Package: release.debian.org Severity: normal User: release.debian....@packages.debian.org Usertags: unblock X-Debbugs-Cc: pkg-javascript-de...@lists.alioth.debian.org
Please unblock package underscore

[ Reason ]
underscore is vulnerable to arbitrary code execution (#986171, CVE-2021-23358)

[ Impact ]
The CVE advisory provides a PoC demonstrating arbitrary code execution

[ Tests ]
I added a test proving that the bug is fixed (based on the PoC). The test fails with 1.9.1~dfsg-1 and passes with 1.9.1~dfsg-2

[ Risks ]
The patch is trivial. Note: I also imported the Janitor changes; they break nothing

[ Checklist ]
[X] all changes are documented in the d/changelog
[X] I reviewed all changes and I approve them
[X] attach debdiff against the package in testing

[ Other ]
I downgraded the autopkgtest to "superficial" since nothing was really tested (just a node "require"). That is why I'm filing this unblock request ;-)

Regards,
Yadd

unblock underscore/1.9.1~dfsg-2
diff --git a/debian/changelog b/debian/changelog
index 02cd807..fed9aa8 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,26 @@
+underscore (1.9.1~dfsg-2) unstable; urgency=medium
+
+ * Team upload
+
+ [ Debian Janitor ]
+ * Bump debhelper dependency to >= 9, since that's what is used in
+ debian/compat.
+ * Bump debhelper from old 9 to 12.
+ * Set debhelper-compat version in Build-Depends.
+ * Set upstream metadata fields: Bug-Database, Repository, Repository-
+ Browse.
+ * Update standards version to 4.4.1, no changes needed.
+ * Set upstream metadata fields: Bug-Submit.
+ * Update standards version to 4.5.0, no changes needed.
+ * Apply multi-arch hints.
+ + node-underscore: Add Multi-Arch: foreign.
+
+ [ Yadd ]
+ * Mark autopkgtest as superficial
+ * Fix arbitrary code execution and add a test (Closes: #986171)
+
+ -- Yadd <y...@debian.org> Tue, 30 Mar 2021 22:40:59 +0200
+
 underscore (1.9.1~dfsg-1) unstable; urgency=medium
 
 [ upstream ]
diff --git a/debian/compat b/debian/compat
deleted file mode 100644
index ec63514..0000000
--- a/debian/compat
+++ /dev/null
@@ -1 +0,0 @@
-9
diff --git a/debian/control b/debian/control
index cb1e7e9..fc1d26b 100644
--- a/debian/control
+++ b/debian/control
@@ -7,11 +7,11 @@ Uploaders: David Paleino <da...@debian.org>,
 Build-Depends: brotli,
- debhelper,
+ debhelper-compat (= 12),
 node-source-map,
 pigz,
 uglifyjs (>= 3),
-Standards-Version: 4.3.0
+Standards-Version: 4.5.0
 Homepage: https://underscorejs.org/
 Vcs-Browser: https://salsa.debian.org/js-team/underscore
 Vcs-Git: https://salsa.debian.org/js-team/underscore.git
@@ -44,6 +44,7 @@ Depends: libjs-underscore,
 nodejs,
 ${misc:Depends},
+Multi-Arch: foreign
 Description: JavaScript's functional programming helper library - NodeJS
 Underscore is a utility-belt library for JavaScript that provides a lot of
 the functional programming support that you would expect in
diff --git a/debian/patches/CVE-2021-23358.patch b/debian/patches/CVE-2021-23358.patch
new file mode 100644
index 0000000..2ba4118
--- /dev/null
+++ b/debian/patches/CVE-2021-23358.patch
@@ -0,0 +1,62 @@
+Description: fix arbitrary code execution
+Author: Julian Gonggrijp <d...@juliangonggrijp.com>
+Origin: upstream, https://github.com/jashkenas/underscore/commit/4c73526d
+Bug: https://snyk.io/vuln/SNYK-JS-UNDERSCORE-1080984
+Bug-Debian: https://bugs.debian.org/986171
+Forwarded: not-needed
+Reviewed-By: Xavier Guimard <y...@debian.org>
+Last-Update: 2021-03-30
+
+--- a/underscore.js
++++ b/underscore.js
+@@ -1550,6 +1550,13 @@
+ return '\\' + escapes[match];
+ };
+ 
++ // In order to prevent third-party code injection through
++ // `_.templateSettings.variable`, we test it against the following regular
++ // expression. It is intentionally a bit more liberal than just matching valid
++ // identifiers, but still prevents possible loopholes through defaults or
++ // destructuring assignment.
++ var bareIdentifier = /^\s*(\w|\$)+\s*$/;
++
+ // JavaScript micro-templating, similar to John Resig's implementation.
+ // Underscore templating handles arbitrary delimiters, preserves whitespace,
+ // and correctly escapes quotes within interpolated code.
+@@ -1585,8 +1592,17 @@
+ });
+ source += "';\n";
+ 
+- // If a variable is not specified, place data values in local scope.
+- if (!settings.variable) source = 'with(obj||{}){\n' + source + '}\n';
++ var argument = settings.variable;
++ if (argument) {
++ // Insure against third-party code injection.
++ if (!bareIdentifier.test(argument)) throw new Error(
++ 'variable is not a bare identifier: ' + argument
++ );
++ } else {
++ // If a variable is not specified, place data values in local scope.
++ source = 'with(obj||{}){\n' + source + '}\n';
++ argument = 'obj';
++ }
+ 
+ source = "var __t,__p='',__j=Array.prototype.join," +
+ "print=function(){__p+=__j.call(arguments,'');};\n" +
+@@ -1594,7 +1610,7 @@
+ 
+ var render;
+ try {
+- render = new Function(settings.variable || 'obj', '_', source);
++ render = new Function(argument, '_', source);
+ } catch (e) {
+ e.source = source;
+ throw e;
+@@ -1605,7 +1621,6 @@
+ };
+ 
+ // Provide the compiled source as a convenience for precompilation.
+- var argument = settings.variable || 'obj';
+ template.source = 'function(' + argument + '){\n' + source + '}';
+ 
+ return template;
diff --git a/debian/patches/series b/debian/patches/series
index da362d2..7ddac86 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1 +1,2 @@
 2001_docs_privacy.patch
+CVE-2021-23358.patch
diff --git a/debian/tests/CVE-2021-23358 b/debian/tests/CVE-2021-23358
new file mode 100755
index 0000000..a2ae590
--- /dev/null
+++ b/debian/tests/CVE-2021-23358
@@ -0,0 +1,11 @@
+#!/bin/sh
+
+if node debian/tests/CVE-2021-23358.js 2>/dev/null; then
+ rm -f HELLO
+ echo 'Vulnerable to CVE-2021-23358' >&2
+ exit 1
+else
+ echo
+ echo 'Not vulnerable to CVE-2021-23358'
+ exit 0
+fi
diff --git a/debian/tests/CVE-2021-23358.js b/debian/tests/CVE-2021-23358.js
new file mode 100644
index 0000000..fad7c77
--- /dev/null
+++ b/debian/tests/CVE-2021-23358.js
@@ -0,0 +1,3 @@
+const _ = require('underscore');
+_.templateSettings.variable = "a = this.process.mainModule.require('child_process').execSync('touch HELLO')";
+const t = _.template("")();
diff --git a/debian/tests/control b/debian/tests/control
index 7275831..868aa31 100644
--- a/debian/tests/control
+++ b/debian/tests/control
@@ -1 +1,7 @@
 Test-Command: node -e "require('underscore');"
+Depends: @
+Restrictions: superficial
+
+Tests: CVE-2021-23358
+Depends: @
+Restrictions: superficial
diff --git a/debian/upstream/metadata b/debian/upstream/metadata
new file mode 100644
index 0000000..ae91ed7
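Review bot: The guard `var bareIdentifier = /^\s*(\w|\$)+\s*$/;` in the patch's first inner hunk is ASCII-only (`\w` matches no non-ASCII letters), so a `templateSettings.variable` that is a valid Unicode identifier and was accepted by 1.9.1~dfsg-1 now throws `variable is not a bare identifier`. That is upstream's deliberate trade-off, but it is a visible behaviour change for existing callers, and the changelog line `Fix arbitrary code execution and add a test (Closes: #986171)` could say so, e.g. by appending `(templateSettings.variable must now be a bare ASCII identifier)`. The body of `_.template` begins before the inner `@@ -1585,8 +1592,17 @@` hunk and its closing lines are outside the patch.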
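Review bot: The shell test in debian/tests/CVE-2021-23358 reports the package as fixed whenever `node` exits non-zero, and `2>/dev/null` discards the reason, so a missing `underscore` module, an unrelated exception or a node crash all print `Not vulnerable to CVE-2021-23358` and the test passes on a broken environment. The same weakness is in debian/tests/CVE-2021-23358.js, which does not check that the error it gets is the new `variable is not a bare identifier` rejection. Checking for the `HELLO` artefact and for the expected message ties the result to the fix rather than to any failure; the rewrite below also removes a stale `HELLO` before the run and keeps node's stderr for diagnosis.
```sh
#!/bin/sh
err="${AUTOPKGTEST_TMP:-/tmp}/CVE-2021-23358.err"
rm -f HELLO
node debian/tests/CVE-2021-23358.js 2>"$err"
status=$?
if [ "$status" -eq 0 ] || [ -e HELLO ]; then
  rm -f HELLO
  echo 'Vulnerable to CVE-2021-23358' >&2
  exit 1
fi
if grep -q 'variable is not a bare identifier' "$err"; then
  echo 'Not vulnerable to CVE-2021-23358'
  exit 0
fi
echo 'Test did not run as expected (see node output below)' >&2
cat "$err" >&2
exit 1
```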
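Review bot: The new `Tests: CVE-2021-23358` stanza in debian/tests/control carries `Restrictions: superficial`, although that test exercises the actual fix rather than a bare `require`; `superficial` tells the migration tooling the test provides no meaningful coverage, so it would not serve as a regression gate. If that is not the intent, keep the restriction only on the `Test-Command` smoke test and reduce the second stanza to `Tests: CVE-2021-23358` / `Depends: @`. The report's own wording says the downgrade was aimed at the `require`-only test, so this looks like an oversight rather than a choice.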
--- /dev/null
+++ b/debian/upstream/metadata
@@ -0,0 +1,4 @@
+Bug-Database: https://github.com/jashkenas/underscore/issues
+Repository: https://github.com/jashkenas/underscore.git
+Repository-Browse: https://github.com/jashkenas/underscore
+Bug-Submit: https://github.com/jashkenas/underscore/issues/new