Package: release.debian.org Severity: normal Tags: buster User: release.debian....@packages.debian.org Usertags: pu
[ Reason ] grunt is vulnerable to a medium CVE (CVE-2020-7729, #969668) [ Impact ] The package grunt before 1.3.0 is vulnerable to Arbitrary Code Execution due to the default usage of the function load() instead of its secure replacement safeLoad() of the package js-yaml inside grunt.file.readYAML. [ Tests ] Patch contains a new upstream test. autopkgtest is OK [ Risks ] Low risk: the patch just adds some checks [ Checklist ] [X] *all* changes are documented in the d/changelog [X] I reviewed all changes and I approve them [X] attach debdiff against the package in (old)stable [X] the issue is verified as fixed in unstable [ Changes ] Upstream patch is imported without changes. It adds some checks during YAML file read and a little test. [ Other info ] Thanks for your work!
diff --git a/debian/changelog b/debian/changelog
index eaf56cc..f15438c 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+grunt (1.0.1-8+deb10u1) buster; urgency=medium
+
+ * Team upload
+ * Use `safeLoad` for loading YML files via `file.readYAML`
+ (Closes: #969668, CVE-2020-7729)
+
+ -- Xavier Guimard <y...@debian.org> Sun, 06 Sep 2020 23:41:10 +0200
+
 grunt (1.0.1-8) unstable; urgency=medium
 [ Harish K ]
diff --git a/debian/patches/CVE-2020-7729.patch b/debian/patches/CVE-2020-7729.patch
new file mode 100644
index 0000000..64bed12
--- /dev/null
+++ b/debian/patches/CVE-2020-7729.patch
@@ -0,0 +1,53 @@
+Description: Switch to use `safeLoad` for loading YML files via `file.readYAML`.
+Author: Vlad Filippov <vlad.filip...@gmail.com>
+Origin: upstream, https://github.com/gruntjs/grunt/commit/e350cea1
+Bug: https://snyk.io/vuln/SNYK-JS-GRUNT-597546
+Bug-Debian: https://bugs.debian.org/969668
+Forwarded: not-needed
+Reviewed-By: Xavier Guimard <y...@debian.org>
+Last-Update: 2020-09-06
+
+--- a/lib/grunt/file.js
++++ b/lib/grunt/file.js
+@@ -252,12 +252,21 @@
+ };
+
+ // Read a YAML file, parse its contents, return an object.
+-file.readYAML = function(filepath, options) {
++file.readYAML = function(filepath, options, yamlOptions) {
++ if (!options) { options = {}; }
++ if (!yamlOptions) { yamlOptions = {}; }
++
+ var src = file.read(filepath, options);
+ var result;
+ grunt.verbose.write('Parsing ' + filepath + '...');
+ try {
+- result = YAML.load(src);
++ // use the recommended way of reading YAML files
++ // https://github.com/nodeca/js-yaml#safeload-string---options-
++ if (yamlOptions.unsafeLoad) {
++ result = YAML.load(src);
++ } else {
++ result = YAML.safeLoad(src);
++ }
+ grunt.verbose.ok();
+ return result;
+ } catch (e) {
+--- a/test/grunt/file_test.js
++++ b/test/grunt/file_test.js
+@@ -452,10 +452,13 @@
+ test.done();
+ },
+ 'readYAML': function(test) {
+- test.expect(3);
++ test.expect(4);
+ var obj;
+ obj = grunt.file.readYAML('test/fixtures/utf8.yaml');
+- test.deepEqual(obj, this.object, 'file should be read as utf8 by default and parsed correctly.');
++ test.deepEqual(obj, this.object, 'file should be safely read as utf8 by default and parsed correctly.');
++
++ obj = grunt.file.readYAML('test/fixtures/utf8.yaml', null, {unsafeLoad: true});
++ test.deepEqual(obj, this.object, 'file should be unsafely read as utf8 by default and parsed correctly.');
+
+ obj = grunt.file.readYAML('test/fixtures/iso-8859-1.yaml', {encoding: 'iso-8859-1'});
+ test.deepEqual(obj, this.object, 'file should be read using the specified encoding.');
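Review bot: The new `yamlOptions` parameter of `file.readYAML` is only inspected for its `unsafeLoad` flag; neither `YAML.safeLoad(src)` nor `YAML.load(src)` receives the object, so any other js-yaml option a caller passes (schema, filename, etc.) is silently dropped. Either forward it, `result = YAML.safeLoad(src, yamlOptions);`, or state in the comment above the branch that only `unsafeLoad` is honoured. Since `unsafeLoad: true` restores the exact code path CVE-2020-7729 is about, the branch deserves a comment such as `// unsafeLoad re-enables YAML.load, the pre-CVE-2020-7729 behaviour; only set it for YAML from a trusted source.` The test message `'file should be unsafely read as utf8 by default …'` is also misleading, since the unsafe path is explicitly requested there rather than the default. The body of `file.readYAML` (its `catch` block) continues outside the inner hunk.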
diff --git a/debian/patches/series b/debian/patches/series
index fcd76bd..a874060 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,3 +1,4 @@
 add-root-variable.patch
 reproducible-build.patch
 adapt-gruntfile.patch
+CVE-2020-7729.patch