[Pkg-javascript-devel] Bug#1035625: unblock: node-yaml/2.1.3-2
Yadd
yadd at debian.org
Sat May 6 21:22:52 BST 2023
Package: release.debian.org
Severity: normal
User: release.debian.org at packages.debian.org
Usertags: unblock
X-Debbugs-Cc: node-yaml at packages.debian.org
Control: affects -1 + src:node-yaml
Please unblock package node-yaml
[ Reason ]
node-yaml is vulnerable to a denial of service (#1035580, CVE-2023-2251)
[ Impact ]
Medium security issue
[ Tests ]
New tests added:
- by upstream in the CVE-2023-2251.patch file
- by myself in autopkgtest, using the code provided to prove the issue
You can verify using
https://salsa.debian.org/js-team/node-yaml/-/pipelines that the CVE is
fixed by this patch.
[ Risks ]
Low risk, the patch is trivial (it just fixes the line character count)
[ Checklist ]
[X] all changes are documented in the d/changelog
[X] I reviewed all changes and I approve them
[X] attach debdiff against the package in testing
[ Others ]
This debdiff also includes:
* little things from lintian-brush
* a little test path fix, because the test failed on platforms where the
word "debian" was in the build root path (especially salsa)
Cheers,
Yadd
unblock node-yaml/2.1.3-2
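The following is an added example, not part of the unblock request and not node-yaml's own code: a stand-alone, simplified re-implementation of the pointer computation visible in the src/errors.ts hunk of the attached debdiff, in its pre-fix and post-fix forms. It shows why `'^'.repeat(count)` can receive a negative count once `80 - ci` goes below zero (String.prototype.repeat throws a RangeError for a negative count, which surfaces as an uncaught exception from the parser) and why the one-line `Math.max(1, ...)` clamp is enough. The names `ci`, `col` and `end` follow the hunk; the surrounding pretty-printer logic (line trimming, message assembly) is left out, and the two input cases are constructed for illustration rather than taken from the library.

```javascript
// Added example (not part of the unblock request or of node-yaml itself):
// a simplified re-implementation of the pointer computation shown in the
// src/errors.ts hunk, before and after the CVE-2023-2251 fix.
// `ci` is the 0-based column of the error within the displayed line,
// `col` its 1-based column, `end` the optional end position of the error.

const MAX_WIDTH = 80; // the literal 80 from the hunk

// Pre-fix: `count` goes negative as soon as ci exceeds MAX_WIDTH.
function pointerBefore(ci, col, end) {
  let count = 1;
  if (end && end.col > col) {
    count = Math.min(end.col - col, MAX_WIDTH - ci);
  }
  // String.prototype.repeat throws RangeError when count < 0.
  return ' '.repeat(ci) + '^'.repeat(count);
}

// Post-fix: clamp to at least one caret, exactly as the patch does.
function pointerAfter(ci, col, end) {
  let count = 1;
  if (end && end.col > col) {
    count = Math.max(1, Math.min(end.col - col, MAX_WIDTH - ci));
  }
  return ' '.repeat(ci) + '^'.repeat(count);
}

// Run one variant and report whether it threw, instead of letting the
// exception propagate the way an unpatched parseDocument() would.
function tryPointer(fn, ci, col, end) {
  try {
    return { ok: true, pointer: fn(ci, col, end) };
  } catch (e) {
    return { ok: false, error: e.name + ': ' + e.message };
  }
}

// Constructed inputs (assumptions, not values taken from the library):
// case A is an ordinary error inside the 80-column window; case B stands in
// for the advisory's input, an unclosed '[' followed by many CRs, where the
// error column ends up past the 80-column window (ci > MAX_WIDTH).
const caseA = { ci: 4, col: 5, end: { col: 9 } };
const caseB = { ci: 81, col: 82, end: { col: 84 } };

function demo() {
  return {
    aBefore: tryPointer(pointerBefore, caseA.ci, caseA.col, caseA.end),
    aAfter: tryPointer(pointerAfter, caseA.ci, caseA.col, caseA.end),
    bBefore: tryPointer(pointerBefore, caseB.ci, caseB.col, caseB.end),
    bAfter: tryPointer(pointerAfter, caseB.ci, caseB.col, caseB.end),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

Case A produces the same four-caret pointer with both variants; case B throws `RangeError` with the pre-fix code and yields a single caret after the clamp, which is the whole behavioural difference the patch introduces. A parser that exposes error pretty-printing on attacker-supplied input should never let a formatting helper throw, so the clamp is the right place for the fix even though the caret position itself is cosmetic.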
-------------- next part --------------
diff --git a/debian/changelog b/debian/changelog
index 3265e73..5d44f16 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,14 @@
+node-yaml (2.1.3-2) unstable; urgency=medium
+
+ * Team upload
+ * Update lintian override info format in
+ d/source/lintian-overrides on line 2-7
+ * Update standards version to 4.6.2, no changes needed
+ * Fix corner case failure in error pretty-printer
+ (Closes: #1035580, CVE-2023-2251)
+
+ -- Yadd <yadd at debian.org> Sun, 07 May 2023 00:10:19 +0400
+
node-yaml (2.1.3-1) unstable; urgency=medium
* Team upload
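Review bot: the changelog entry omits two changes that are in this debdiff, the new autopkgtest (debian/tests/CVE-2023-2251 plus debian/tests/control) and the testPathIgnorePatterns change in debian/tests/pkg-js/test, even though the checklist states that all changes are documented in d/changelog. Add bullets along the lines of `* Add autopkgtest reproducing CVE-2023-2251` and `* Narrow jest's testPathIgnorePatterns from debian/ to debian/tests/` so the release team can see the full scope of the upload from the entry alone.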
diff --git a/debian/control b/debian/control
index 0a7fe7e..e221de8 100644
--- a/debian/control
+++ b/debian/control
@@ -15,7 +15,7 @@ Build-Depends:
, node-tslib <!nocheck>
, node-typescript <!nocheck>
, rollup
-Standards-Version: 4.6.1
+Standards-Version: 4.6.2
Homepage: https://eemeli.org/yaml/
Vcs-Git: https://salsa.debian.org/js-team/node-yaml.git
Vcs-Browser: https://salsa.debian.org/js-team/node-yaml
diff --git a/debian/patches/CVE-2023-2251.patch b/debian/patches/CVE-2023-2251.patch
new file mode 100644
index 0000000..0d8b1d4
--- /dev/null
+++ b/debian/patches/CVE-2023-2251.patch
@@ -0,0 +1,36 @@
+Description: fix: Corner case failure in error pretty-printer
+Author: Eemeli Aro <eemeli at gmail.com>
+Origin: upstream, https://github.com/eemeli/yaml/commit/984f5781
+Bug: https://github.com/advisories/GHSA-f9xv-q969-pqx4
+Bug-Debian: https://bugs.debian.org/1035580
+Forwarded: not-needed
+Applied-Upstream: 2.2.2, commit:984f5781
+Reviewed-By: Yadd <yadd at debian.org>
+Last-Update: 2023-05-06
+
+--- a/src/errors.ts
++++ b/src/errors.ts
+@@ -91,7 +91,7 @@
+ let count = 1
+ const end = error.linePos[1]
+ if (end && end.line === line && end.col > col) {
+- count = Math.min(end.col - col, 80 - ci)
++ count = Math.max(1, Math.min(end.col - col, 80 - ci))
+ }
+ const pointer = ' '.repeat(ci) + '^'.repeat(count)
+ error.message += `:\n\n${lineStr}\n${pointer}\n`
+--- a/tests/doc/errors.js
++++ b/tests/doc/errors.js
+@@ -341,6 +341,12 @@
+ const doc = YAML.parseDocument(src, { prettyErrors: true })
+ expect(doc.warnings).toMatchObject([{ name: 'YAMLWarning' }])
+ })
++
++ test('repeated CR', () => {
++ const src = '[' + '\r'.repeat(80)
++ const doc = YAML.parseDocument(src, { prettyErrors: true })
++ expect(doc.errors[0]).not.toHaveProperty('source')
++ })
+ })
+
+ describe('tags on invalid nodes', () => {
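Review bot: the DEP-3 header (`Description: fix: Corner case failure in error pretty-printer`) does not say what the security impact is, and CVE-2023-2251 appears only in the file name. State the mechanism in the Description: when `80 - ci` is negative, `count` becomes negative and `'^'.repeat(count)` throws a RangeError, so an uncaught exception escapes from the parser on crafted input; and add the CVE identifier to the header so that the patch is self-describing once it is cherry-picked elsewhere. The `Math.max(1, ...)` clamp itself is the right minimal fix, and the added `repeated CR` test does exercise the path through `prettyErrors: true`, although it only checks `not.toHaveProperty('source')` rather than the pointer, so the regression is caught by absence of a throw rather than by an explicit assertion on the message.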
diff --git a/debian/patches/series b/debian/patches/series
index 053c2da..e2d7781 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,2 +1,3 @@
fix-test.patch
fix-for-rollup-3.patch
+CVE-2023-2251.patch
diff --git a/debian/source/lintian-overrides b/debian/source/lintian-overrides
index 7c118d4..b78412d 100644
--- a/debian/source/lintian-overrides
+++ b/debian/source/lintian-overrides
@@ -1,10 +1,10 @@
# False positive: test data
-source-is-missing *tests/doc/YAML-1.2.spec.js*
-source-is-missing *tests/doc/foldFlowLines.js*
-source-contains-prebuilt-javascript-object *tests/doc/YAML-1.2.spec.js*
-source-contains-prebuilt-javascript-object *tests/doc/foldFlowLines.js*
-source-is-missing *debian/tests/test_modules/*
-source-contains-prebuilt-javascript-object *debian/tests/test_modules/*
+source-is-missing [*tests/doc/YAML-1.2.spec.js*]
+source-is-missing [*tests/doc/foldFlowLines.js*]
+source-contains-prebuilt-javascript-object [*tests/doc/YAML-1.2.spec.js*]
+source-contains-prebuilt-javascript-object [*tests/doc/foldFlowLines.js*]
+source-is-missing [*debian/tests/test_modules/*]
+source-contains-prebuilt-javascript-object [*debian/tests/test_modules/*]
very-long-line-length-in-source-file *tests/doc/YAML-1.2.spec.js*
very-long-line-length-in-source-file *tests/doc/foldFlowLines.js*
very-long-line-length-in-source-file *debian/tests/test_modules/*
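Review bot: the three `very-long-line-length-in-source-file` entries at the end of the hunk keep the old unbracketed pattern syntax while the six entries above are migrated to `tag [pattern]`; convert them too (e.g. `very-long-line-length-in-source-file [*tests/doc/YAML-1.2.spec.js*]`) so the file uses one format throughout instead of being left half-migrated.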
diff --git a/debian/tests/CVE-2023-2251 b/debian/tests/CVE-2023-2251
new file mode 100755
index 0000000..819869e
--- /dev/null
+++ b/debian/tests/CVE-2023-2251
@@ -0,0 +1,6 @@
+#!/usr/bin/node
+
+process.chdir('/');
+const yaml = require("/usr/share/nodejs/yaml");
+const string = "[" + "\r".repeat(80);
+yaml.parseDocument(string);
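Review bot: the script only proves that `yaml.parseDocument(string)` returns without throwing; it never checks that an error was recorded, so a change that silently skipped the pretty-printer, or that turned prettyErrors off by default, would still pass. Keep the result and fail explicitly, e.g. `const doc = yaml.parseDocument(string, { prettyErrors: true });` followed by `if (!doc.errors.length) process.exit(1);`, which also mirrors the upstream test's explicit `prettyErrors: true` instead of relying on the default.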
diff --git a/debian/tests/control b/debian/tests/control
new file mode 100644
index 0000000..34bba78
--- /dev/null
+++ b/debian/tests/control
@@ -0,0 +1,2 @@
+Tests: CVE-2023-2251
+Depends: @, nodejs
diff --git a/debian/tests/pkg-js/test b/debian/tests/pkg-js/test
index 8d2da7d..6bd4f1a 100644
--- a/debian/tests/pkg-js/test
+++ b/debian/tests/pkg-js/test
@@ -1,5 +1,5 @@
# Test
-jest --config config/jest.config.js --ci --testPathIgnorePatterns tests/yaml-test-suite.ts tests/_utils.ts tests/json-test-suite.ts .pc/ debian/
+jest --config config/jest.config.js --ci --testPathIgnorePatterns tests/yaml-test-suite.ts tests/_utils.ts tests/json-test-suite.ts .pc/ debian/tests/
# Types test
tsc --allowJs --moduleResolution node --noEmit --target es5 dist/index.js
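Review bot: replacing `debian/` with `debian/tests/` in --testPathIgnorePatterns narrows the match but leaves the root cause the email describes in place: jest matches these regexes against the full path, so a build root containing `debian/tests/` (or `.pc/`) would again exclude the whole suite. Anchor the patterns to the project root instead, quoting them so the shell does not treat `<rootDir>` as a redirection, e.g. `--testPathIgnorePatterns tests/yaml-test-suite.ts tests/_utils.ts tests/json-test-suite.ts '<rootDir>/.pc/' '<rootDir>/debian/'`; this is independent of where the build root lives and still keeps the new debian/tests/CVE-2023-2251 script out of jest's collection.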