodejs.org/dist/latest-v8.x/docs/api/fs.html#fs_fs_open_path_flags_mode_callback) for more details)
+   * `compress` - (boolean) defaults to `false` - compress the backup files using gzip (files will have `.gz` extension).
+   * `keepFileExt` - (boolean) defaults to `false` - keep the file original extension. e.g.: `abc.log -> abc.1.log`.
+@@ -46,7 +46,7 @@
+ * `pattern` (String) - the date pattern to trigger rolling (see below)
+ * `options` - Object
+ 	* `encoding` - defaults to 'utf8'
+-	* `mode` defaults to 0644
++	* `mode` defaults to 0600
+ 	* `flags` defaults to 'a' (see [fs.open](https://nodejs.org/dist/latest-v8.x/docs/api/fs.html#fs_fs_open_path_flags_mode_callback) for more details)
+     * `compress` - (boolean) compress the backup files, defaults to false
+     * `keepFileExt` - (boolean) defaults to `false` - keep the file original extension. e.g.: `abc.log -> abc.2013-08-30.log`.
+--- a/streamroller/lib/RollingFileWriteStream.js
++++ b/streamroller/lib/RollingFileWriteStream.js
+@@ -21,7 +21,7 @@
+    * @param {number} options.numToKeep - The max numbers of files to keep.
+    * @param {number} options.maxSize - The maxSize one file can reach. Unit is Byte.
+    *                                   This should be more than 1024. The default is Number.MAX_SAFE_INTEGER.
+-   * @param {string} options.mode - The mode of the files. The default is '0644'. Refer to stream.writable for more.
++   * @param {string} options.mode - The mode of the files. The default is '0600'. Refer to stream.writable for more.
+    * @param {string} options.flags - The default is 'a'. Refer to stream.flags for more.
+    * @param {boolean} options.compress - Whether to compress backup files.
+    * @param {boolean} options.keepFileExt - Whether to keep the file extension.
+@@ -92,7 +92,7 @@
+       maxSize: Number.MAX_SAFE_INTEGER,
+       numToKeep: Number.MAX_SAFE_INTEGER,
+       encoding: "utf8",
+-      mode: parseInt("0644", 8),
++      mode: parseInt("0600", 8),
+       flags: "a",
+       compress: false,
+       keepFileExt: false,
+--- a/streamroller/test/DateRollingFileStream-test.js
++++ b/streamroller/test/DateRollingFileStream-test.js
+@@ -48,7 +48,7 @@
+     });
+ 
+     it("with default settings for the underlying stream", function() {
+-      stream.currentFileStream.mode.should.eql(420);
++      stream.currentFileStream.mode.should.eql(0o600);
+       stream.currentFileStream.flags.should.eql("a");
+     });
+   });
+--- a/streamroller/test/RollingFileStream-test.js
++++ b/streamroller/test/RollingFileStream-test.js
+@@ -65,7 +65,7 @@
+     });
+ 
+     it("should apply default settings to the underlying stream", function() {
+-      stream.theStream.mode.should.eql(420);
++      stream.theStream.mode.should.eql(0o600);
+       stream.theStream.flags.should.eql("a");
+     });
+   });
+--- a/streamroller/test/RollingFileWriteStream-test.js
++++ b/streamroller/test/RollingFileWriteStream-test.js
+@@ -99,14 +99,14 @@
+     it("should take a filename and options, return Writable", () => {
+       s.should.be.an.instanceOf(stream.Writable);
+       s.currentFileStream.path.should.eql(fileObj.path);
+-      s.currentFileStream.mode.should.eql(420);
++      s.currentFileStream.mode.should.eql(0o600);
+       s.currentFileStream.flags.should.eql("a");
+     });
+ 
+     it("should apply default options", () => {
+       s.options.maxSize.should.eql(Number.MAX_SAFE_INTEGER);
+       s.options.encoding.should.eql("utf8");
+-      s.options.mode.should.eql(420);
++      s.options.mode.should.eql(0o600);
+       s.options.flags.should.eql("a");
+       s.options.compress.should.eql(false);
+       s.options.keepFileExt.should.eql(false);
+--- a/types/log4js.d.ts
++++ b/types/log4js.d.ts
+@@ -174,7 +174,7 @@
+   pattern?: string;
+   // default “utf-8”
+   encoding?: string;
+-  // default 0644
++  // default 0600
+   mode?: number;
+   // default ‘a’
+   flags?: string;
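Review bot: The new `config.mode = config.mode || 0o600` lines in dateFile.js and file.js, and the `mode: config.mode || 0o600` entry in fileSync.js, only change the mode used when a log file is created, so files that already exist on disk with 0644 keep those permissions after this update is installed; the changelog entry would be more useful to administrators with a line such as `    Existing log files keep their previous permissions and must be tightened manually.` The resulting mode is still narrowed by the process umask, which cannot widen 0o600, so that part is fine. Whether the compressed `.gz` backup files that streamroller writes during rolling are created with the same mode is not visible in this hunk and is worth confirming before treating the advisory as fully closed. The `configure` functions these lines are added to start outside the quoted hunks.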
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 0000000..9649c1e
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1 @@
+CVE-2022-21704.patch
