
Bug#1010211: marked as done (bullseye-pu: package grunt/1.3.0-1+deb11u1)



Your message dated Sat, 09 Jul 2022 11:47:43 +0100
with message-id <2280fe8c78e64b02a6c1d04c6dde5a32e342ba81.camel@adam-barratt.org.uk>
and subject line Closing requests for updates included in 11.4
has caused the Debian Bug report #1010211,
regarding bullseye-pu: package grunt/1.3.0-1+deb11u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1010211: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1010211
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian.org@packages.debian.org
Usertags: pu

[ Reason ]
grunt is vulnerable to path traversal

[ Impact ]
Medium security issue

[ Tests ]
Test passed, including new test

[ Risks ]
low risk, patch is trivial

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

[ Changes ]
Copy files and directories instead of symbolic links

[ Other info ]
Upstream patch applied without any change

Cheers,
Yadd
diff --git a/debian/changelog b/debian/changelog
index a28861f..23c3145 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+grunt (1.3.0-1+deb11u1) bullseye; urgency=medium
+
+  * Team upload
+  * Fix path traversal (Closes: #1009676, CVE-2022-0436)
+
+ -- Yadd <yadd@debian.org>  Tue, 26 Apr 2022 16:38:52 +0200
+
 grunt (1.3.0-1) unstable; urgency=medium
 
   * Team upload
diff --git a/debian/patches/CVE-2022-0436.patch b/debian/patches/CVE-2022-0436.patch
new file mode 100644
index 0000000..e10a16d
--- /dev/null
+++ b/debian/patches/CVE-2022-0436.patch
@@ -0,0 +1,81 @@
+Description: Handles symlinks by coping them as files or directories
+ This fixes "Path Traversal in GitHub repository gruntjs/grunt"
+Author: Vlad Filippov <vlad.filippov@gmail.com>
+Origin: upstream, https://github.com/gruntjs/grunt/commit/aad3d452
+Bug: https://huntr.dev/bounties/f55315e9-9f6d-4dbb-8c40-bae50c1ae92b
+Bug-Debian: https://bugs.debian.org/1009676
+Forwarded: not-needed
+Reviewed-By: Yadd <yadd@debian.org>
+Last-Update: 2022-04-26
+
+--- a/lib/grunt/file.js
++++ b/lib/grunt/file.js
+@@ -292,8 +292,11 @@
+ // Read a file, optionally processing its content, then write the output.
+ // Or read a directory, recursively creating directories, reading files,
+ // processing content, writing output.
++// Handles symlinks by coping them as files or directories.
+ file.copy = function copy(srcpath, destpath, options) {
+-  if (file.isDir(srcpath)) {
++  if (file._isSymbolicLink(srcpath)) {
++    file._copySymbolicLink(srcpath, destpath);
++  } else if (file.isDir(srcpath)) {
+     // Copy a directory, recursively.
+     // Explicitly create new dest directory.
+     file.mkdir(destpath);
+@@ -449,6 +452,24 @@
+   }
+ };
+ 
++file._isSymbolicLink = function() {
++  var filepath = path.join.apply(path, arguments);
++  return fs.lstatSync(filepath).isSymbolicLink();
++};
++
++file._copySymbolicLink = function(srcpath, destpath) {
++  var destdir = path.join(destpath, '..');
++  var fileBase = path.basename(srcpath);
++  // Use the correct relative path for the symlink
++  if (!grunt.file.isPathAbsolute(srcpath)) {
++    srcpath = path.relative(destdir, srcpath) || '.';
++  }
++  file.mkdir(destdir);
++  var mode = grunt.file.isDir(srcpath) ? 'dir' : 'file';
++  var destpath = path.join(destpath, fileBase);
++  return fs.symlinkSync(srcpath, destpath, mode);
++};
++
+ // Test to see if a filepath is contained within the CWD.
+ file.isPathInCwd = function() {
+   var filepath = path.join.apply(path, arguments);
+--- a/test/grunt/file_test.js
++++ b/test/grunt/file_test.js
+@@ -893,5 +893,28 @@
+       test.ok(grunt.file.isPathInCwd(path.resolve('deep')), 'subdirectory is in cwd');
+       test.done();
+     },
++    'symbolicLinkCopy': function(test) {
++      test.expect(4);
++      var srcfile = new Tempdir();
++      fs.symlinkSync(path.resolve('test/fixtures/octocat.png'), path.join(srcfile.path, 'octocat.png'), 'file');
++      // test symlink copy for files
++      var destdir = new Tempdir();
++      grunt.file.copy(path.join(srcfile.path, 'octocat.png'), destdir.path);
++      test.ok(fs.lstatSync(path.join(srcfile.path, 'octocat.png')).isSymbolicLink());
++      test.ok(fs.lstatSync(path.join(destdir.path, 'octocat.png')).isSymbolicLink());
++
++      // test symlink copy for directories
++      var srcdir = new Tempdir();
++      var destdir = new Tempdir();
++      var fixtures = path.resolve('test/fixtures');
++      var symlinkSource = path.join(srcdir.path, path.basename(fixtures));
++      console.log('symlinkSource', symlinkSource);
++      fs.symlinkSync(fixtures, symlinkSource, 'dir');
++
++      grunt.file.copy(symlinkSource, destdir.path);
++      test.ok(fs.lstatSync(symlinkSource).isSymbolicLink());
++      test.ok(fs.lstatSync(path.join(destdir.path, path.basename(fixtures))).isSymbolicLink());
++      test.done();
++    },
+   }
+ };
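Review bot: In `file._copySymbolicLink` the relative link target is computed against `destdir` (the parent of `destpath`), but the link is then created at `path.join(destpath, fileBase)`, one level deeper, so for a relative `srcpath` the new link appears to resolve to the wrong location. The `isDir(srcpath)` mode check also runs after `srcpath` has been rewritten, so it is evaluated against the process cwd rather than the original path; taking the mode before the rewrite and using `srcpath = path.relative(destpath, srcpath) || '.';` would keep the two consistent. The added test passes paths built from `Tempdir` paths, which are presumably absolute, so the relative branch is likely not exercised. The comment added above `file.copy` says symlinks are copied "as files or directories", while the code recreates a symlink pointing at the source path, so a copied tree can still hold links that lead outside the destination; `// Symlinks are not followed: a link to srcpath is recreated under destpath.` would describe it accurately. The body of `file.copy` continues outside the hunk.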
diff --git a/debian/patches/series b/debian/patches/series
index b8abb97..24fd9f9 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,3 +1,4 @@
 add-root-variable.patch
 fix-for-coffescript.diff
 adapt-gruntfile.patch
+CVE-2022-0436.patch

--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 11.4

(re-sending with fixed bug numbers)

Hi,

The updates discussed in these bugs were included in today's bullseye
point release.

Regards,

Adam

--- End Message ---
