[Pkg-javascript-devel] Bug#1036976: bullseye-pu: package grunt/1.3.0-1+deb11u2
Yadd
yadd at debian.org
Wed May 31 12:03:09 BST 2023
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian.org at packages.debian.org
Usertags: pu
X-Debbugs-Cc: grunt at packages.debian.org
Control: affects -1 + src:grunt
[ Reason ]
file.copy operations in GruntJS are vulnerable to a TOCTOU race condition
leading to arbitrary file write in GitHub repository gruntjs/grunt prior to
1.5.3. This vulnerability allows arbitrary file writes, which can lead
to local privilege escalation to the GruntJS user if a lower-privileged user
has write access to both the source and destination directories: the
lower-privileged user can create a symlink to the GruntJS user's .bashrc
file, or replace the /etc/shadow file if the GruntJS user is root.
[ Impact ]
Medium security issue
[ Tests ]
Test updated, passed
[ Risks ]
Low risk: patch is trivial
[ Checklist ]
[X] *all* changes are documented in the d/changelog
[X] I reviewed all changes and I approve them
[X] attach debdiff against the package in (old)stable
[X] the issue is verified as fixed in unstable
[ Changes ]
Refuse to copy a file if destination is a symlink
Cheers,
Yadd
diff --git a/debian/changelog b/debian/changelog
index 23c3145..dcebea4 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+grunt (1.3.0-1+deb11u2) bullseye; urgency=medium
+
+ * Team upload
+ * Patch up race condition in symlink copying (Closes: CVE-2022-1537)
+
+ -- Yadd <yadd at debian.org> Wed, 31 May 2023 14:59:30 +0400
+
grunt (1.3.0-1+deb11u1) bullseye; urgency=medium
* Team upload
diff --git a/debian/patches/CVE-2022-1537.patch b/debian/patches/CVE-2022-1537.patch
new file mode 100644
index 0000000..19c750b
--- /dev/null
+++ b/debian/patches/CVE-2022-1537.patch
@@ -0,0 +1,39 @@
+Description: Patch up race condition in symlink copying
+Author: Vlad Filippov <vlad.filippov at gmail.com>
+Origin: upstream, https://github.com/gruntjs/grunt/commit/58016ffa
+Bug: https://huntr.dev/bounties/0179c3e5-bc02-4fc9-8491-a1a319b51b4d/
+Forwarded: not-needed
+Applied-Upstream: 1.5.3, commit:58016ffa
+Reviewed-By: Yadd <yadd at debian.org>
+Last-Update: 2023-05-31
+
+--- a/lib/grunt/file.js
++++ b/lib/grunt/file.js
+@@ -333,8 +333,8 @@
+ }
+ }
+ // Abort copy if the process function returns false.
+- if (contents === false) {
+- grunt.verbose.writeln('Write aborted.');
++ if (contents === false || file.isLink(destpath)) {
++ grunt.verbose.writeln('Write aborted. Either the process function returned false or the destination is a symlink');
+ } else {
+ file.write(destpath, contents, readWriteOptions);
+ }
+--- a/test/grunt/file_test.js
++++ b/test/grunt/file_test.js
+@@ -916,5 +916,13 @@
+ test.ok(fs.lstatSync(path.join(destdir.path, path.basename(fixtures))).isSymbolicLink());
+ test.done();
+ },
+- }
++ },
++ 'symbolicLinkDestError': function(test) {
++ test.expect(1);
++ var tmpfile = new Tempdir();
++ fs.symlinkSync(path.resolve('test/fixtures/octocat.png'), path.join(tmpfile.path, 'octocat.png'), 'file');
++ grunt.file.copy(path.resolve('test/fixtures/octocat.png'), path.join(tmpfile.path, 'octocat.png'));
++ test.ok(fs.lstatSync(path.join(tmpfile.path, 'octocat.png')).isSymbolicLink());
++ test.done();
++ },
+ };
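Review bot: The new `file.isLink(destpath)` guard is a separate lstat performed before `file.write(destpath, ...)` opens the destination, so the check-then-write window that the bug describes is narrowed rather than closed; a user with write access to the destination directory can still swap in a symlink between the two calls. The enclosing copy function starts outside the hunk and `file.write` is not shown, so whether the open itself refuses to follow links cannot be confirmed here; a complete fix would have the write open the destination with a non-following flag (on POSIX, `fs.constants.O_NOFOLLOW` combined into the `flag` given to `fs.writeFileSync`), or at least document the residual window in a comment next to the guard. The added test `symbolicLinkDestError` only asserts that the destination is still a symlink after the copy, which also holds if the write followed the link and overwrote its target (here the same fixture file), so it does not demonstrate that the abort fired. Pointing the symlink at a distinct temporary file and asserting that file's contents are unchanged after `grunt.file.copy` would make the test actually detect a regression.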
diff --git a/debian/patches/series b/debian/patches/series
index 24fd9f9..6231471 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -2,3 +2,4 @@ add-root-variable.patch
fix-for-coffescript.diff
adapt-gruntfile.patch
CVE-2022-0436.patch
+CVE-2022-1537.patch