Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: node-y...@packages.debian.org
Control: affects -1 + src:node-yaml
Please unblock package node-yaml

[ Reason ]
node-yaml is vulnerable to Denial-of-Service (#1035580, CVE-2023-2251)

[ Impact ]
Medium security issue

[ Tests ]
New tests added:
 - by upstream in the CVE-2023-2251.patch file
 - by myself in autopkgtest using code provided to prove the issue

You can verify using https://salsa.debian.org/js-team/node-yaml/-/pipelines
that the CVE is fixed by this patch.

[ Risks ]
Low risk, patch is trivial (just fixes the line character count)

[ Checklist ]
  [X] all changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in testing

[ Others ]
This debdiff also includes:
  * little things from lintian-brush
  * a little test path fix because the test failed on platforms where the
    "debian" word was in the build root path (especially salsa)

Cheers,
Yadd

unblock node-yaml/2.1.3-2
diff --git a/debian/changelog b/debian/changelog index 3265e73..5d44f16 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,14 @@ +node-yaml (2.1.3-2) unstable; urgency=medium + + * Team upload + * Update lintian override info format in + d/source/lintian-overrides on line 2-7 + * Update standards version to 4.6.2, no changes needed + * Fix corner case failure in error pretty-printer + (Closes: #1035580, CVE-2023-2251) + + -- Yadd <y...@debian.org> Sun, 07 May 2023 00:10:19 +0400 + node-yaml (2.1.3-1) unstable; urgency=medium * Team upload diff --git a/debian/control b/debian/control index 0a7fe7e..e221de8 100644 --- a/debian/control +++ b/debian/control @@ -15,7 +15,7 @@ Build-Depends: , node-tslib <!nocheck> , node-typescript <!nocheck> , rollup -Standards-Version: 4.6.1 +Standards-Version: 4.6.2 Homepage: https://eemeli.org/yaml/ Vcs-Git: https://salsa.debian.org/js-team/node-yaml.git Vcs-Browser: https://salsa.debian.org/js-team/node-yaml diff --git a/debian/patches/CVE-2023-2251.patch b/debian/patches/CVE-2023-2251.patch new file mode 100644 index 0000000..0d8b1d4 --- /dev/null +++ b/debian/patches/CVE-2023-2251.patch 
@@ -0,0 +1,36 @@ +Description: fix: Corner case failure in error pretty-printer +Author: Eemeli Aro <eem...@gmail.com> +Origin: upstream, https://github.com/eemeli/yaml/commit/984f5781 +Bug: https://github.com/advisories/GHSA-f9xv-q969-pqx4 +Bug-Debian: https://bugs.debian.org/1035580 +Forwarded: not-needed +Applied-Upstream: 2.2.2, commit:984f5781 +Reviewed-By: Yadd <y...@debian.org> +Last-Update: 2023-05-06 + +--- a/src/errors.ts ++++ b/src/errors.ts +@@ -91,7 +91,7 @@ + let count = 1 + const end = error.linePos[1] + if (end && end.line === line && end.col > col) { +- count = Math.min(end.col - col, 80 - ci) ++ count = Math.max(1, Math.min(end.col - col, 80 - ci)) + } + const pointer = ' '.repeat(ci) + '^'.repeat(count) + error.message += `:\n\n${lineStr}\n${pointer}\n` +--- a/tests/doc/errors.js ++++ b/tests/doc/errors.js +@@ -341,6 +341,12 @@ + const doc = YAML.parseDocument(src, { prettyErrors: true }) + expect(doc.warnings).toMatchObject([{ name: 'YAMLWarning' }]) + }) ++ ++ test('repeated CR', () => { ++ const src = '[' + '\r'.repeat(80) ++ const doc = YAML.parseDocument(src, { prettyErrors: true }) ++ expect(doc.errors[0]).not.toHaveProperty('source') ++ }) + }) + + describe('tags on invalid nodes', () => { diff --git a/debian/patches/series b/debian/patches/series index 053c2da..e2d7781 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -1,2 +1,3 @@ fix-test.patch fix-for-rollup-3.patch +CVE-2023-2251.patch diff --git a/debian/source/lintian-overrides b/debian/source/lintian-overrides index 7c118d4..b78412d 100644 --- a/debian/source/lintian-overrides +++ b/debian/source/lintian-overrides 
@@ -1,10 +1,10 @@ # False positive: test data -source-is-missing *tests/doc/YAML-1.2.spec.js* -source-is-missing *tests/doc/foldFlowLines.js* -source-contains-prebuilt-javascript-object *tests/doc/YAML-1.2.spec.js* -source-contains-prebuilt-javascript-object *tests/doc/foldFlowLines.js* -source-is-missing *debian/tests/test_modules/* -source-contains-prebuilt-javascript-object *debian/tests/test_modules/* +source-is-missing [*tests/doc/YAML-1.2.spec.js*] +source-is-missing [*tests/doc/foldFlowLines.js*] +source-contains-prebuilt-javascript-object [*tests/doc/YAML-1.2.spec.js*] +source-contains-prebuilt-javascript-object [*tests/doc/foldFlowLines.js*] +source-is-missing [*debian/tests/test_modules/*] +source-contains-prebuilt-javascript-object [*debian/tests/test_modules/*] very-long-line-length-in-source-file *tests/doc/YAML-1.2.spec.js* very-long-line-length-in-source-file *tests/doc/foldFlowLines.js* very-long-line-length-in-source-file *debian/tests/test_modules/* diff --git a/debian/tests/CVE-2023-2251 b/debian/tests/CVE-2023-2251 new file mode 100755 index 0000000..819869e --- /dev/null +++ b/debian/tests/CVE-2023-2251 @@ -0,0 +1,6 @@ +#!/usr/bin/node + +process.chdir('/'); +const yaml = require("/usr/share/nodejs/yaml"); +const string = "[" + "\r".repeat(80); +yaml.parseDocument(string); diff --git a/debian/tests/control b/debian/tests/control new file mode 100644 index 0000000..34bba78 --- /dev/null +++ b/debian/tests/control @@ -0,0 +1,2 @@ +Tests: CVE-2023-2251 +Depends: @, nodejs diff --git a/debian/tests/pkg-js/test b/debian/tests/pkg-js/test index 8d2da7d..6bd4f1a 100644 --- a/debian/tests/pkg-js/test +++ b/debian/tests/pkg-js/test 
@@ -1,5 +1,5 @@ # Test -jest --config config/jest.config.js --ci --testPathIgnorePatterns tests/yaml-test-suite.ts tests/_utils.ts tests/json-test-suite.ts .pc/ debian/ +jest --config config/jest.config.js --ci --testPathIgnorePatterns tests/yaml-test-suite.ts tests/_utils.ts tests/json-test-suite.ts .pc/ debian/tests/ # Types test tsc --allowJs --moduleResolution node --noEmit --target es5 dist/index.js
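Review bot: in the src/errors.ts hunk, `Math.max(1, ...)` keeps `'^'.repeat()` from receiving a negative count, but the only way `80 - ci` drops below 1 is `ci >= 80`, and in that case the next line still emits `' '.repeat(ci)`, so the caret is pushed past the 80-column window the pointer is apparently meant to fit in. Consider clamping `ci` (or skipping the pointer) together with the count, and state in the patch `Description:` which input triggers the failure; the DEP-3 header only says "corner case".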
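Review bot: the new `repeated CR` test in tests/doc/errors.js asserts only `expect(doc.errors[0]).not.toHaveProperty('source')`, which says nothing about the regression it guards; it passes mainly because `parseDocument` no longer throws. A comment naming CVE-2023-2251, plus an assertion on the pretty-printed message (for example that `doc.errors[0].message` contains the pointer line), would keep the intent visible through the next refactor of the error formatter.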
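Review bot: the debian/source/lintian-overrides hunk moves six overrides to the bracketed `tag [pattern]` form but leaves the three `very-long-line-length-in-source-file` lines in the old unbracketed form. If lintian-brush left them alone on purpose, the changelog line "Update lintian override info format ... on line 2-7" should say why; otherwise convert all nine entries at once so the file does not mix both syntaxes.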
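Review bot: the debian/tests/CVE-2023-2251 script passes on nothing more than the absence of an uncaught exception; it never looks at the result of `yaml.parseDocument(string)`. Pass `{ prettyErrors: true }` explicitly, as the upstream test in the patch does, so the script keeps exercising the pretty-printer whatever the library default is, and check the returned document (for example `doc.errors.length > 0`, setting a non-zero exit code otherwise) so the test documents what it expects rather than only what must not crash. `process.chdir('/')` and the absolute `require("/usr/share/nodejs/yaml")` are the right way to make sure the installed package, not the source tree, is under test.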
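Review bot: in debian/tests/pkg-js/test, `debian/tests/` is still an unanchored regular expression for `--testPathIgnorePatterns`, so the change only narrows the pattern that bit the salsa build; a build root whose path contains `debian/tests/` would reproduce the failure. Anchoring the pattern to the source tree (jest accepts the `<rootDir>` token in this option, e.g. `<rootDir>/debian/`) excludes the Debian test directory without depending on where the tree is checked out, and the same reasoning applies to the bare `.pc/` pattern.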
-- 
Pkg-javascript-devel mailing list
Pkg-javascript-devel@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel
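The request above calls the patch "trivial (just fix line characters count)"; the following added example, which is not node-yaml code and not part of the original mail, isolates the pointer-construction step shown in the src/errors.ts hunk into a standalone function so the failure mode can be seen without the parser around it. `ci`, `col` and `endCol` stand in for the hunk's `ci`, `col` and `end.col`; the numeric inputs are constructed values, not columns measured from a real parse of `'[' + '\r'.repeat(80)`.

```javascript
// Added example (not node-yaml code): the pointer-construction step from
// src/errors.ts reduced to a standalone function, in its unpatched and
// patched forms. ci is the zero-based caret column, col/endCol the one-based
// start and end columns of the error span, mirroring the names in the hunk.

// Unpatched: count = Math.min(endCol - col, 80 - ci). Once the error starts
// at or past column 80, 80 - ci is zero or negative. Zero silently yields an
// empty caret; a negative count makes String.prototype.repeat throw a
// RangeError, which escapes the error formatter and takes the caller down.
function buildPointerUnpatched(ci, col, endCol) {
  let count = 1;
  if (endCol > col) {
    count = Math.min(endCol - col, 80 - ci);
  }
  return ' '.repeat(ci) + '^'.repeat(count);
}

// Patched: clamp the caret count to at least 1, as the hunk does. Note that
// ci itself is still unclamped, so the caret can land past column 80.
function buildPointerPatched(ci, col, endCol) {
  let count = 1;
  if (endCol > col) {
    count = Math.max(1, Math.min(endCol - col, 80 - ci));
  }
  return ' '.repeat(ci) + '^'.repeat(count);
}

// Run one input through both variants and report what each produced, or
// which exception the unpatched variant raised.
function compare(ci, col, endCol) {
  const result = {};
  try {
    result.unpatched = buildPointerUnpatched(ci, col, endCol);
  } catch (e) {
    result.unpatched = `${e.name}: ${e.message}`;
  }
  result.patched = buildPointerPatched(ci, col, endCol);
  return result;
}

// Constructed inputs (assumed values, not measured from node-yaml):
//   - a normal three-column span starting at column 5
//   - a span starting exactly at column 81 (80 - ci == 0, empty caret)
//   - a span starting past column 81 (80 - ci < 0, RangeError when unpatched)
const cases = [
  { ci: 4, col: 5, endCol: 8 },
  { ci: 80, col: 81, endCol: 82 },
  { ci: 81, col: 82, endCol: 83 },
];

for (const c of cases) {
  const r = compare(c.ci, c.col, c.endCol);
  console.log(JSON.stringify(c));
  console.log('  unpatched:', JSON.stringify(r.unpatched));
  console.log('  patched:  ', JSON.stringify(r.patched));
}
```

Run it with `node` to see the three outcomes side by side: identical pointers for an ordinary span, an empty caret versus a single caret at column 81, and a `RangeError` versus a single caret past column 81. The second case is worth keeping in mind when reviewing the fix: the clamp removes the crash, but the pretty-printer still places the caret wherever `ci` says, which is outside the 80-column excerpt whenever the clamp actually fires.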