Package: release.debian.org Severity: normal Tags: bullseye User: release.debian....@packages.debian.org Usertags: pu
[ Reason ] grunt is vulnerable to path traversal [ Impact ] Medium security issue [ Tests ] Test passed, including new test [ Risks ] low risk, patch is trivial [ Checklist ] [X] *all* changes are documented in the d/changelog [X] I reviewed all changes and I approve them [X] attach debdiff against the package in (old)stable [X] the issue is verified as fixed in unstable [ Changes ] Copy files and directories instead of symbolic links [ Other info ] Upstream patch applied without any change Cheers, Yadd
diff --git a/debian/changelog b/debian/changelog
index a28861f..23c3145 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+grunt (1.3.0-1+deb11u1) bullseye; urgency=medium
+
+ * Team upload
+ * Fix path traversal (Closes: #1009676, CVE-2022-0436)
+
+ -- Yadd <y...@debian.org> Tue, 26 Apr 2022 16:38:52 +0200
+
 grunt (1.3.0-1) unstable; urgency=medium

 * Team upload
diff --git a/debian/patches/CVE-2022-0436.patch b/debian/patches/CVE-2022-0436.patch
new file mode 100644
index 0000000..e10a16d
--- /dev/null
+++ b/debian/patches/CVE-2022-0436.patch
@@ -0,0 +1,81 @@
+Description: Handles symlinks by coping them as files or directories
+ This fixes "Path Traversal in GitHub repository gruntjs/grunt"
+Author: Vlad Filippov <vlad.filip...@gmail.com>
+Origin: upstream, https://github.com/gruntjs/grunt/commit/aad3d452
+Bug: https://huntr.dev/bounties/f55315e9-9f6d-4dbb-8c40-bae50c1ae92b
+Bug-Debian: https://bugs.debian.org/1009676
+Forwarded: not-needed
+Reviewed-By: Yadd <y...@debian.org>
+Last-Update: 2022-04-26
+
+--- a/lib/grunt/file.js
++++ b/lib/grunt/file.js
+@@ -292,8 +292,11 @@
+ // Read a file, optionally processing its content, then write the output.
+ // Or read a directory, recursively creating directories, reading files,
+ // processing content, writing output.
++// Handles symlinks by coping them as files or directories.
+ file.copy = function copy(srcpath, destpath, options) {
+- if (file.isDir(srcpath)) {
++ if (file._isSymbolicLink(srcpath)) {
++ file._copySymbolicLink(srcpath, destpath);
++ } else if (file.isDir(srcpath)) {
+ // Copy a directory, recursively.
+ // Explicitly create new dest directory.
+ file.mkdir(destpath);
+@@ -449,6 +452,24 @@
+ }
+ };
+
++file._isSymbolicLink = function() {
++ var filepath = path.join.apply(path, arguments);
++ return fs.lstatSync(filepath).isSymbolicLink();
++};
++
++file._copySymbolicLink = function(srcpath, destpath) {
++ var destdir = path.join(destpath, '..');
++ var fileBase = path.basename(srcpath);
++ // Use the correct relative path for the symlink
++ if (!grunt.file.isPathAbsolute(srcpath)) {
++ srcpath = path.relative(destdir, srcpath) || '.';
++ }
++ file.mkdir(destdir);
++ var mode = grunt.file.isDir(srcpath) ? 'dir' : 'file';
++ var destpath = path.join(destpath, fileBase);
++ return fs.symlinkSync(srcpath, destpath, mode);
++};
++
+ // Test to see if a filepath is contained within the CWD.
+ file.isPathInCwd = function() {
+ var filepath = path.join.apply(path, arguments);
+--- a/test/grunt/file_test.js
++++ b/test/grunt/file_test.js
+@@ -893,5 +893,28 @@
+ test.ok(grunt.file.isPathInCwd(path.resolve('deep')), 'subdirectory is in cwd');
+ test.done();
+ },
++ 'symbolicLinkCopy': function(test) {
++ test.expect(4);
++ var srcfile = new Tempdir();
++ fs.symlinkSync(path.resolve('test/fixtures/octocat.png'), path.join(srcfile.path, 'octocat.png'), 'file');
++ // test symlink copy for files
++ var destdir = new Tempdir();
++ grunt.file.copy(path.join(srcfile.path, 'octocat.png'), destdir.path);
++ test.ok(fs.lstatSync(path.join(srcfile.path, 'octocat.png')).isSymbolicLink());
++ test.ok(fs.lstatSync(path.join(destdir.path, 'octocat.png')).isSymbolicLink());
++
++ // test symlink copy for directories
++ var srcdir = new Tempdir();
++ var destdir = new Tempdir();
++ var fixtures = path.resolve('test/fixtures');
++ var symlinkSource = path.join(srcdir.path, path.basename(fixtures));
++ console.log('symlinkSource', symlinkSource);
++ fs.symlinkSync(fixtures, symlinkSource, 'dir');
++
++ grunt.file.copy(symlinkSource, destdir.path);
++ test.ok(fs.lstatSync(symlinkSource).isSymbolicLink());
++ test.ok(fs.lstatSync(path.join(destdir.path, path.basename(fixtures))).isSymbolicLink());
++ test.done();
++ },
+ }
+ };
diff --git a/debian/patches/series b/debian/patches/series
index b8abb97..24fd9f9 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,3 +1,4 @@
 add-root-variable.patch
 fix-for-coffescript.diff
 adapt-gruntfile.patch
+CVE-2022-0436.patch
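Review bot: `file._copySymbolicLink` recreates the link at `path.join(destpath, fileBase)` rather than copying content, so the destination tree still contains a symlink whose target can lie outside it, and `destpath` is treated as a directory here while the directory branch of `file.copy` passes it to `file.mkdir` as the target itself (the rest of `file.copy` is outside the hunk). I would say so in the header comment, e.g. `// Symlinks are re-created, not followed: the copy holds a link to srcpath, and destpath is used as the containing directory.`, so that steps which package or serve the output know to handle links. The mode is also computed with `grunt.file.isDir(srcpath)` after `srcpath` was rewritten relative to `destdir`, which presumably resolves against the working directory and can pick the wrong type (relevant on Windows, where the type argument is used); moving `var mode = grunt.file.isDir(srcpath) ? 'dir' : 'file';` above the `isPathAbsolute` branch avoids that. The `lstatSync` check in `file._isSymbolicLink` and the later `fs.symlinkSync` are separate steps on the same path, and `lstatSync` throws on a missing source where the old code reached `file.isDir` first.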