[Pkg-javascript-devel] Bug#1032921: bullseye-pu: package node-webpack/4.43.0-6+deb11u1

Yadd yadd at debian.org
Tue Mar 14 04:01:38 GMT 2023


Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian.org at packages.debian.org
Usertags: pu
X-Debbugs-Cc: node-webpack at packages.debian.org
Control: affects -1 + src:node-webpack

[ Reason ]
node-webpack is vulnerable to cross-realm object access
(#1032904, CVE-2023-28154)

[ Impact ]
Medium security issue

[ Tests ]
Sadly webpack has no test in Bullseye

[ Risks ]
Low risk, patch is trivial

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

[ Changes ]
Better isolation in distinct Node.js vm for each object to parse before
setting keys in vulnerable object

Cheers,
Yadd
-------------- next part --------------
diff --git a/debian/changelog b/debian/changelog
index 4bbdc0d3..dcd60ee0 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+node-webpack (4.43.0-6+deb11u1) bullseye; urgency=medium
+
+  * Team upload
+  * Avoid cross-realm object access (Closes: #1032904, CVE-2023-28154)
+
+ -- Yadd <yadd at debian.org>  Tue, 14 Mar 2023 07:43:57 +0400
+
 node-webpack (4.43.0-6) unstable; urgency=medium
 
   * Team upload
diff --git a/debian/patches/CVE-2023-28154.patch b/debian/patches/CVE-2023-28154.patch
new file mode 100644
index 00000000..c239d37b
--- /dev/null
+++ b/debian/patches/CVE-2023-28154.patch
@@ -0,0 +1,72 @@
+Description: avoid cross-realm object access
+Author: Jack Works <jackworks at protonmail.com>
+Bug: https://security-tracker.debian.org/tracker/CVE-2023-28154
+Bug-Debian: https://bugs.debian.org/1032904
+Forwarded: not-needed
+Applied-Upstream: 5.76.0, commit:4b4ca3bb
+Reviewed-By: Yadd <yadd at debian.org>
+Last-Update: 2023-03-14
+
+--- a/lib/Parser.js
++++ b/lib/Parser.js
+@@ -2335,11 +2335,20 @@
+ 			if (value && webpackCommentRegExp.test(value)) {
+ 				// try compile only if webpack options comment is present
+ 				try {
+-					const val = vm.runInNewContext(`(function(){return {${value}};})()`);
+-					Object.assign(options, val);
++					for (let [key, val] of Object.entries(
++						vm.runInNewContext(`(function(){return {${value}};})()`)
++					)) {
++						if (typeof val === "object" && val !== null) {
++							if (val.constructor.name === "RegExp") val = new RegExp(val);
++							else val = JSON.parse(JSON.stringify(val));
++						}
++						options[key] = val;
++					}
+ 				} catch (e) {
+-					e.comment = comment;
+-					errors.push(e);
++					const newErr = new Error(String(e.message));
++					newErr.stack = String(e.stack);
++					Object.assign(newErr, { comment });
++					errors.push(newErr);
+ 				}
+ 			}
+ 		}
+--- a/lib/dependencies/ImportParserPlugin.js
++++ b/lib/dependencies/ImportParserPlugin.js
+@@ -127,7 +127,7 @@
+ 				if (importOptions.webpackInclude !== undefined) {
+ 					if (
+ 						!importOptions.webpackInclude ||
+-						importOptions.webpackInclude.constructor.name !== "RegExp"
++						!(importOptions.webpackInclude instanceof RegExp)
+ 					) {
+ 						parser.state.module.warnings.push(
+ 							new UnsupportedFeatureWarning(
+@@ -137,13 +137,13 @@
+ 							)
+ 						);
+ 					} else {
+-						include = new RegExp(importOptions.webpackInclude);
++						include = importOptions.webpackInclude;
+ 					}
+ 				}
+ 				if (importOptions.webpackExclude !== undefined) {
+ 					if (
+ 						!importOptions.webpackExclude ||
+-						importOptions.webpackExclude.constructor.name !== "RegExp"
++						!(importOptions.webpackExclude instanceof RegExp)
+ 					) {
+ 						parser.state.module.warnings.push(
+ 							new UnsupportedFeatureWarning(
+@@ -153,7 +153,7 @@
+ 							)
+ 						);
+ 					} else {
+-						exclude = new RegExp(importOptions.webpackExclude);
++						exclude = importOptions.webpackExclude;
+ 					}
+ 				}
+ 			}
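Review bot: In the lib/Parser.js part, the `typeof val === "object"` guard leaves function-typed values untouched, so a function returned by `vm.runInNewContext` is still stored in `options[key]` as an object from the other realm. Whether any consumer of `options` reads such a value is not visible here, but the copy step should fail closed, for example `if (typeof val === "function") continue;` ahead of `options[key] = val;`. The `instanceof RegExp` checks in lib/dependencies/ImportParserPlugin.js now depend on that re-creation in Parser.js, which deserves a comment such as `// RegExp values are re-created in the main realm by Parser.js, so instanceof is reliable here`. Both enclosing functions start and end outside the nested hunks.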
diff --git a/debian/patches/series b/debian/patches/series
index 9701d29d..2840a18d 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,3 +1,4 @@
 use-uglifyjs-plugin.patch
 fix-for-mkdirp.diff
 fix-for-schema-utils-3.diff
+CVE-2023-28154.patch

