Package: release.debian.org
Severity: normal
Tags: trixie
X-Debbugs-Cc: [email protected], [email protected]
Control: affects -1 + src:node-proxy-agents
User: [email protected]
Usertags: pu
[ Reason ]
node-proxy-agents embeds basic-ftp which is vulnerable to CVE-2026-27699[0]:
| The `basic-ftp` FTP client library for Node.js contains a path
| traversal vulnerability (CWE-22) in versions prior to 5.2.0 in the
| `downloadToDir()` method. A malicious FTP server can send directory
| listings with filenames containing path traversal sequences (`../`)
| that cause files to be written outside the intended download
| directory. Version 5.2.0 patches the issue.

[ Impact ]
High security issue

[ Tests ]
Tests pass, no new test.

[ Risks ]
Low risk, patch is trivial

[ Checklist ]
[X] *all* changes are documented in the d/changelog
[X] I reviewed all changes and I approve them
[X] attach debdiff against the package in (old)stable
[X] the issue is verified as fixed in unstable

[ Changes ]
Just verify that file target isn't outside main directory

Best regards,
Xavier
diff --git a/debian/changelog b/debian/changelog index 80e675c..e12d92e 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +node-proxy-agents (0~2024040606-6+deb13u1) trixie; urgency=medium + + * Team upload + * Fix basic-ftp traversal vulnerability (Closes: #1129093, CVE-2026-27699) + + -- Yadd <[email protected]> Fri, 27 Feb 2026 07:58:26 +0100 + node-proxy-agents (0~2024040606-6) unstable; urgency=medium * Team upload diff --git a/debian/patches/CVE-2026-27699.patch b/debian/patches/CVE-2026-27699.patch new file mode 100644 index 0000000..9b7d881 --- /dev/null +++ b/debian/patches/CVE-2026-27699.patch 
@@ -0,0 +1,32 @@ +From: Patrick Juchli <[email protected]> +Date: feb., 23 2026 09:01:12 +0100 +Subject: [PATCH] Skip invalid filenames +Origin: upstream, https://github.com/patrickjuchli/basic-ftp/commit/2a2a0e65 +Bug: https://github.com/patrickjuchli/basic-ftp/security/advisories/GHSA-5rq4-664w-9x2c +Bug-Debian: https://bugs.debian.org/1129093 +Forwarded: not-needed +Applied-Upstream: 5.2.0, commit:2a2a0e65 +Reviewed-By: Yadd <[email protected]> + +--- a/basic-ftp/src/Client.ts ++++ b/basic-ftp/src/Client.ts +@@ -1,5 +1,5 @@ + import { createReadStream, createWriteStream, mkdir, readdir, stat, open, close, unlink } from "fs" +-import { join } from "path" ++import { basename, join } from "path" + import { Readable, Writable } from "stream" + import { connect as connectTLS, ConnectionOptions as TLSConnectionOptions } from "tls" + import { promisify } from "util" +@@ -694,6 +694,12 @@ + protected async _downloadFromWorkingDir(localDirPath: string): Promise<void> { + await ensureLocalDirectory(localDirPath) + for (const file of await this.list()) { ++ const hasInvalidName = !file.name || basename(file.name) !== file.name ++ if (hasInvalidName) { ++ const safeName = JSON.stringify(file.name) ++ this.ftp.log(`Invalid filename from server listing, will skip file. (${safeName})`) ++ continue ++ } + const localPath = join(localDirPath, file.name) + if (file.isDirectory) { + await this.cd(file.name) diff --git a/debian/patches/series b/debian/patches/series index a1ce508..11cd8b5 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -3,3 +3,4 @@ use-quickjs-emscripten.patch tsc-workaround.patch 0004-Use-modern-lru-cache.patch 0005-get-uri-compilation.patch +CVE-2026-27699.patch
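Review bot: the `hasInvalidName` condition added to `_downloadFromWorkingDir` in the CVE-2026-27699.patch hunk does not reject the names `.` and `..`, because `basename("..")` returns `".."` and `basename(".")` returns `"."`, so both compare equal to `file.name`; a listing entry named `..` with `isDirectory` set would still reach `join(localDirPath, file.name)` and `this.cd(file.name)`, which points one level above the download directory. Unless the list parser is known to drop those entries before they reach this loop, consider extending the test to `const hasInvalidName = !file.name || file.name === "." || file.name === ".." || basename(file.name) !== file.name`. As a minor point on the same hunk, the patch header's `Date: feb., 23 2026 09:01:12 +0100` is a localised form rather than the RFC 2822 layout used by the changelog trailer (`Fri, 27 Feb 2026 07:58:26 +0100`), which is what `git am` and DEP-3 tooling expect.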

