[Pkg-javascript-devel] Bug#1040683: bookworm-pu: package node-webpack/5.75.0+dfsg+~cs17.16.14-1+deb12u1

Yadd yadd at debian.org
Sun Jul 9 08:58:06 BST 2023 

Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian.org at packages.debian.org
Usertags: pu
X-Debbugs-Cc: node-webpack at packages.debian.org
Control: affects -1 + src:node-webpack

[ Reason ]
node-webpack is vulnerable to cross-realm object access
(#1032904, CVE-2023-28154).

[ Impact ]
Medium security issue

[ Tests ]
Test updated, passed

[ Risks ]
Low risk, patch is trivial

[ Checklist ]
  [X] all changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

Regards,
Yadd
-------------- next part --------------
diff --git a/debian/changelog b/debian/changelog
index 0053d7ee..a07dd9d4 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+node-webpack (5.75.0+dfsg+~cs17.16.14-1+deb12u1) bookworm; urgency=medium
+
+  * Team upload
+  * Avoid cross-realm objects (Closes: #1032904, CVE-2023-28154)
+
+ -- Yadd <yadd at debian.org>  Mon, 29 May 2023 07:53:16 +0400
+
 node-webpack (5.75.0+dfsg+~cs17.16.14-1) unstable; urgency=medium
 
   * Team upload
diff --git a/debian/patches/CVE-2023-28154.patch b/debian/patches/CVE-2023-28154.patch
new file mode 100644
index 00000000..2f651167
--- /dev/null
+++ b/debian/patches/CVE-2023-28154.patch
@@ -0,0 +1,80 @@
+Description: avoid cross-realm objects
+Author: Jack Works <jackworks at protonmail.com>
+Origin: upstream, https://github.com/webpack/webpack/commit/4b4ca3bb
+Bug: https://www.cve.org/CVERecord?id=CVE-2023-28154
+Bug-Debian: https://bugs.debian.org/1032904
+Forwarded: not-needed
+Applied-Upstream: 5.76.1, commit:4b4ca3bb
+Reviewed-By: Yadd <yadd at debian.org>
+Last-Update: 2023-05-29
+
+--- a/lib/dependencies/ImportParserPlugin.js
++++ b/lib/dependencies/ImportParserPlugin.js
+@@ -137,7 +137,7 @@
+ 				if (importOptions.webpackInclude !== undefined) {
+ 					if (
+ 						!importOptions.webpackInclude ||
+-						importOptions.webpackInclude.constructor.name !== "RegExp"
++						!(importOptions.webpackInclude instanceof RegExp)
+ 					) {
+ 						parser.state.module.addWarning(
+ 							new UnsupportedFeatureWarning(
+@@ -146,13 +146,13 @@
+ 							)
+ 						);
+ 					} else {
+-						include = new RegExp(importOptions.webpackInclude);
++						include = importOptions.webpackInclude;
+ 					}
+ 				}
+ 				if (importOptions.webpackExclude !== undefined) {
+ 					if (
+ 						!importOptions.webpackExclude ||
+-						importOptions.webpackExclude.constructor.name !== "RegExp"
++						!(importOptions.webpackExclude instanceof RegExp)
+ 					) {
+ 						parser.state.module.addWarning(
+ 							new UnsupportedFeatureWarning(
+@@ -161,7 +161,7 @@
+ 							)
+ 						);
+ 					} else {
+-						exclude = new RegExp(importOptions.webpackExclude);
++						exclude = importOptions.webpackExclude;
+ 					}
+ 				}
+ 				if (importOptions.webpackExports !== undefined) {
+--- a/lib/javascript/JavascriptParser.js
++++ b/lib/javascript/JavascriptParser.js
+@@ -3635,17 +3635,27 @@
+ 			return EMPTY_COMMENT_OPTIONS;
+ 		}
+ 		let options = {};
++		/** @type {unknown[]} */
+ 		let errors = [];
+ 		for (const comment of comments) {
+ 			const { value } = comment;
+ 			if (value && webpackCommentRegExp.test(value)) {
+ 				// try compile only if webpack options comment is present
+ 				try {
+-					const val = vm.runInNewContext(`(function(){return {${value}};})()`);
+-					Object.assign(options, val);
++					for (let [key, val] of Object.entries(
++						vm.runInNewContext(`(function(){return {${value}};})()`)
++					)) {
++						if (typeof val === "object" && val !== null) {
++							if (val.constructor.name === "RegExp") val = new RegExp(val);
++							else val = JSON.parse(JSON.stringify(val));
++						}
++						options[key] = val;
++					}
+ 				} catch (e) {
+-					e.comment = comment;
+-					errors.push(e);
++					const newErr = new Error(String(e.message));
++					newErr.stack = String(e.stack);
++					Object.assign(newErr, { comment });
++					errors.push(newErr);
+ 				}
+ 			}
+ 		}
diff --git a/debian/patches/series b/debian/patches/series
index 16f26f45..dd57ffb6 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -4,3 +4,4 @@ webpack-cli-path.patch
 terser-webpack-plugin.patch
 fix-for-jest-29.patch
 fix-tsconfig.patch
+CVE-2023-28154.patch

More information about the Pkg-javascript-devel mailing list