On 5/28/23 10:29, Graham Inggs wrote:
tags -1 + moreinfo
Hi Yadd
On Wed, 3 May 2023 at 04:51, Yadd <y...@debian.org> wrote:
here is the current debdiff (without the big removal of useless
discoveryjs-json-ext/benchmarks)
I removed the moreinfo tag before realizing this is exactly the same
as the first debdiff.
You seem to have missed this comment:
On Wed, 15 Mar 2023 at 22:15, Paul Gevers <elb...@debian.org> wrote:
This doesn't look like a targeted fix, but rather seems to include much
more.
How about reverting and providing a fix only for that CVE please?
Hi,
instead of reverting and have a too long version
(5.76.1+dfsg1+~cs17.16.16+really-5.75.0+dfsg+~cs17.16.14-1), if upload
to bookworm is allowed, I'm able to push this debdiff.
Cheers,
Yadd
diff --git a/debian/changelog b/debian/changelog
index 0053d7ee..a07dd9d4 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+node-webpack (5.75.0+dfsg+~cs17.16.14-1+deb12u1) bookworm; urgency=medium
+
+ * Team upload
+ * Avoid cross-realm objects (Closes: #1032904, CVE-2023-28154)
+
+ -- Yadd <y...@debian.org> Mon, 29 May 2023 07:53:16 +0400
+
node-webpack (5.75.0+dfsg+~cs17.16.14-1) unstable; urgency=medium
* Team upload
diff --git a/debian/patches/CVE-2023-28154.patch
b/debian/patches/CVE-2023-28154.patch
new file mode 100644
index 00000000..2f651167
--- /dev/null
+++ b/debian/patches/CVE-2023-28154.patch
@@ -0,0 +1,80 @@
+Description: avoid cross-realm objects
+Author: Jack Works <jackwo...@protonmail.com>
+Origin: upstream, https://github.com/webpack/webpack/commit/4b4ca3bb
+Bug: https://www.cve.org/CVERecord?id=CVE-2023-28154
+Bug-Debian: https://bugs.debian.org/1032904
+Forwarded: not-needed
+Applied-Upstream: 5.76.1, commit:4b4ca3bb
+Reviewed-By: Yadd <y...@debian.org>
+Last-Update: 2023-05-29
+
+--- a/lib/dependencies/ImportParserPlugin.js
++++ b/lib/dependencies/ImportParserPlugin.js
+@@ -137,7 +137,7 @@
+ if (importOptions.webpackInclude !== undefined)
{
+ if (
+ !importOptions.webpackInclude ||
+-
importOptions.webpackInclude.constructor.name !== "RegExp"
++ !(importOptions.webpackInclude
instanceof RegExp)
+ ) {
+ parser.state.module.addWarning(
+ new
UnsupportedFeatureWarning(
+@@ -146,13 +146,13 @@
+ )
+ );
+ } else {
+- include = new
RegExp(importOptions.webpackInclude);
++ include =
importOptions.webpackInclude;
+ }
+ }
+ if (importOptions.webpackExclude !== undefined)
{
+ if (
+ !importOptions.webpackExclude ||
+-
importOptions.webpackExclude.constructor.name !== "RegExp"
++ !(importOptions.webpackExclude
instanceof RegExp)
+ ) {
+ parser.state.module.addWarning(
+ new
UnsupportedFeatureWarning(
+@@ -161,7 +161,7 @@
+ )
+ );
+ } else {
+- exclude = new
RegExp(importOptions.webpackExclude);
++ exclude =
importOptions.webpackExclude;
+ }
+ }
+ if (importOptions.webpackExports !== undefined)
{
+--- a/lib/javascript/JavascriptParser.js
++++ b/lib/javascript/JavascriptParser.js
+@@ -3635,17 +3635,27 @@
+ return EMPTY_COMMENT_OPTIONS;
+ }
+ let options = {};
++ /** @type {unknown[]} */
+ let errors = [];
+ for (const comment of comments) {
+ const { value } = comment;
+ if (value && webpackCommentRegExp.test(value)) {
+ // try compile only if webpack options comment
is present
+ try {
+- const val =
vm.runInNewContext(`(function(){return {${value}};})()`);
+- Object.assign(options, val);
++ for (let [key, val] of Object.entries(
++
vm.runInNewContext(`(function(){return {${value}};})()`)
++ )) {
++ if (typeof val === "object" &&
val !== null) {
++ if
(val.constructor.name === "RegExp") val = new RegExp(val);
++ else val =
JSON.parse(JSON.stringify(val));
++ }
++ options[key] = val;
++ }
+ } catch (e) {
+- e.comment = comment;
+- errors.push(e);
++ const newErr = new
Error(String(e.message));
++ newErr.stack = String(e.stack);
++ Object.assign(newErr, { comment });
++ errors.push(newErr);
+ }
+ }
+ }
diff --git a/debian/patches/series b/debian/patches/series
index 16f26f45..dd57ffb6 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -4,3 +4,4 @@ webpack-cli-path.patch
terser-webpack-plugin.patch
fix-for-jest-29.patch
fix-tsconfig.patch
+CVE-2023-28154.patch
