[Pkg-javascript-devel] Bug#986175: unblock: underscore/1.9.1~dfsg-2

Yadd yadd at debian.org
Tue Mar 30 21:49:43 BST 2021


Package: release.debian.org
Severity: normal
User: release.debian.org at packages.debian.org
Usertags: unblock
X-Debbugs-Cc: pkg-javascript-devel at lists.alioth.debian.org

Please unblock package underscore

[ Reason ]
underscore is vulnerable to arbitrary code execution when an attacker can
influence `_.templateSettings.variable` (#986171, CVE-2021-23358)

[ Impact ]
The CVE advisory provides a PoC demonstrating arbitrary code execution; it is
reused in debian/tests/CVE-2021-23358.js

[ Tests ]
I added an autopkgtest (based on the PoC) that proves the bug is fixed. The
test fails with 1.9.1~dfsg-1 and passes with 1.9.1~dfsg-2

[ Risks ]
The patch is small: it rejects any `variable` setting that is not a bare
identifier before the value reaches `new Function`. Note: I also imported the
Debian Janitor changes (debhelper compat bump, upstream metadata); they do not
touch the library code

[ Checklist ]
  [X] all changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in testing

[ Other ]
I marked the existing autopkgtest as "superficial", since it only ran a node
`require` and exercised nothing else. That is also why I'm filing this unblock
request explicitly ;-)

Regards,
Yadd

unblock underscore/1.9.1~dfsg-2
diff --git a/debian/changelog b/debian/changelog
index 02cd807..fed9aa8 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,26 @@
+underscore (1.9.1~dfsg-2) unstable; urgency=medium
+
+  * Team upload
+
+  [ Debian Janitor ]
+  * Bump debhelper dependency to >= 9, since that's what is used in
+    debian/compat.
+  * Bump debhelper from old 9 to 12.
+  * Set debhelper-compat version in Build-Depends.
+  * Set upstream metadata fields: Bug-Database, Repository, Repository-
+    Browse.
+  * Update standards version to 4.4.1, no changes needed.
+  * Set upstream metadata fields: Bug-Submit.
+  * Update standards version to 4.5.0, no changes needed.
+  * Apply multi-arch hints.
+    + node-underscore: Add Multi-Arch: foreign.
+
+  [ Yadd ]
+  * Mark autopkgtest as superficial
+  * Fix arbitrary code execution and add a test (Closes: #986171)
+
+ -- Yadd <yadd at debian.org>  Tue, 30 Mar 2021 22:40:59 +0200
+
 underscore (1.9.1~dfsg-1) unstable; urgency=medium
 
   [ upstream ]
diff --git a/debian/compat b/debian/compat
deleted file mode 100644
index ec63514..0000000
--- a/debian/compat
+++ /dev/null
@@ -1 +0,0 @@
-9
diff --git a/debian/control b/debian/control
index cb1e7e9..fc1d26b 100644
--- a/debian/control
+++ b/debian/control
@@ -7,11 +7,11 @@ Uploaders:
  David Paleino <dapal at debian.org>,
 Build-Depends:
  brotli,
- debhelper,
+ debhelper-compat (= 12),
  node-source-map,
  pigz,
  uglifyjs (>= 3),
-Standards-Version: 4.3.0
+Standards-Version: 4.5.0
 Homepage: https://underscorejs.org/
 Vcs-Browser: https://salsa.debian.org/js-team/underscore
 Vcs-Git: https://salsa.debian.org/js-team/underscore.git
@@ -44,6 +44,7 @@ Depends:
  libjs-underscore,
  nodejs,
  ${misc:Depends},
+Multi-Arch: foreign
 Description: JavaScript's functional programming helper library - NodeJS
  Underscore is a utility-belt library for JavaScript that provides a lot
  of the functional programming support that you would expect in
diff --git a/debian/patches/CVE-2021-23358.patch b/debian/patches/CVE-2021-23358.patch
new file mode 100644
index 0000000..2ba4118
--- /dev/null
+++ b/debian/patches/CVE-2021-23358.patch
@@ -0,0 +1,62 @@
+Description: fix arbitrary code execution
+Author: Julian Gonggrijp <dev at juliangonggrijp.com>
+Origin: upstream, https://github.com/jashkenas/underscore/commit/4c73526d
+Bug: https://snyk.io/vuln/SNYK-JS-UNDERSCORE-1080984
+Bug-Debian: https://bugs.debian.org/986171
+Forwarded: not-needed
+Reviewed-By: Xavier Guimard <yadd at debian.org>
+Last-Update: 2021-03-30
+
+--- a/underscore.js
++++ b/underscore.js
+@@ -1550,6 +1550,13 @@
+     return '\\' + escapes[match];
+   };
+ 
++  // In order to prevent third-party code injection through
++  // `_.templateSettings.variable`, we test it against the following regular
++  // expression. It is intentionally a bit more liberal than just matching valid
++  // identifiers, but still prevents possible loopholes through defaults or
++  // destructuring assignment.
++  var bareIdentifier = /^\s*(\w|\$)+\s*$/;
++
+   // JavaScript micro-templating, similar to John Resig's implementation.
+   // Underscore templating handles arbitrary delimiters, preserves whitespace,
+   // and correctly escapes quotes within interpolated code.
+@@ -1585,8 +1592,17 @@
+     });
+     source += "';\n";
+ 
+-    // If a variable is not specified, place data values in local scope.
+-    if (!settings.variable) source = 'with(obj||{}){\n' + source + '}\n';
++    var argument = settings.variable;
++    if (argument) {
++      // Insure against third-party code injection.
++      if (!bareIdentifier.test(argument)) throw new Error(
++        'variable is not a bare identifier: ' + argument
++      );
++    } else {
++      // If a variable is not specified, place data values in local scope.
++      source = 'with(obj||{}){\n' + source + '}\n';
++      argument = 'obj';
++    }
+ 
+     source = "var __t,__p='',__j=Array.prototype.join," +
+       "print=function(){__p+=__j.call(arguments,'');};\n" +
+@@ -1594,7 +1610,7 @@
+ 
+     var render;
+     try {
+-      render = new Function(settings.variable || 'obj', '_', source);
++      render = new Function(argument, '_', source);
+     } catch (e) {
+       e.source = source;
+       throw e;
+@@ -1605,7 +1621,6 @@
+     };
+ 
+     // Provide the compiled source as a convenience for precompilation.
+-    var argument = settings.variable || 'obj';
+     template.source = 'function(' + argument + '){\n' + source + '}';
+ 
+     return template;
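Review bot: The `bareIdentifier` allowlist added in this hunk is sound as an injection guard — `\w`, `$` and `\s` are disjoint classes, so `^\s*(\w|\$)+\s*$` cannot backtrack catastrophically on a long attacker-supplied string — but `(\w|\$)+` reads more clearly as the equivalent class `[\w$]+`, which states the allowlist intent directly. The regex also admits values that are not valid parameter names (`1x`, `this`); those are not injectable, they merely make `new Function(argument, '_', source)` throw a SyntaxError, which the existing try/catch rethrows with `e.source` attached, so the failure mode is acceptable but worth a sentence in the comment above the regex. I would also extend that comment to say that only `settings.variable` is validated here: the template text itself is compiled into a function by design and must never be attacker-controlled. `_.template` starts and ends outside this hunk.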
diff --git a/debian/patches/series b/debian/patches/series
index da362d2..7ddac86 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1 +1,2 @@
 2001_docs_privacy.patch
+CVE-2021-23358.patch
diff --git a/debian/tests/CVE-2021-23358 b/debian/tests/CVE-2021-23358
new file mode 100755
index 0000000..a2ae590
--- /dev/null
+++ b/debian/tests/CVE-2021-23358
@@ -0,0 +1,11 @@
+#!/bin/sh
+
+if node debian/tests/CVE-2021-23358.js 2>/dev/null; then
+	rm -f HELLO
+	echo 'Vulnerable to CVE-2021-23358' >&2
+	exit 1
+else
+	echo
+	echo 'Not vulnerable to CVE-2021-23358'
+	exit 0
+fi
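Review bot: The wrapper decides "not vulnerable" from `node` exiting non-zero with stderr discarded (`2>/dev/null`), so a broken install — `underscore` not resolvable, a syntax error in the PoC — passes as fixed, and the `HELLO` marker is only cleaned up on the vulnerable branch, so a stale file from a previous run is never removed. Keeping stderr visible, clearing the marker first and checking for the side effect itself makes the test evidence the actual exploit outcome rather than any exit status. A rewrite of the script body along those lines:
```shell
rm -f HELLO
# Leave stderr visible: an unrelated failure (missing module, syntax error)
# must not be mistaken for the CVE fix being present.
if node debian/tests/CVE-2021-23358.js; then
	rm -f HELLO
	echo 'Vulnerable to CVE-2021-23358 (payload compiled and ran)' >&2
	exit 1
fi
# The only direct evidence of exploitation is the file the payload creates.
if [ -e HELLO ]; then
	rm -f HELLO
	echo 'Vulnerable to CVE-2021-23358 (HELLO was created)' >&2
	exit 1
fi
echo 'Not vulnerable to CVE-2021-23358'
```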
diff --git a/debian/tests/CVE-2021-23358.js b/debian/tests/CVE-2021-23358.js
new file mode 100644
index 0000000..fad7c77
--- /dev/null
+++ b/debian/tests/CVE-2021-23358.js
@@ -0,0 +1,3 @@
+const _ = require('underscore');
+_.templateSettings.variable = "a = this.process.mainModule.require('child_process').execSync('touch HELLO')";
+const t = _.template("")();
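Review bot: `t` on the last line is assigned but never read, and with the patch applied `_.template("")` throws before the returned function is invoked, so the trailing `()` only matters on the vulnerable build. More importantly the script treats every thrown error alike; since the wrapper maps "node exited non-zero" to "not vulnerable", an unrelated error is reported as the fix being present. Catching the error, recognising the allowlist rejection the patch introduces, and failing closed on anything else keeps the test meaningful under the wrapper's current exit-status contract (0 = vulnerable):
```javascript
try {
  _.template("")();
} catch (e) {
  // The fix for CVE-2021-23358 rejects the variable before it reaches
  // new Function; only that rejection counts as "not vulnerable".
  if (/bare identifier/.test(String(e.message))) process.exit(1);
  // Any other error leaves the state unknown: fail closed so it is investigated.
  console.error('unexpected error (not the CVE-2021-23358 guard):', e);
  process.exit(0);
}
// Reaching here means the payload was compiled and executed.
process.exit(0);
```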
diff --git a/debian/tests/control b/debian/tests/control
index 7275831..868aa31 100644
--- a/debian/tests/control
+++ b/debian/tests/control
@@ -1 +1,7 @@
 Test-Command: node -e "require('underscore');"
+Depends: @
+Restrictions: superficial
+
+Tests: CVE-2021-23358
+Depends: @
+Restrictions: superficial
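Review bot: The `CVE-2021-23358` stanza is marked `Restrictions: superficial`, but unlike the bare `require` check above it, that test exercises `_.template` end to end and fails on the unpatched library, so it does provide real coverage. Marking it superficial means its pass is not counted as evidence by migration tooling; dropping the line from that stanza only, `Tests: CVE-2021-23358` / `Depends: @`, would let the regression test count while keeping the smoke test superficial.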
diff --git a/debian/upstream/metadata b/debian/upstream/metadata
new file mode 100644
index 0000000..ae91ed7
--- /dev/null
+++ b/debian/upstream/metadata
@@ -0,0 +1,4 @@
+Bug-Database: https://github.com/jashkenas/underscore/issues
+Repository: https://github.com/jashkenas/underscore.git
+Repository-Browse: https://github.com/jashkenas/underscore
+Bug-Submit: https://github.com/jashkenas/underscore/issues/new

