On 1/31/25 07:29, Salvatore Bonaccorso wrote:
Hi,
Thanks for your reply.
Disclaimer: I am not part of the release team.
On Fri, Jan 31, 2025 at 07:22:36AM +0100, Yadd wrote:
On 1/30/25 22:26, Salvatore Bonaccorso wrote:
Hi,
On Thu, Jan 30, 2025 at 06:55:08PM +0100, Yadd wrote:
Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: node-ax...@packages.debian.org
Control: affects -1 + src:node-axios
User: release.debian....@packages.debian.org
Usertags: pu
[ Reason ]
In axios before 1.7.8, lib/helpers/isURLSameOrigin.js does not use a
URL object when determining an origin, and has a potentially
unwanted setAttribute('href',href) call.
[...]
Do you know what happened to the 1.2.1+dfsg-1+deb12u1 version?
According to the git commit this was aimed to fix CVE-2023-45857 via a
point release as well but never got uploaded?
Regards,
Salvatore
Hi,
I don't remember what happened here.
Ok, guess no worries. Stable release managers: there is also a previous,
never-uploaded change (1.2.1+dfsg-1+deb12u1) that fixes another no-dsa
issue (CVE-2023-45857), and it should be included in this upload.
Xavier, maybe you can post the debdiff additionally to the version
which is currently in stable to get the full view.
Regards,
Salvatore
Yes of course, here it is. I can merge the two changelog entries into one if you want.
diff --git a/debian/changelog b/debian/changelog
index c5ce5d4..5c966ce 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,18 @@
+node-axios (1.2.1+dfsg-1+deb12u2) bookworm; urgency=medium
+
+ * Team upload
+ * Fix potential vulnerability in URL when determining an origin
+ (Closes: #1094731, CVE-2024-57965)
+
+ -- Yadd <y...@debian.org> Thu, 30 Jan 2025 18:52:13 +0100
+
+node-axios (1.2.1+dfsg-1+deb12u1) bookworm; urgency=medium
+
+ * Team upload
+ * Fix CSRF vulnerability (Closes: #1056099, CVE-2023-45857)
+
+ -- Yadd <y...@debian.org> Tue, 21 Nov 2023 09:11:35 +0400
+
node-axios (1.2.1+dfsg-1) unstable; urgency=medium
* Team upload
diff --git a/debian/patches/CVE-2023-45857.patch
b/debian/patches/CVE-2023-45857.patch
new file mode 100644
index 0000000..33d3b44
--- /dev/null
+++ b/debian/patches/CVE-2023-45857.patch
@@ -0,0 +1,43 @@
+Description: fixed CSRF vulnerability CVE-2023-45857 (#6028)
+Author: Valentin Panov <valentin.pa...@me.com>
+Origin: upstream, https://github.com/axios/axios/commit/96ee232b
+Bug: https://github.com/axios/axios/issues/6006
+Bug-Debian: https://bugs.debian.org/1056099
+Forwarded: not-needed
+Applied-Upstream: 1.6.0, commit:96ee232b
+Reviewed-By: Yadd <y...@debian.org>
+Last-Update: 2023-11-21
+
+--- a/lib/adapters/xhr.js
++++ b/lib/adapters/xhr.js
+@@ -179,8 +179,8 @@
+ // Specifically not if we're in a web worker, or react-native.
+ if (platform.isStandardBrowserEnv) {
+ // Add xsrf header
+- const xsrfValue = (config.withCredentials || isURLSameOrigin(fullPath))
+- && config.xsrfCookieName && cookies.read(config.xsrfCookieName);
++ // regarding CVE-2023-45857 config.withCredentials condition was
removed temporarily
++ const xsrfValue = isURLSameOrigin(fullPath) && config.xsrfCookieName &&
cookies.read(config.xsrfCookieName);
+
+ if (xsrfValue) {
+ requestHeaders.set(config.xsrfHeaderName, xsrfValue);
+--- a/test/specs/xsrf.spec.js
++++ b/test/specs/xsrf.spec.js
+@@ -67,7 +67,7 @@
+ });
+ });
+
+- it('should set xsrf header for cross origin when using withCredentials',
function (done) {
++ it('should not set xsrf header for cross origin when using
withCredentials', function (done) {
+ document.cookie = axios.defaults.xsrfCookieName + '=12345';
+
+ axios('http://example.com/', {
+@@ -75,7 +75,7 @@
+ });
+
+ getAjaxRequest().then(function (request) {
+-
expect(request.requestHeaders[axios.defaults.xsrfHeaderName]).toEqual('12345');
++
expect(request.requestHeaders[axios.defaults.xsrfHeaderName]).toEqual(undefined);
+ done();
+ });
+ });
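Review bot: The comment added at line 83 says the `config.withCredentials` condition was "removed temporarily", but in a stable backport nothing follows it, so a reader of this tree cannot tell whether cross-origin XSRF with credentials is ever meant to come back; I would make it state the contract instead: `// CVE-2023-45857: the XSRF cookie is only sent to the page's own origin, regardless of withCredentials; this version has no opt-in`. This is a deliberate behavior change for applications that relied on the header being sent cross-origin together with `withCredentials`, which is worth a sentence in the changelog or a NEWS entry beyond "Fix CSRF vulnerability". The fix now rests entirely on `isURLSameOrigin(fullPath)` returning false for foreign origins, so any later change to that helper (such as the second patch in this series) has to keep its browser-environment branch live. The enclosing xhr adapter function starts and ends outside the hunk.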
diff --git a/debian/patches/CVE-2024-57965.patch
b/debian/patches/CVE-2024-57965.patch
new file mode 100644
index 0000000..a1d9478
--- /dev/null
+++ b/debian/patches/CVE-2024-57965.patch
@@ -0,0 +1,91 @@
+Description: use URL API instead of DOM to fix a potential vulnerability
warning
+Author: Dmitriy Mozgovoy <robotsh...@gmail.com>
+Origin: upstream, https://github.com/axios/axios/commit/0a8d6e19
+Bug: https://github.com/axios/axios/issues/6714
+Bug-Debian: https://bugs.debian.org/1094731
+Forwarded: not-needed
+Applied-Upstream: 1.7.8, commit:0a8d6e19
+Reviewed-By: Yadd <y...@debian.org>
+Last-Update: 2025-01-30
+
+--- a/lib/helpers/isURLSameOrigin.js
++++ b/lib/helpers/isURLSameOrigin.js
+@@ -1,67 +1,16 @@
+ 'use strict';
+
+-import utils from './../utils.js';
+ import platform from '../platform/index.js';
+
+-export default platform.isStandardBrowserEnv ?
++export default platform.hasStandardBrowserEnv ? ((origin, isMSIE) => (url) =>
{
++ url = new URL(url, platform.origin);
+
+-// Standard browser envs have full support of the APIs needed to test
+-// whether the request URL is of the same origin as current location.
+- (function standardBrowserEnv() {
+- const msie = /(msie|trident)/i.test(navigator.userAgent);
+- const urlParsingNode = document.createElement('a');
+- let originURL;
+-
+- /**
+- * Parse a URL to discover it's components
+- *
+- * @param {String} url The URL to be parsed
+- * @returns {Object}
+- */
+- function resolveURL(url) {
+- let href = url;
+-
+- if (msie) {
+- // IE needs attribute set twice to normalize properties
+- urlParsingNode.setAttribute('href', href);
+- href = urlParsingNode.href;
+- }
+-
+- urlParsingNode.setAttribute('href', href);
+-
+- // urlParsingNode provides the UrlUtils interface -
http://url.spec.whatwg.org/#urlutils
+- return {
+- href: urlParsingNode.href,
+- protocol: urlParsingNode.protocol ?
urlParsingNode.protocol.replace(/:$/, '') : '',
+- host: urlParsingNode.host,
+- search: urlParsingNode.search ? urlParsingNode.search.replace(/^\?/,
'') : '',
+- hash: urlParsingNode.hash ? urlParsingNode.hash.replace(/^#/, '') :
'',
+- hostname: urlParsingNode.hostname,
+- port: urlParsingNode.port,
+- pathname: (urlParsingNode.pathname.charAt(0) === '/') ?
+- urlParsingNode.pathname :
+- '/' + urlParsingNode.pathname
+- };
+- }
+-
+- originURL = resolveURL(window.location.href);
+-
+- /**
+- * Determine if a URL shares the same origin as the current location
+- *
+- * @param {String} requestURL The URL to test
+- * @returns {boolean} True if URL shares the same origin, otherwise false
+- */
+- return function isURLSameOrigin(requestURL) {
+- const parsed = (utils.isString(requestURL)) ? resolveURL(requestURL) :
requestURL;
+- return (parsed.protocol === originURL.protocol &&
+- parsed.host === originURL.host);
+- };
+- })() :
+-
+- // Non standard browser envs (web workers, react-native) lack needed
support.
+- (function nonStandardBrowserEnv() {
+- return function isURLSameOrigin() {
+- return true;
+- };
+- })();
++ return (
++ origin.protocol === url.protocol &&
++ origin.host === url.host &&
++ (isMSIE || origin.port === url.port)
++ );
++})(
++ new URL(platform.origin),
++ platform.navigator && /(msie|trident)/i.test(platform.navigator.userAgent)
++) : () => true;
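Review bot: The rewritten module keys the same-origin check on `platform.hasStandardBrowserEnv`, `platform.origin` and `platform.navigator` (lines 141, 143, 217–218), while the xhr.js hunk in this same debdiff still tests `platform.isStandardBrowserEnv` (line 79), which suggests the 1.2.1 platform module does not define those newer properties; `lib/platform/` is not in this diff, so this needs confirming before upload. If `hasStandardBrowserEnv` is undefined in this tree, the ternary silently takes the `() => true` branch in every environment, `isURLSameOrigin(fullPath)` in xhr.js is always true, and the XSRF cookie value is sent to every origin — reintroducing CVE-2023-45857 without even the old `withCredentials` condition. Either add the missing properties to the backported platform module, or write the helper against what 1.2.1 exposes: `export default platform.isStandardBrowserEnv ? ((origin, isMSIE) => (url) => {`, `url = new URL(url, window.location.href);`, and `new URL(window.location.href), /(msie|trident)/i.test(navigator.userAgent)`. The cross-origin case in test/specs/xsrf.spec.js (lines 96–113) would catch this regression if the browser test suite is run, so it is worth running once against the patched tree.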
diff --git a/debian/patches/series b/debian/patches/series
index f2cc651..120eb8d 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -2,3 +2,5 @@ privacy.patch
update-test-for-formidable-3.patch
update-rollup-plugins.patch
reproducible.patch
+CVE-2023-45857.patch
+CVE-2024-57965.patch