Bug#1032994: unblock: node-webpack/5.76.1+dfsg1+~cs17.16.16-1
On 5/28/23 10:29, Graham Inggs wrote:
tags -1 + moreinfo
Hi Yadd
On Wed, 3 May 2023 at 04:51, Yadd <yadd@debian.org> wrote:
here is the current debdiff (without the big removal of useless
discoveryjs-json-ext/benchmarks)
I removed the moreinfo tag before realizing this is exactly the same
as the first debdiff.
You seem to have missed this comment:
On Wed, 15 Mar 2023 at 22:15, Paul Gevers <elbrus@debian.org> wrote:
This doesn't look like a targeted fix, but rather seems to include much
more.
How about reverting and providing a fix only for that CVE please?
Hi,
instead of reverting and have a too long version
(5.76.1+dfsg1+~cs17.16.16+really-5.75.0+dfsg+~cs17.16.14-1), if upload
to bookworm is allowed, I'm able to push this debdiff.
Cheers,
Yadd
diff --git a/debian/changelog b/debian/changelog
index 0053d7ee..a07dd9d4 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+node-webpack (5.75.0+dfsg+~cs17.16.14-1+deb12u1) bookworm; urgency=medium
+
+ * Team upload
+ * Avoid cross-realm objects (Closes: #1032904, CVE-2023-28154)
+
+ -- Yadd <yadd@debian.org> Mon, 29 May 2023 07:53:16 +0400
+
node-webpack (5.75.0+dfsg+~cs17.16.14-1) unstable; urgency=medium
* Team upload
diff --git a/debian/patches/CVE-2023-28154.patch b/debian/patches/CVE-2023-28154.patch
new file mode 100644
index 00000000..2f651167
--- /dev/null
+++ b/debian/patches/CVE-2023-28154.patch
@@ -0,0 +1,80 @@
+Description: avoid cross-realm objects
+Author: Jack Works <jackworks@protonmail.com>
+Origin: upstream, https://github.com/webpack/webpack/commit/4b4ca3bb
+Bug: https://www.cve.org/CVERecord?id=CVE-2023-28154
+Bug-Debian: https://bugs.debian.org/1032904
+Forwarded: not-needed
+Applied-Upstream: 5.76.1, commit:4b4ca3bb
+Reviewed-By: Yadd <yadd@debian.org>
+Last-Update: 2023-05-29
+
+--- a/lib/dependencies/ImportParserPlugin.js
++++ b/lib/dependencies/ImportParserPlugin.js
+@@ -137,7 +137,7 @@
+ if (importOptions.webpackInclude !== undefined) {
+ if (
+ !importOptions.webpackInclude ||
+- importOptions.webpackInclude.constructor.name !== "RegExp"
++ !(importOptions.webpackInclude instanceof RegExp)
+ ) {
+ parser.state.module.addWarning(
+ new UnsupportedFeatureWarning(
+@@ -146,13 +146,13 @@
+ )
+ );
+ } else {
+- include = new RegExp(importOptions.webpackInclude);
++ include = importOptions.webpackInclude;
+ }
+ }
+ if (importOptions.webpackExclude !== undefined) {
+ if (
+ !importOptions.webpackExclude ||
+- importOptions.webpackExclude.constructor.name !== "RegExp"
++ !(importOptions.webpackExclude instanceof RegExp)
+ ) {
+ parser.state.module.addWarning(
+ new UnsupportedFeatureWarning(
+@@ -161,7 +161,7 @@
+ )
+ );
+ } else {
+- exclude = new RegExp(importOptions.webpackExclude);
++ exclude = importOptions.webpackExclude;
+ }
+ }
+ if (importOptions.webpackExports !== undefined) {
+--- a/lib/javascript/JavascriptParser.js
++++ b/lib/javascript/JavascriptParser.js
+@@ -3635,17 +3635,27 @@
+ return EMPTY_COMMENT_OPTIONS;
+ }
+ let options = {};
++ /** @type {unknown[]} */
+ let errors = [];
+ for (const comment of comments) {
+ const { value } = comment;
+ if (value && webpackCommentRegExp.test(value)) {
+ // try compile only if webpack options comment is present
+ try {
+- const val = vm.runInNewContext(`(function(){return {${value}};})()`);
+- Object.assign(options, val);
++ for (let [key, val] of Object.entries(
++ vm.runInNewContext(`(function(){return {${value}};})()`)
++ )) {
++ if (typeof val === "object" && val !== null) {
++ if (val.constructor.name === "RegExp") val = new RegExp(val);
++ else val = JSON.parse(JSON.stringify(val));
++ }
++ options[key] = val;
++ }
+ } catch (e) {
+- e.comment = comment;
+- errors.push(e);
++ const newErr = new Error(String(e.message));
++ newErr.stack = String(e.stack);
++ Object.assign(newErr, { comment });
++ errors.push(newErr);
+ }
+ }
+ }
diff --git a/debian/patches/series b/debian/patches/series
index 16f26f45..dd57ffb6 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -4,3 +4,4 @@ webpack-cli-path.patch
terser-webpack-plugin.patch
fix-for-jest-29.patch
fix-tsconfig.patch
+CVE-2023-28154.patch
Reply to: