Package: release.debian.org
Severity: normal
Tags: bullseye
X-Debbugs-Cc: gettext...@packages.debian.org, y...@debian.org
Control: affects -1 + src:gettext.js
User: release.debian....@packages.debian.org
Usertags: pu
[ Reason ]
gettext is vulnerable to an SSRF issue (#1078880, CVE-2024-43370)

[ Impact ]
Medium security issue

[ Tests ]
Test passed

[ Risks ]
Low risk, patch is trivial

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
Improve regex test

Best regards,
Xavier
diff --git a/debian/changelog b/debian/changelog index 1cd30f8..5e44abe 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +gettext.js (0.7.0-2+deb11u1) bullseye; urgency=medium + + * Team upload + * Fix SSRF issue (Closes: #1078880, CVE-2024-43370) + + -- Yadd <y...@debian.org> Tue, 20 Aug 2024 17:26:52 +0400 + gettext.js (0.7.0-2) unstable; urgency=medium * Team upload diff --git a/debian/patches/CVE-2024-43370.patch b/debian/patches/CVE-2024-43370.patch new file mode 100644 index 0000000..84a3004 --- /dev/null +++ b/debian/patches/CVE-2024-43370.patch 
@@ -0,0 +1,36 @@ +Description: Fix valid plural regex check +Author: Guillaume Potier <cobalt2...@gmail.com> +Origin: upstream, https://github.com/guillaumepotier/gettext.js/commit/6e52e0f8 +Bug: https://github.com/guillaumepotier/gettext.js/security/advisories/GHSA-vwhg-jwr4-vxgg +Bug-Debian: https://bugs.debian.org/1078880 +Forwarded: not-needed +Applied-Upstream: 2.0.3, commit:6e52e0f8 +Reviewed-By: Yadd <y...@debian.org> +Last-Update: 2024-08-17 + +--- a/dist/gettext.js ++++ b/dist/gettext.js +@@ -57,7 +57,9 @@ + // plural forms list available here http://localization-guide.readthedocs.org/en/latest/l10n/pluralforms.html + var pf_re = new RegExp('^\\s*nplurals\\s*=\\s*[0-9]+\\s*;\\s*plural\\s*=\\s*(?:\\s|[-\\?\\|&=!<>+*/%:;n0-9_\(\)])+'); + +- if (!pf_re.test(plural_form)) ++ var match = plural_form.match(pf_re); ++ ++ if (!match || match[0] !== plural_form) + throw new Error(strfmt('The plural form "%1" is not valid', plural_form)); + + // Careful here, this is a hidden eval() equivalent.. +--- a/lib/gettext.js ++++ b/lib/gettext.js +@@ -74,7 +74,9 @@ + // plural forms list available here http://localization-guide.readthedocs.org/en/latest/l10n/pluralforms.html + var pf_re = new RegExp('^\\s*nplurals\\s*=\\s*[0-9]+\\s*;\\s*plural\\s*=\\s*(?:\\s|[-\\?\\|&=!<>+*/%:;n0-9_\(\)])+'); + +- if (!pf_re.test(plural_form)) ++ var match = plural_form.match(pf_re); ++ ++ if (!match || match[0] !== plural_form) + throw new Error(strfmt('The plural form "%1" is not valid', plural_form)); + + // Careful here, this is a hidden eval() equivalent.. diff --git a/debian/patches/series b/debian/patches/series new file mode 100644 index 0000000..ee0df62 --- /dev/null +++ b/debian/patches/series @@ -0,0 +1 @@ +CVE-2024-43370.patch
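Review bot: the changelog entry in the debian/changelog hunk only says "Fix SSRF issue (Closes: #1078880, CVE-2024-43370)", while the patch's own Description reads "Fix valid plural regex check"; consider stating in the changelog what actually changed (the plural-form check now requires the whole string to match pf_re), so that someone reading the stable update knows which input path was tightened without opening the patch.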
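Review bot: the logic of the CVE-2024-43370.patch hunk is sound, and it is worth recording why in the patch Description: pf_re is anchored with `^` but has no `$`, so `pf_re.test(plural_form)` accepted any string whose prefix matched and let the remainder reach the "hidden eval() equivalent" noted just below; replacing the test with `var match = plural_form.match(pf_re);` and `if (!match || match[0] !== plural_form)` enforces a whole-string match, and because the trailing `(?:...)+` is greedy, `match[0]` is the longest matching prefix, so a fully valid plural form is never rejected. The identical two-line change is applied to both dist/gettext.js and lib/gettext.js; confirm that the Debian build does not regenerate dist/ from lib/, since in that case the dist/ hunk is redundant (harmless, but it would be dropped if the patch is ever refreshed against a rebuilt dist).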
-- Pkg-javascript-devel mailing list Pkg-javascript-devel@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel