Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian....@packages.debian.org
Usertags: pu
X-Debbugs-Cc: node-webp...@packages.debian.org
Control: affects -1 + src:node-webpack

[ Reason ]
node-webpack is vulnerable to cross-realm object access
(#1032904, CVE-2023-28154).

[ Impact ]
Medium security issue

[ Tests ]
Test updated, passed

[ Risks ]
Low risk, patch is trivial

[ Checklist ]
  [X] all changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

Regards,
Yadd
diff --git a/debian/changelog b/debian/changelog
index 0053d7ee..a07dd9d4 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+node-webpack (5.75.0+dfsg+~cs17.16.14-1+deb12u1) bookworm; urgency=medium
+
+  * Team upload
+  * Avoid cross-realm objects (Closes: #1032904, CVE-2023-28154)
+
+ -- Yadd <y...@debian.org>  Mon, 29 May 2023 07:53:16 +0400
+
 node-webpack (5.75.0+dfsg+~cs17.16.14-1) unstable; urgency=medium
 
   * Team upload
diff --git a/debian/patches/CVE-2023-28154.patch 
b/debian/patches/CVE-2023-28154.patch
new file mode 100644
index 00000000..2f651167
--- /dev/null
+++ b/debian/patches/CVE-2023-28154.patch
@@ -0,0 +1,80 @@
+Description: avoid cross-realm objects
+Author: Jack Works <jackwo...@protonmail.com>
+Origin: upstream, https://github.com/webpack/webpack/commit/4b4ca3bb
+Bug: https://www.cve.org/CVERecord?id=CVE-2023-28154
+Bug-Debian: https://bugs.debian.org/1032904
+Forwarded: not-needed
+Applied-Upstream: 5.76.1, commit:4b4ca3bb
+Reviewed-By: Yadd <y...@debian.org>
+Last-Update: 2023-05-29
+
+--- a/lib/dependencies/ImportParserPlugin.js
++++ b/lib/dependencies/ImportParserPlugin.js
+@@ -137,7 +137,7 @@
+                               if (importOptions.webpackInclude !== undefined) 
{
+                                       if (
+                                               !importOptions.webpackInclude ||
+-                                              
importOptions.webpackInclude.constructor.name !== "RegExp"
++                                              !(importOptions.webpackInclude 
instanceof RegExp)
+                                       ) {
+                                               parser.state.module.addWarning(
+                                                       new 
UnsupportedFeatureWarning(
+@@ -146,13 +146,13 @@
+                                                       )
+                                               );
+                                       } else {
+-                                              include = new 
RegExp(importOptions.webpackInclude);
++                                              include = 
importOptions.webpackInclude;
+                                       }
+                               }
+                               if (importOptions.webpackExclude !== undefined) 
{
+                                       if (
+                                               !importOptions.webpackExclude ||
+-                                              
importOptions.webpackExclude.constructor.name !== "RegExp"
++                                              !(importOptions.webpackExclude 
instanceof RegExp)
+                                       ) {
+                                               parser.state.module.addWarning(
+                                                       new 
UnsupportedFeatureWarning(
+@@ -161,7 +161,7 @@
+                                                       )
+                                               );
+                                       } else {
+-                                              exclude = new 
RegExp(importOptions.webpackExclude);
++                                              exclude = 
importOptions.webpackExclude;
+                                       }
+                               }
+                               if (importOptions.webpackExports !== undefined) 
{
+--- a/lib/javascript/JavascriptParser.js
++++ b/lib/javascript/JavascriptParser.js
+@@ -3635,17 +3635,27 @@
+                       return EMPTY_COMMENT_OPTIONS;
+               }
+               let options = {};
++              /** @type {unknown[]} */
+               let errors = [];
+               for (const comment of comments) {
+                       const { value } = comment;
+                       if (value && webpackCommentRegExp.test(value)) {
+                               // try compile only if webpack options comment 
is present
+                               try {
+-                                      const val = 
vm.runInNewContext(`(function(){return {${value}};})()`);
+-                                      Object.assign(options, val);
++                                      for (let [key, val] of Object.entries(
++                                              
vm.runInNewContext(`(function(){return {${value}};})()`)
++                                      )) {
++                                              if (typeof val === "object" && 
val !== null) {
++                                                      if 
(val.constructor.name === "RegExp") val = new RegExp(val);
++                                                      else val = 
JSON.parse(JSON.stringify(val));
++                                              }
++                                              options[key] = val;
++                                      }
+                               } catch (e) {
+-                                      e.comment = comment;
+-                                      errors.push(e);
++                                      const newErr = new 
Error(String(e.message));
++                                      newErr.stack = String(e.stack);
++                                      Object.assign(newErr, { comment });
++                                      errors.push(newErr);
+                               }
+                       }
+               }
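Review bot: In the JavascriptParser.js part of this patch, the value returned by `vm.runInNewContext` is still classified with `val.constructor.name === "RegExp"`, the same name-based test the patch removes from ImportParserPlugin.js, and a constructor name is only a property that any object created by the comment can carry. A brand check that works across contexts is stricter: `if (util.types.isRegExp(val)) val = new RegExp(val); else val = JSON.parse(JSON.stringify(val));`, assuming `util` is or can be required in this file, whose import block is outside the hunk. A short comment above the loop should say that every value is deliberately rebuilt in the main context, because the new `instanceof RegExp` tests in ImportParserPlugin.js only accept regular expressions re-created here. The enclosing method starts and ends outside the hunk. Magic comments are still evaluated as code through `vm`, which Node documents as not being a security mechanism, so building untrusted sources remains a risk after this fix.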
diff --git a/debian/patches/series b/debian/patches/series
index 16f26f45..dd57ffb6 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -4,3 +4,4 @@ webpack-cli-path.patch
 terser-webpack-plugin.patch
 fix-for-jest-29.patch
 fix-tsconfig.patch
+CVE-2023-28154.patch