Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian....@packages.debian.org
Usertags: pu
X-Debbugs-Cc: gr...@packages.debian.org
Control: affects -1 + src:grunt
[ Reason ]
file.copy operations in GruntJS are vulnerable to a TOCTOU race condition
leading to arbitrary file write in GitHub repository gruntjs/grunt prior to
1.5.3. This vulnerability is capable of arbitrary file writes, which can lead
to local privilege escalation to the GruntJS user if a lower-privileged user
has write access to both source and destination directories, as the
lower-privileged user can create a symlink to the GruntJS user's .bashrc file
or replace the /etc/shadow file if the GruntJS user is root.

[ Impact ]
Medium security issue

[ Tests ]
Test updated, passed

[ Risks ]
Low risk: patch is trivial

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

[ Changes ]
Refuse to copy a file if the destination is a symlink

Cheers,
Yadd
diff --git a/debian/changelog b/debian/changelog index 23c3145..dcebea4 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +grunt (1.3.0-1+deb11u2) bullseye; urgency=medium + + * Team upload + * Patch up race condition in symlink copying (Closes: CVE-2022-1537) + + -- Yadd <y...@debian.org> Wed, 31 May 2023 14:59:30 +0400 + grunt (1.3.0-1+deb11u1) bullseye; urgency=medium * Team upload diff --git a/debian/patches/CVE-2022-1537.patch b/debian/patches/CVE-2022-1537.patch new file mode 100644 index 0000000..19c750b --- /dev/null +++ b/debian/patches/CVE-2022-1537.patch 
@@ -0,0 +1,39 @@ +Description: Patch up race condition in symlink copying +Author: Vlad Filippov <vlad.filip...@gmail.com> +Origin: upstream, https://github.com/gruntjs/grunt/commit/58016ffa +Bug: https://huntr.dev/bounties/0179c3e5-bc02-4fc9-8491-a1a319b51b4d/ +Forwarded: not-needed +Applied-Upstream: 1.5.3, commit:58016ffa +Reviewed-By: Yadd <y...@debian.org> +Last-Update: 2023-05-31 + +--- a/lib/grunt/file.js ++++ b/lib/grunt/file.js +@@ -333,8 +333,8 @@ + } + } + // Abort copy if the process function returns false. +- if (contents === false) { +- grunt.verbose.writeln('Write aborted.'); ++ if (contents === false || file.isLink(destpath)) { ++ grunt.verbose.writeln('Write aborted. Either the process function returned false or the destination is a symlink'); + } else { + file.write(destpath, contents, readWriteOptions); + } +--- a/test/grunt/file_test.js ++++ b/test/grunt/file_test.js +@@ -916,5 +916,13 @@ + test.ok(fs.lstatSync(path.join(destdir.path, path.basename(fixtures))).isSymbolicLink()); + test.done(); + }, +- } ++ }, ++ 'symbolicLinkDestError': function(test) { ++ test.expect(1); ++ var tmpfile = new Tempdir(); ++ fs.symlinkSync(path.resolve('test/fixtures/octocat.png'), path.join(tmpfile.path, 'octocat.png'), 'file'); ++ grunt.file.copy(path.resolve('test/fixtures/octocat.png'), path.join(tmpfile.path, 'octocat.png')); ++ test.ok(fs.lstatSync(path.join(tmpfile.path, 'octocat.png')).isSymbolicLink()); ++ test.done(); ++ }, + }; diff --git a/debian/patches/series b/debian/patches/series index 24fd9f9..6231471 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -2,3 +2,4 @@ add-root-variable.patch fix-for-coffescript.diff adapt-gruntfile.patch CVE-2022-0436.patch +CVE-2022-1537.patch
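Review bot: in the lib/grunt/file.js hunk, `file.isLink(destpath)` followed by `file.write(destpath, contents, readWriteOptions)` is itself a check-then-use pair, so the change narrows the race window rather than closing it, and it only inspects the final path component, not a symlinked parent directory. A robust fix refuses the link at open time (O_NOFOLLOW, or O_EXCL on a fresh name followed by rename) so the check and the write are one atomic operation. The combined message 'Write aborted. Either the process function returned false or the destination is a symlink' also hides which case occurred and goes only to verbose output; a refused symlink destination is a security-relevant event and deserves its own message at warn level so that a silently skipped copy is noticed.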
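Review bot: the new 'symbolicLinkDestError' test in test/grunt/file_test.js does not distinguish patched from unpatched code: the symlink is created pointing at the same test/fixtures/octocat.png that is then copied, so a write that followed the link would rewrite identical bytes, and `fs.lstatSync(...).isSymbolicLink()` stays true either way, since writing through a symlink leaves the link in place unless file.write unlinks first, which this hunk does not show. Point the link at a separate temp file with known contents and assert after the copy that those contents are unchanged; the name 'symbolicLinkDestError' also suggests an error is raised, whereas the hunk only aborts the write, so either rename the test or assert on whatever signal the API is meant to give.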