[Pkg-javascript-devel] Bug#986171: underscore: CVE-2021-23358

Yadd yadd at debian.org
Tue Mar 30 22:00:00 BST 2021 

Le 30/03/2021 à 21:40, Salvatore Bonaccorso a écrit :
> Source: underscore
> Version: 1.9.1~dfsg-1
> Severity: grave
> Tags: security upstream
> Justification: user security hole
> X-Debbugs-Cc: carnil at debian.org, Debian Security Team <team at security.debian.org>,yadd at debian.org
> 
> Hi,
> 
> The following vulnerability was published for underscore.
> 
> CVE-2021-23358[0]:
> | The package underscore from 1.13.0-0 and before 1.13.0-2, from 1.3.2
> | and before 1.12.1 are vulnerable to Arbitrary Code Execution via the
> | template function, particularly when a variable property is passed as
> | an argument as it is not sanitized.
> 
> [1] provides a POC to verify the issue.
> 
> 
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> 
> For further information see:
> 
> [0] https://security-tracker.debian.org/tracker/CVE-2021-23358
>     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23358
> [1] https://snyk.io/vuln/SNYK-JS-UNDERSCORE-1080984
> 
> Regards,
> Salvatore

Hi,

here is a debdiff for buster including:
 * backport of upstream patch
 * autopkgtest file (tested)

Cheers,
Yadd
-------------- next part --------------
diff --git a/debian/changelog b/debian/changelog
index 02cd807..eb9fd68 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+underscore (1.9.1~dfsg-1+deb10u1) buster-security; urgency=high
+
+  * Team upload
+  * Fix arbitrary code execution (Closes: #986171)
+
+ -- Yadd <yadd at debian.org>  Tue, 30 Mar 2021 22:54:09 +0200
+
 underscore (1.9.1~dfsg-1) unstable; urgency=medium
 
   [ upstream ]
diff --git a/debian/patches/CVE-2021-23358.patch b/debian/patches/CVE-2021-23358.patch
new file mode 100644
index 0000000..2ba4118
--- /dev/null
+++ b/debian/patches/CVE-2021-23358.patch
@@ -0,0 +1,62 @@
+Description: fix arbitrary code execution
+Author: Julian Gonggrijp <dev at juliangonggrijp.com>
+Origin: upstream, https://github.com/jashkenas/underscore/commit/4c73526d
+Bug: https://snyk.io/vuln/SNYK-JS-UNDERSCORE-1080984
+Bug-Debian: https://bugs.debian.org/986171
+Forwarded: not-needed
+Reviewed-By: Xavier Guimard <yadd at debian.org>
+Last-Update: 2021-03-30
+
+--- a/underscore.js
++++ b/underscore.js
+@@ -1550,6 +1550,13 @@
+     return '\\' + escapes[match];
+   };
+ 
++  // In order to prevent third-party code injection through
++  // `_.templateSettings.variable`, we test it against the following regular
++  // expression. It is intentionally a bit more liberal than just matching valid
++  // identifiers, but still prevents possible loopholes through defaults or
++  // destructuring assignment.
++  var bareIdentifier = /^\s*(\w|\$)+\s*$/;
++
+   // JavaScript micro-templating, similar to John Resig's implementation.
+   // Underscore templating handles arbitrary delimiters, preserves whitespace,
+   // and correctly escapes quotes within interpolated code.
+@@ -1585,8 +1592,17 @@
+     });
+     source += "';\n";
+ 
+-    // If a variable is not specified, place data values in local scope.
+-    if (!settings.variable) source = 'with(obj||{}){\n' + source + '}\n';
++    var argument = settings.variable;
++    if (argument) {
++      // Insure against third-party code injection.
++      if (!bareIdentifier.test(argument)) throw new Error(
++        'variable is not a bare identifier: ' + argument
++      );
++    } else {
++      // If a variable is not specified, place data values in local scope.
++      source = 'with(obj||{}){\n' + source + '}\n';
++      argument = 'obj';
++    }
+ 
+     source = "var __t,__p='',__j=Array.prototype.join," +
+       "print=function(){__p+=__j.call(arguments,'');};\n" +
+@@ -1594,7 +1610,7 @@
+ 
+     var render;
+     try {
+-      render = new Function(settings.variable || 'obj', '_', source);
++      render = new Function(argument, '_', source);
+     } catch (e) {
+       e.source = source;
+       throw e;
+@@ -1605,7 +1621,6 @@
+     };
+ 
+     // Provide the compiled source as a convenience for precompilation.
+-    var argument = settings.variable || 'obj';
+     template.source = 'function(' + argument + '){\n' + source + '}';
+ 
+     return template;
diff --git a/debian/patches/series b/debian/patches/series
index da362d2..7ddac86 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1 +1,2 @@
 2001_docs_privacy.patch
+CVE-2021-23358.patch
diff --git a/debian/tests/CVE-2021-23358 b/debian/tests/CVE-2021-23358
new file mode 100755
index 0000000..a2ae590
--- /dev/null
+++ b/debian/tests/CVE-2021-23358
@@ -0,0 +1,11 @@
+#!/bin/sh
+
+if node debian/tests/CVE-2021-23358.js 2>/dev/null; then
+	rm -f HELLO
+	echo 'Vulnerable to CVE-2021-23358' >&2
+	exit 1
+else
+	echo
+	echo 'Not vulnerable to CVE-2021-23358'
+	exit 0
+fi
diff --git a/debian/tests/CVE-2021-23358.js b/debian/tests/CVE-2021-23358.js
new file mode 100644
index 0000000..fad7c77
--- /dev/null
+++ b/debian/tests/CVE-2021-23358.js
@@ -0,0 +1,3 @@
+const _ = require('underscore');
+_.templateSettings.variable = "a = this.process.mainModule.require('child_process').execSync('touch HELLO')";
+const t = _.template("")();
diff --git a/debian/tests/control b/debian/tests/control
index 7275831..868aa31 100644
--- a/debian/tests/control
+++ b/debian/tests/control
@@ -1 +1,7 @@
 Test-Command: node -e "require('underscore');"
+Depends: @
+Restrictions: superficial
+
+Tests: CVE-2021-23358
+Depends: @
+Restrictions: superficial

More information about the Pkg-javascript-devel mailing list