Package: release.debian.org Severity: normal User: release.debian....@packages.debian.org Usertags: unblock
Please unblock package nim to fix #987272
[ Reason ]
The package currently in Bullseye (1.4.2-1) is affected by: CVE-2021-21372 CVE-2021-21373 CVE-2021-21374 CVE-2021-29495
[ Impact ]
The vulnerabilities would not be addressed
[ Tests ]
Run the default unit test suite and manual tests
[ Risks ]
Low. The security fixes have been backported from upstream releases using small quilt patches.
[ Checklist ]
[x] all changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in testing
[ Other info ]
N/A
unblock nim/1.4.6+really1.4.2-2
diff -Nru nim-1.4.2/debian/changelog nim-1.4.6+really1.4.2/debian/changelog
--- nim-1.4.2/debian/changelog 2020-12-02 13:39:46.000000000 +0000
+++ nim-1.4.6+really1.4.2/debian/changelog 2021-05-13 14:09:37.000000000 +0100
@@ -1,3 +1,17 @@
+nim (1.4.6+really1.4.2-2) unstable; urgency=medium
+
+ * Rebuild
+
+ -- Federico Ceratto <feder...@debian.org> Thu, 13 May 2021 14:09:37 +0100
+
+nim (1.4.6+really1.4.2-1) unstable; urgency=medium
+
+ * Upload 1.4.2 as 1.4.6+really1.4.2-1 (Closes: #987279)
+ * Security update for CVE-2021-21372 CVE-2021-21373
+ CVE-2021-21374 CVE-2021-29495 (Closes: #87272)
+
+ -- Federico Ceratto <feder...@debian.org> Fri, 07 May 2021 21:42:48 +0100
+
 nim (1.4.2-1) unstable; urgency=medium
 * New upstream release
diff -Nru nim-1.4.2/debian/patches/check-ssl-certs.patch nim-1.4.6+really1.4.2/debian/patches/check-ssl-certs.patch
--- nim-1.4.2/debian/patches/check-ssl-certs.patch 1970-01-01 01:00:00.000000000 +0100
+++ nim-1.4.6+really1.4.2/debian/patches/check-ssl-certs.patch 2021-05-13 14:09:37.000000000 +0100
@@ -0,0 +1,42 @@
+Subject: CVE-2021-29495 Check SSL certs by default; fix cert load error handling
+Origin: vendor
+Bug: https://github.com/nim-lang/security/security/advisories/GHSA-9vqv-2jj9-7mqr
+Forwarded: not-needed
+
+--- a/lib/pure/httpclient.nim
++++ b/lib/pure/httpclient.nim
+@@ -321,7 +321,7 @@
+ result = defaultSslContext
+ when defined(ssl):
+ if result == nil:
+- defaultSslContext = newContext(verifyMode = CVerifyNone)
++ defaultSslContext = newContext(verifyMode = CVerifyPeer)
+ result = defaultSslContext
+ doAssert result != nil, "failure to initialize the SSL context"
+
+--- a/lib/pure/net.nim
++++ b/lib/pure/net.nim
+@@ -626,11 +626,12 @@
+ discard newCTX.SSLCTXSetMode(SSL_MODE_AUTO_RETRY)
+ newCTX.loadCertificates(certFile, keyFile)
+
+- when not defined(nimDisableCertificateValidation) and not defined(windows):
++ const VerifySuccess = 1 # SSL_CTX_load_verify_locations returns 1 on success.
++ when not defined(nimDisableCertificateValidation):
+ if verifyMode != CVerifyNone:
+ # Use the caDir and caFile parameters if set
+ if caDir != "" or caFile != "":
+- if newCTX.SSL_CTX_load_verify_locations(caFile, caDir) != 0:
++ if newCTX.SSL_CTX_load_verify_locations(caFile, caDir) != VerifySuccess:
+ raise newException(IOError, "Failed to load SSL/TLS CA certificate(s).")
+
+ else:
+@@ -638,7 +639,7 @@
+ # the SSL_CERT_FILE and SSL_CERT_DIR env vars
+ var found = false
+ for fn in scanSSLCertificates():
+- if newCTX.SSL_CTX_load_verify_locations(fn, "") == 0:
++ if newCTX.SSL_CTX_load_verify_locations(fn, nil) == VerifySuccess:
+ found = true
+ break
+ if not found:
diff -Nru nim-1.4.2/debian/patches/fix-nimble-cert-validation-2021-21374.patch nim-1.4.6+really1.4.2/debian/patches/fix-nimble-cert-validation-2021-21374.patch
--- nim-1.4.2/debian/patches/fix-nimble-cert-validation-2021-21374.patch 1970-01-01 01:00:00.000000000 +0100
+++ nim-1.4.6+really1.4.2/debian/patches/fix-nimble-cert-validation-2021-21374.patch 2021-05-13 14:09:37.000000000 +0100
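Review bot: Switching the httpclient.nim default context to CVerifyPeer and correcting the SSL_CTX_load_verify_locations return-value checks in net.nim turns on chain validation, but nothing in this hunk shows the presented certificate being matched against the requested hostname; confirm that the 1.4.2 net.nim this patch is applied to performs hostname verification, since without it any certificate chaining to a trusted CA would be accepted for any host. The same question applies to the Nimble newSSLContext() added in fix-nimble-cert-validation-2021-21374.patch, which relies on this code path. The net.nim hunk also drops `and not defined(windows)` from the `when`, so the CA-loading block and the `if not found:` branch (whose body is outside the hunk) now run on Windows too — harmless for Debian, but worth a sentence in the patch header. Because the new default changes behaviour for every caller that never passed an sslContext (endpoints with untrusted certificates now fail), a debian/NEWS entry describing the new default and the `-d:nimDisableCertificateValidation` build flag would help users diagnose breakage.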
@@ -0,0 +1,68 @@
+Subject: Fix CVE-2021-21374 Nimble SSL certificate checking
+Origin: vendor
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=987272
+Bug: https://github.com/nim-lang/security/security/advisories/GHSA-c2wm-v66h-xhxx
+Forwarded: not-needed
+
+--- a/dist/nimble/src/nimblepkg/packageinfo.nim
++++ b/dist/nimble/src/nimblepkg/packageinfo.nim
+@@ -4,6 +4,7 @@
+ # Stdlib imports
+ import system except TResult
+ import hashes, json, strutils, os, sets, tables, httpclient
++from net import SSLError
+
+ # Local imports
+ import version, tools, common, options, cli, config
+@@ -199,8 +200,12 @@
+ priority = LowPriority)
+
+ try:
+- let client = newHttpClient(proxy = proxy)
++ let ctx = newSSLContext()
++ let client = newHttpClient(proxy = proxy, sslContext = ctx)
+ client.downloadFile(url, tempPath)
++ except SslError:
++ let message = "Failed to verify the SSL certificate for " & url
++ raiseNimbleError(message, "")
+ except:
+ let message = "Could not download: " & getCurrentExceptionMsg()
+ display("Warning:", message, Warning)
+--- a/dist/nimble/src/nimblepkg/publish.nim
++++ b/dist/nimble/src/nimblepkg/publish.nim
+@@ -7,6 +7,7 @@
+ import system except TResult
+ import httpclient, strutils, json, os, browsers, times, uri
+ import version, tools, common, cli, config, options
++from net import SslCVerifyMode, newContext
+
+ type
+ Auth = object
+@@ -51,7 +52,8 @@
+
+ proc getGithubAuth(o: Options): Auth =
+ let cfg = o.config
+- result.http = newHttpClient(proxy = getProxy(o))
++ let ctx = newSSLContext()
++ result.http = newHttpClient(proxy = getProxy(o), sslContext = ctx)
+ # always prefer the environment variable to asking for a new one
+ if existsEnv(ApiTokenEnvironmentVariable):
+ result.token = getEnv(ApiTokenEnvironmentVariable)
+--- a/dist/nimble/src/nimblepkg/tools.nim
++++ b/dist/nimble/src/nimblepkg/tools.nim
+@@ -4,6 +4,7 @@
+ # Various miscellaneous utility functions reside here.
+ import osproc, pegs, strutils, os, uri, sets, json, parseutils
+ import version, cli, options
++from net import SslCVerifyMode, newContext, SslContext
+
+ proc extractBin(cmd: string): string =
+ if cmd[0] == '"':
+@@ -164,3 +165,7 @@
+ else:
+ tmpdir = getTempDir()
+ return tmpdir
++
++
++proc newSSLContext*(): SslContext =
++ return newContext(verifyMode = CVerifyPeer)
diff -Nru nim-1.4.2/debian/patches/fix-nimble-rce-2021-21372.patch nim-1.4.6+really1.4.2/debian/patches/fix-nimble-rce-2021-21372.patch
--- nim-1.4.2/debian/patches/fix-nimble-rce-2021-21372.patch 1970-01-01 01:00:00.000000000 +0100
+++ nim-1.4.6+really1.4.2/debian/patches/fix-nimble-rce-2021-21372.patch 2021-05-13 14:09:37.000000000 +0100
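Review bot: The exported `newSSLContext*()` added at the end of tools.nim has no doc comment; add `## Returns an SslContext that verifies peer certificates (CVerifyPeer). Use it for every HTTPS client Nimble creates instead of a bare newHttpClient().` so the intent survives future edits. The `from net import SslCVerifyMode, newContext` added to publish.nim looks unused, since getGithubAuth only calls newSSLContext() from tools (imported on the line above), whereas tools.nim does need those names for CVerifyPeer; the hunk starts on the previous line of this mail and getGithubAuth continues past it. In packageinfo.nim the new `except SslError:` branch is correctly placed before the pre-existing bare `except:`, so a verification failure aborts via raiseNimbleError instead of degrading to a warning; whether downloadFile actually surfaces a handshake failure as SslError rather than an IOError/OSError depends on httpclient/net code outside the hunk and should be confirmed with a test against an endpoint whose certificate is not trusted.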
@@ -0,0 +1,29 @@
+Subject: Fix CVE-2021-21372 Nimble doCmd Remote Code Execution
+Origin: vendor
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=987272
+Bug: https://github.com/nim-lang/security/security/advisories/GHSA-rg9f-w24h-962p
+Forwarded: not-needed
+
+--- a/dist/nimble/src/nimblepkg/download.nim
++++ b/dist/nimble/src/nimblepkg/download.nim
+@@ -88,7 +88,7 @@
+ result = @[]
+ case meth
+ of DownloadMethod.git:
+- var (output, exitCode) = doCmdEx("git ls-remote --tags " & url)
++ var (output, exitCode) = doCmdEx("git ls-remote --tags " & url.quoteShell())
+ if exitCode != QuitSuccess:
+ raise newException(OSError, "Unable to query remote tags for " & url &
+ ". Git returned: " & output)
+@@ -136,9 +136,9 @@
+
+ proc checkUrlType*(url: string): DownloadMethod =
+ ## Determines the download method based on the URL.
+- if doCmdEx("git ls-remote " & url).exitCode == QuitSuccess:
++ if doCmdEx("git ls-remote " & url.quoteShell()).exitCode == QuitSuccess:
+ return DownloadMethod.git
+- elif doCmdEx("hg identify " & url).exitCode == QuitSuccess:
++ elif doCmdEx("hg identify " & url.quoteShell()).exitCode == QuitSuccess:
+ return DownloadMethod.hg
+ else:
+ raise newException(NimbleError, "Unable to identify url: " & url)
diff -Nru nim-1.4.2/debian/patches/fix-nimble-urls-2021-21373.patch nim-1.4.6+really1.4.2/debian/patches/fix-nimble-urls-2021-21373.patch
--- nim-1.4.2/debian/patches/fix-nimble-urls-2021-21373.patch 1970-01-01 01:00:00.000000000 +0100
+++ nim-1.4.6+really1.4.2/debian/patches/fix-nimble-urls-2021-21373.patch 2021-05-13 14:09:37.000000000 +0100
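Review bot: `url.quoteShell()` keeps shell metacharacters inside a single argument, but the value still reaches `git ls-remote` and `hg identify` as a positional argument, so a url beginning with `-` can be interpreted by those tools as an option rather than a repository; reject such values first, e.g. `if url.startsWith("-"): raise newException(NimbleError, "Unable to identify url: " & url)` at the top of checkUrlType and the equivalent before the git branch at line 88 (startsWith is from strutils), or terminate option parsing with `--` ahead of the url. A more durable fix would let doCmdEx take an argument list and run the tool without a shell, but that helper is outside this hunk. `quoteShell` lives in std/os, so check that download.nim's import block (outside the hunk) already brings os in. The changed `var (output, exitCode)` line can be `let` unless the tuple is reassigned further down in the proc, which continues past the hunk.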
@@ -0,0 +1,45 @@
+Subject: Fix CVE-2021-21373 Nimble should use HTTPS URLs
+Origin: vendor
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=987272
+Bug: https://github.com/nim-lang/security/security/advisories/GHSA-8w52-r35x-rgp8
+Forwarded: not-needed
+
+--- a/dist/nimble/src/nimblepkg/config.nim
++++ b/dist/nimble/src/nimblepkg/config.nim
+@@ -28,8 +28,8 @@
+ result.packageLists = initTable[string, PackageList]()
+ let defaultPkgList = PackageList(name: "Official", urls: @[
+ "https://github.com/nim-lang/packages/raw/master/packages.json",
+- "http://irclogs.nim-lang.org/packages.json",
+- "http://nim-lang.org/nimble/packages.json"
++ "https://irclogs.nim-lang.org/packages.json",
++ "https://nim-lang.org/nimble/packages.json"
+ ])
+ result.packageLists["official"] = defaultPkgList
+
+--- a/dist/nimble/tests/tester.nim
++++ b/dist/nimble/tests/tester.nim
+@@ -122,10 +122,10 @@
+ writeFile(configFile, """
+ [PackageList]
+ name = "official"
+- url = "http://google.com"
+- url = "http://google.com/404"
+- url = "http://irclogs.nim-lang.org/packages.json"
+- url = "http://nim-lang.org/nimble/packages.json"
++ url = "https://google.com"
++ url = "https://google.com/404"
++ url = "https://irclogs.nim-lang.org/packages.json"
++ url = "https://nim-lang.org/nimble/packages.json"
+ url = "https://github.com/nim-lang/packages/raw/master/packages.json"
+ """.unindent)
+
+@@ -135,7 +135,7 @@
+ check exitCode == QuitSuccess
+ check inLines(lines, "config file at")
+ check inLines(lines, "official package list")
+- check inLines(lines, "http://google.com")
++ check inLines(lines, "https://google.com")
+ check inLines(lines, "packages.json file is invalid")
+ check inLines(lines, "404 not found")
+ check inLines(lines, "Package list downloaded.")
diff -Nru nim-1.4.2/debian/patches/series nim-1.4.6+really1.4.2/debian/patches/series
--- nim-1.4.2/debian/patches/series 2020-12-02 13:39:46.000000000 +0000
+++ nim-1.4.6+really1.4.2/debian/patches/series 2021-05-13 
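Review bot: Only the built-in default list in config.nim is moved to https; a `url =` entry from a user or system nimble config is still taken verbatim, so the code that reads `[PackageList]` entries (outside this hunk) should at least warn when a configured url does not start with `https://`, otherwise the plaintext fetch this CVE removes remains reachable through configuration. The tester.nim edits only keep the test's expectations consistent with the new defaults, so nothing further is needed there. A short comment above the defaultPkgList literal, e.g. `# Package lists are fetched over TLS only: the JSON drives package resolution and must not be modifiable in transit.`, would keep a future edit from reintroducing plain http.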
14:09:37.000000000 +0100
@@ -1,4 +1,5 @@
 #dont-build-remote-website.patch
+check-ssl-certs.patch
 fix-makefile-unsupported-arch.patch
 #fix-gnu-kfreebsd.patch
 #do-not-clone-nimble.patch
@@ -6,3 +7,6 @@
 #fix-broken-release
 fix-big-endian.patch
 #set-nimdoc-css-location.patch
+fix-nimble-rce-2021-21372.patch
+fix-nimble-urls-2021-21373.patch
+fix-nimble-cert-validation-2021-21374.patch