Hi, here is a simple patch for this issue
Best regards,
Xavier

On 8/17/24 16:34, Salvatore Bonaccorso wrote:
> Source: gettext.js
> Version: 0.7.0-3
> Severity: grave
> Tags: security upstream
> X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
>
> Hi,
>
> The following vulnerability was published for gettext.js.
>
> CVE-2024-43370[0]:
> | gettext.js is a GNU gettext port for node and the browser. There is
> | a cross-site scripting (XSS) injection if `.po` dictionary
> | definition files are corrupted. This vulnerability has been patched
> | in version 2.0.3. As a workaround, control the origin of the
> | definition catalog to prevent the use of this flaw in the definition
> | of plural forms.
>
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>
> For further information see:
>
> [0] https://security-tracker.debian.org/tracker/CVE-2024-43370
>     https://www.cve.org/CVERecord?id=CVE-2024-43370
> [1] https://github.com/guillaumepotier/gettext.js/security/advisories/GHSA-vwhg-jwr4-vxgg
> [2] https://github.com/guillaumepotier/gettext.js/commit/6e52e0f8fa7d7c8b358e78b613d47ea332b8a56c
>
> Regards,
> Salvatore
diff --git a/debian/changelog b/debian/changelog index 940e493..ce3e02c 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +gettext.js (0.7.0-3+deb12u1) bookworm-security; urgency=medium + + * Team upload + * Fix SSRF issue (Closes: #1078880, CVE-2024-43370) + + -- Yadd <y...@debian.org> Sat, 17 Aug 2024 18:58:13 +0400 + gettext.js (0.7.0-3) unstable; urgency=medium [ Debian Janitor ] diff --git a/debian/patches/CVE-2024-43370.patch b/debian/patches/CVE-2024-43370.patch new file mode 100644 index 0000000..84a3004 --- /dev/null +++ b/debian/patches/CVE-2024-43370.patch 
@@ -0,0 +1,36 @@ +Description: Fix valid plural regex check +Author: Guillaume Potier <cobalt2...@gmail.com> +Origin: upstream, https://github.com/guillaumepotier/gettext.js/commit/6e52e0f8 +Bug: https://github.com/guillaumepotier/gettext.js/security/advisories/GHSA-vwhg-jwr4-vxgg +Bug-Debian: https://bugs.debian.org/1078880 +Forwarded: not-needed +Applied-Upstream: 2.0.3, commit:6e52e0f8 +Reviewed-By: Yadd <y...@debian.org> +Last-Update: 2024-08-17 + +--- a/dist/gettext.js ++++ b/dist/gettext.js +@@ -57,7 +57,9 @@ + // plural forms list available here http://localization-guide.readthedocs.org/en/latest/l10n/pluralforms.html + var pf_re = new RegExp('^\\s*nplurals\\s*=\\s*[0-9]+\\s*;\\s*plural\\s*=\\s*(?:\\s|[-\\?\\|&=!<>+*/%:;n0-9_\(\)])+'); + +- if (!pf_re.test(plural_form)) ++ var match = plural_form.match(pf_re); ++ ++ if (!match || match[0] !== plural_form) + throw new Error(strfmt('The plural form "%1" is not valid', plural_form)); + + // Careful here, this is a hidden eval() equivalent.. +--- a/lib/gettext.js ++++ b/lib/gettext.js +@@ -74,7 +74,9 @@ + // plural forms list available here http://localization-guide.readthedocs.org/en/latest/l10n/pluralforms.html + var pf_re = new RegExp('^\\s*nplurals\\s*=\\s*[0-9]+\\s*;\\s*plural\\s*=\\s*(?:\\s|[-\\?\\|&=!<>+*/%:;n0-9_\(\)])+'); + +- if (!pf_re.test(plural_form)) ++ var match = plural_form.match(pf_re); ++ ++ if (!match || match[0] !== plural_form) + throw new Error(strfmt('The plural form "%1" is not valid', plural_form)); + + // Careful here, this is a hidden eval() equivalent.. diff --git a/debian/patches/series b/debian/patches/series new file mode 100644 index 0000000..ee0df62 --- /dev/null +++ b/debian/patches/series @@ -0,0 +1 @@ +CVE-2024-43370.patch
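Review bot: the debian/changelog hunk labels the fix "Fix SSRF issue", but CVE-2024-43370 as quoted in the bug report is a cross-site scripting (XSS) issue in the validation of `.po` plural-forms definitions, not server-side request forgery; suggest `* Fix XSS issue (Closes: #1078880, CVE-2024-43370)` so the changelog, the DEP-3 description ("Fix valid plural regex check") and the CVE text agree, since the changelog line is what ends up in the security announcement.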
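Review bot: in the dist/gettext.js and lib/gettext.js hunks, the new `if (!match || match[0] !== plural_form)` comparison closes the hole only because `pf_re` is anchored with `^` but has no trailing `$`: the old `pf_re.test(plural_form)` accepted any string whose prefix looked like a valid plural form, so whatever followed that prefix (characters outside the allowlist included) reached the "hidden eval() equivalent" a few lines below. Comparing `match[0]` with the whole string is equivalent to appending `$` to the pattern; either is fine, but a one-line comment on the `if` saying that a prefix match is not sufficient would help the next reader, because the regex's own `^` makes the previous test look complete. Keeping dist/ and lib/ in lockstep is correct since both copies carry the check.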
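To make the advisory's point concrete, the following is an added example (not gettext.js code and not part of the mail) that reproduces the `pf_re` pattern from the patch and contrasts the pre-patch prefix-only `test()` with the post-patch full-string match on constructed Plural-Forms headers. The `compilePluralForms` helper, the `new Function` evaluator and the sample headers are assumptions made for illustration; gettext.js's own evaluator is not shown in the patch.

```javascript
// Added example, not gettext.js code: why a prefix-only regex test on the
// Plural-Forms header lets attacker text reach the expression evaluator, and
// how a full-string match (the behaviour the patch introduces) rejects it.

// Same pattern as pf_re in the patch, written as a regex literal. Note the
// leading ^ and the missing trailing $.
const PF_RE = /^\s*nplurals\s*=\s*[0-9]+\s*;\s*plural\s*=\s*(?:\s|[-?|&=!<>+*\/%:;n0-9_()])+/;

// Pre-patch behaviour: RegExp.test() succeeds as soon as a valid prefix is
// found, so anything after that prefix is never inspected.
function isValidPluralFormPrefixOnly(pluralForm) {
  return PF_RE.test(pluralForm);
}

// Post-patch behaviour: the matched text must be the whole header.
function isValidPluralFormFull(pluralForm) {
  const match = pluralForm.match(PF_RE);
  return match !== null && match[0] === pluralForm;
}

// Assumed here for illustration: after validation the expression is compiled
// with new Function, standing in for the "hidden eval() equivalent" the patch
// comments refer to (gettext.js's actual evaluator is not shown).
function compilePluralForms(pluralForm) {
  if (!isValidPluralFormFull(pluralForm)) {
    throw new Error('The plural form "' + pluralForm + '" is not valid');
  }
  const nplurals = parseInt(/nplurals\s*=\s*([0-9]+)/.exec(pluralForm)[1], 10);
  // Everything after "plural=", minus trailing whitespace and semicolons.
  const expr = pluralForm.replace(/^.*?plural\s*=\s*/, '').replace(/[\s;]+$/, '');
  // The allowlist admits only n, digits, whitespace and operators, so the
  // compiled function cannot name document, alert, fetch or any other global.
  const plural = new Function('n', 'return Number(' + expr + ');');
  return { nplurals, plural };
}

// Constructed sample headers (not taken from a real catalog).
const HEADER_ENGLISH = 'nplurals=2; plural=(n != 1);';
const HEADER_RUSSIAN =
  'nplurals=3; plural=(n%10==1 && n%100!=11 ? 0 : n%10>=2 && n%10<=4 && (n%100<10 || n%100>=20) ? 1 : 2);';
// A corrupted catalog: a valid prefix followed by arbitrary JavaScript. The
// payload is inert text here; the point is that the prefix check lets it through.
const HEADER_TAMPERED =
  'nplurals=2; plural=(n != 1); document.body.innerHTML = "<img src=x onerror=alert(1)>"';

function demo() {
  return {
    prefixAcceptsTampered: isValidPluralFormPrefixOnly(HEADER_TAMPERED), // true
    fullAcceptsTampered: isValidPluralFormFull(HEADER_TAMPERED),         // false
    english: [0, 1, 2, 5].map(compilePluralForms(HEADER_ENGLISH).plural),      // [1, 0, 1, 1]
    russian: [1, 3, 5, 11, 21].map(compilePluralForms(HEADER_RUSSIAN).plural), // [0, 1, 2, 2, 0]
  };
}

console.log(demo());
```

The tampered header is exactly the shape the advisory's workaround ("control the origin of the definition catalog") guards against: with the prefix-only test the whole header string, trailing script included, would be handed to the evaluator, whereas the full-string comparison throws before any code is compiled.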
--
Pkg-javascript-devel mailing list
Pkg-javascript-devel@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel