Bug#1023798: Update to fix also CVE-2022-37599

To: 1023798@bugs.debian.org
Subject: Bug#1023798: Update to fix also CVE-2022-37599
From: Yadd <yadd@debian.org>
Date: Mon, 14 Nov 2022 11:01:39 +0100
Message-id: <[🔎] 968e7a60-56cc-4cf6-6678-76909317a508@debian.org>
Reply-to: Yadd <yadd@debian.org>, 1023798@bugs.debian.org
References: <[🔎] 166807795249.3606856.17113754866194432422.reportbug@debian007.xnr.fr>

Hi,

here is another update to fix CVE-2022-37599 (trivial patch).

Cheers,
Yadd

diff --git a/debian/changelog b/debian/changelog
index 7d05292..5ba6d13 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+node-loader-utils (2.0.0-1+deb11u1) bullseye; urgency=medium
+
+  * Team upload
+  * Fix prototype pollution (Closes: CVE-2022-37601)
+  * Fix ReDos (Closes: CVE-2022-37599)
+
+ -- Yadd <yadd@debian.org>  Mon, 14 Nov 2022 10:58:58 +0100
+
 node-loader-utils (2.0.0-1) unstable; urgency=medium
 
   * Team upload
diff --git a/debian/patches/CVE-2022-37599.patch b/debian/patches/CVE-2022-37599.patch
new file mode 100644
index 0000000..d094c30
--- /dev/null
+++ b/debian/patches/CVE-2022-37599.patch
@@ -0,0 +1,19 @@
+Description: fix ReDoS
+Author: Alexander Akait <4567934+alexander-akait@users.noreply.github.com>
+Origin: upstream, https://github.com/webpack/loader-utils/commit/ac09944d
+Bug: https://github.com/webpack/loader-utils/issues/211
+Forwarded: not-needed
+Reviewed-By: Yadd <yadd@debian.org>
+Last-Update: 2022-11-14
+
+--- a/lib/interpolateName.js
++++ b/lib/interpolateName.js
+@@ -108,7 +108,7 @@
+       // `hash` and `contenthash` are same in `loader-utils` context
+       // let's keep `hash` for backward compatibility
+       .replace(
+-        /\[(?:([^:\]]+):)?(?:hash|contenthash)(?::([a-z]+\d*))?(?::(\d+))?\]/gi,
++        /\[(?:([^[:\]]+):)?(?:hash|contenthash)(?::([a-z]+\d*))?(?::(\d+))?\]/gi,
+         (all, hashType, digestType, maxLength) =>
+           getHashDigest(content, hashType, digestType, parseInt(maxLength, 10))
+       )
diff --git a/debian/patches/CVE-2022-37601.patch b/debian/patches/CVE-2022-37601.patch
new file mode 100644
index 0000000..12eaad6
--- /dev/null
+++ b/debian/patches/CVE-2022-37601.patch
@@ -0,0 +1,18 @@
+Description: fix prototype pollution
+Author: Mike Cebrian <michael.cebrian@gmail.com>
+Origin: upstream, https://github.com/webpack/loader-utils/commit/a93cf6f4
+Forwarded: not-needed
+Reviewed-By: Yadd <yadd@debian.org>
+Last-Update: 2022-11-10
+
+--- node-loader-utils-2.0.0.orig/lib/parseQuery.js
++++ node-loader-utils-2.0.0/lib/parseQuery.js
+@@ -26,7 +26,7 @@ function parseQuery(query) {
+   }
+ 
+   const queryArgs = query.split(/[,&]/g);
+-  const result = {};
++  const result = Object.create(null);
+ 
+   queryArgs.forEach((arg) => {
+     const idx = arg.indexOf('=');
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 0000000..5566245
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1,2 @@
+CVE-2022-37601.patch
+CVE-2022-37599.patch

Reply to:

References:
- Bug#1023798: bullseye-pu: package node-loader-utils/2.0.0-1+deb11u1
  - From: Yadd <yadd@debian.org>

Prev by Date: Bug#1024055: marked as done (buster-pu: package mariadb-10.3 10.3.37-0+deb10u1)
Next by Date: Bug#1023798: Update to fix also CVE-2022-37599
Previous by thread: Bug#1023798: bullseye-pu: package node-loader-utils/2.0.0-1+deb11u1
Next by thread: Bug#1023798: Update to fix also CVE-2022-37599
Index(es):
- Date
- Thread