--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-Cc: node-webpack@packages.debian.org
Control: affects -1 + src:node-webpack
[ Reason ]
node-webpack is vulnerable to cross-realm object access
(#1032904, CVE-2023-28154).
[ Impact ]
Medium security issue
[ Tests ]
Test updated, passed
[ Risks ]
Low risk, patch is trivial
[ Checklist ]
[X] all changes are documented in the d/changelog
[X] I reviewed all changes and I approve them
[X] attach debdiff against the package in (old)stable
[X] the issue is verified as fixed in unstable
Regards,
Yadd
diff --git a/debian/changelog b/debian/changelog
index 0053d7ee..a07dd9d4 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+node-webpack (5.75.0+dfsg+~cs17.16.14-1+deb12u1) bookworm; urgency=medium
+
+ * Team upload
+ * Avoid cross-realm objects (Closes: #1032904, CVE-2023-28154)
+
+ -- Yadd <yadd@debian.org> Mon, 29 May 2023 07:53:16 +0400
+
node-webpack (5.75.0+dfsg+~cs17.16.14-1) unstable; urgency=medium
* Team upload
diff --git a/debian/patches/CVE-2023-28154.patch b/debian/patches/CVE-2023-28154.patch
new file mode 100644
index 00000000..2f651167
--- /dev/null
+++ b/debian/patches/CVE-2023-28154.patch
@@ -0,0 +1,80 @@
+Description: avoid cross-realm objects
+Author: Jack Works <jackworks@protonmail.com>
+Origin: upstream, https://github.com/webpack/webpack/commit/4b4ca3bb
+Bug: https://www.cve.org/CVERecord?id=CVE-2023-28154
+Bug-Debian: https://bugs.debian.org/1032904
+Forwarded: not-needed
+Applied-Upstream: 5.76.1, commit:4b4ca3bb
+Reviewed-By: Yadd <yadd@debian.org>
+Last-Update: 2023-05-29
+
+--- a/lib/dependencies/ImportParserPlugin.js
++++ b/lib/dependencies/ImportParserPlugin.js
+@@ -137,7 +137,7 @@
+ if (importOptions.webpackInclude !== undefined) {
+ if (
+ !importOptions.webpackInclude ||
+- importOptions.webpackInclude.constructor.name !== "RegExp"
++ !(importOptions.webpackInclude instanceof RegExp)
+ ) {
+ parser.state.module.addWarning(
+ new UnsupportedFeatureWarning(
+@@ -146,13 +146,13 @@
+ )
+ );
+ } else {
+- include = new RegExp(importOptions.webpackInclude);
++ include = importOptions.webpackInclude;
+ }
+ }
+ if (importOptions.webpackExclude !== undefined) {
+ if (
+ !importOptions.webpackExclude ||
+- importOptions.webpackExclude.constructor.name !== "RegExp"
++ !(importOptions.webpackExclude instanceof RegExp)
+ ) {
+ parser.state.module.addWarning(
+ new UnsupportedFeatureWarning(
+@@ -161,7 +161,7 @@
+ )
+ );
+ } else {
+- exclude = new RegExp(importOptions.webpackExclude);
++ exclude = importOptions.webpackExclude;
+ }
+ }
+ if (importOptions.webpackExports !== undefined) {
+--- a/lib/javascript/JavascriptParser.js
++++ b/lib/javascript/JavascriptParser.js
+@@ -3635,17 +3635,27 @@
+ return EMPTY_COMMENT_OPTIONS;
+ }
+ let options = {};
++ /** @type {unknown[]} */
+ let errors = [];
+ for (const comment of comments) {
+ const { value } = comment;
+ if (value && webpackCommentRegExp.test(value)) {
+ // try compile only if webpack options comment is present
+ try {
+- const val = vm.runInNewContext(`(function(){return {${value}};})()`);
+- Object.assign(options, val);
++ for (let [key, val] of Object.entries(
++ vm.runInNewContext(`(function(){return {${value}};})()`)
++ )) {
++ if (typeof val === "object" && val !== null) {
++ if (val.constructor.name === "RegExp") val = new RegExp(val);
++ else val = JSON.parse(JSON.stringify(val));
++ }
++ options[key] = val;
++ }
+ } catch (e) {
+- e.comment = comment;
+- errors.push(e);
++ const newErr = new Error(String(e.message));
++ newErr.stack = String(e.stack);
++ Object.assign(newErr, { comment });
++ errors.push(newErr);
+ }
+ }
+ }
diff --git a/debian/patches/series b/debian/patches/series
index 16f26f45..dd57ffb6 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -4,3 +4,4 @@ webpack-cli-path.patch
terser-webpack-plugin.patch
fix-for-jest-29.patch
fix-tsconfig.patch
+CVE-2023-28154.patch
--- End Message ---