Bug#1023798: Update to fix also CVE-2022-37599
On 14/11/2022 11:01, Yadd wrote:
Hi,
here is another update to fix CVE-2022-37599 (trivial patch).
Cheers,
Yadd
This fix also CVE-2022-37603 (duplicate of CVE-2022-37599)
diff --git a/debian/changelog b/debian/changelog
index 7d05292..aace5b2 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+node-loader-utils (2.0.0-1+deb11u1) bullseye; urgency=medium
+
+ * Team upload
+ * Fix prototype pollution (Closes: CVE-2022-37601)
+ * Fix ReDos (Closes: CVE-2022-37599, CVE-2022-37603)
+
+ -- Yadd <yadd@debian.org> Mon, 14 Nov 2022 10:58:58 +0100
+
node-loader-utils (2.0.0-1) unstable; urgency=medium
* Team upload
diff --git a/debian/patches/CVE-2022-37599.patch b/debian/patches/CVE-2022-37599.patch
new file mode 100644
index 0000000..d094c30
--- /dev/null
+++ b/debian/patches/CVE-2022-37599.patch
@@ -0,0 +1,19 @@
+Description: fix ReDoS
+Author: Alexander Akait <4567934+alexander-akait@users.noreply.github.com>
+Origin: upstream, https://github.com/webpack/loader-utils/commit/ac09944d
+Bug: https://github.com/webpack/loader-utils/issues/211
+Forwarded: not-needed
+Reviewed-By: Yadd <yadd@debian.org>
+Last-Update: 2022-11-14
+
+--- a/lib/interpolateName.js
++++ b/lib/interpolateName.js
+@@ -108,7 +108,7 @@
+ // `hash` and `contenthash` are same in `loader-utils` context
+ // let's keep `hash` for backward compatibility
+ .replace(
+- /\[(?:([^:\]]+):)?(?:hash|contenthash)(?::([a-z]+\d*))?(?::(\d+))?\]/gi,
++ /\[(?:([^[:\]]+):)?(?:hash|contenthash)(?::([a-z]+\d*))?(?::(\d+))?\]/gi,
+ (all, hashType, digestType, maxLength) =>
+ getHashDigest(content, hashType, digestType, parseInt(maxLength, 10))
+ )
diff --git a/debian/patches/CVE-2022-37601.patch b/debian/patches/CVE-2022-37601.patch
new file mode 100644
index 0000000..12eaad6
--- /dev/null
+++ b/debian/patches/CVE-2022-37601.patch
@@ -0,0 +1,18 @@
+Description: fix prototype pollution
+Author: Mike Cebrian <michael.cebrian@gmail.com>
+Origin: upstream, https://github.com/webpack/loader-utils/commit/a93cf6f4
+Forwarded: not-needed
+Reviewed-By: Yadd <yadd@debian.org>
+Last-Update: 2022-11-10
+
+--- node-loader-utils-2.0.0.orig/lib/parseQuery.js
++++ node-loader-utils-2.0.0/lib/parseQuery.js
+@@ -26,7 +26,7 @@ function parseQuery(query) {
+ }
+
+ const queryArgs = query.split(/[,&]/g);
+- const result = {};
++ const result = Object.create(null);
+
+ queryArgs.forEach((arg) => {
+ const idx = arg.indexOf('=');
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 0000000..5566245
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1,2 @@
+CVE-2022-37601.patch
+CVE-2022-37599.patch
Reply to: