[Pkg-javascript-devel] Bug#1078880: Bug#1078880: gettext.js: CVE-2024-43370

Yadd yadd at debian.org
Sat Aug 17 16:01:04 BST 2024


Hi,

here is a simple patch for this issue

Best regards,
Xavier

On 8/17/24 16:34, Salvatore Bonaccorso wrote:
> Source: gettext.js
> Version: 0.7.0-3
> Severity: grave
> Tags: security upstream
> X-Debbugs-Cc: carnil at debian.org, Debian Security Team <team at security.debian.org>
> 
> Hi,
> 
> The following vulnerability was published for gettext.js.
> 
> CVE-2024-43370[0]:
> | gettext.js is a GNU gettext port for node and the browser. There is
> | a cross-site scripting (XSS) injection if `.po` dictionary
> | definition files are corrupted. This vulnerability has been patched
> | in version 2.0.3. As a workaround, control the origin of the
> | definition catalog to prevent the use of this flaw in the definition
> | of plural forms.
> 
> 
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> 
> For further information see:
> 
> [0] https://security-tracker.debian.org/tracker/CVE-2024-43370
>      https://www.cve.org/CVERecord?id=CVE-2024-43370
> [1] https://github.com/guillaumepotier/gettext.js/security/advisories/GHSA-vwhg-jwr4-vxgg
> [2] https://github.com/guillaumepotier/gettext.js/commit/6e52e0f8fa7d7c8b358e78b613d47ea332b8a56c
> 
> Regards,
> Salvatore
> 
-------------- next part --------------
diff --git a/debian/changelog b/debian/changelog
index 940e493..ce3e02c 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+gettext.js (0.7.0-3+deb12u1) bookworm-security; urgency=medium
+
+  * Team upload
+  * Fix SSRF issue (Closes: #1078880, CVE-2024-43370)
+
+ -- Yadd <yadd at debian.org>  Sat, 17 Aug 2024 18:58:13 +0400
+
 gettext.js (0.7.0-3) unstable; urgency=medium
 
   [ Debian Janitor ]
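Review bot: the changelog line `+  * Fix SSRF issue (Closes: #1078880, CVE-2024-43370)` names the wrong vulnerability class. Per the quoted advisory text and the patch's own `Description: Fix valid plural regex check`, CVE-2024-43370 is a cross-site scripting / code-injection issue through an insufficiently anchored Plural-Forms check, not SSRF. Suggest `* Fix XSS via malformed Plural-Forms header (Closes: #1078880, CVE-2024-43370)` so the security entry is accurate for people reading the changelog later.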
diff --git a/debian/patches/CVE-2024-43370.patch b/debian/patches/CVE-2024-43370.patch
new file mode 100644
index 0000000..84a3004
--- /dev/null
+++ b/debian/patches/CVE-2024-43370.patch
@@ -0,0 +1,36 @@
+Description: Fix valid plural regex check
+Author: Guillaume Potier <cobalt2760 at gmail.com>
+Origin: upstream, https://github.com/guillaumepotier/gettext.js/commit/6e52e0f8
+Bug: https://github.com/guillaumepotier/gettext.js/security/advisories/GHSA-vwhg-jwr4-vxgg
+Bug-Debian: https://bugs.debian.org/1078880
+Forwarded: not-needed
+Applied-Upstream: 2.0.3, commit:6e52e0f8
+Reviewed-By: Yadd <yadd at debian.org>
+Last-Update: 2024-08-17
+
+--- a/dist/gettext.js
++++ b/dist/gettext.js
+@@ -57,7 +57,9 @@
+         // plural forms list available here http://localization-guide.readthedocs.org/en/latest/l10n/pluralforms.html
+         var pf_re = new RegExp('^\\s*nplurals\\s*=\\s*[0-9]+\\s*;\\s*plural\\s*=\\s*(?:\\s|[-\\?\\|&=!<>+*/%:;n0-9_\(\)])+');
+ 
+-        if (!pf_re.test(plural_form))
++        var match = plural_form.match(pf_re);
++
++        if (!match || match[0] !== plural_form)
+           throw new Error(strfmt('The plural form "%1" is not valid', plural_form));
+ 
+         // Careful here, this is a hidden eval() equivalent..
+--- a/lib/gettext.js
++++ b/lib/gettext.js
+@@ -74,7 +74,9 @@
+         // plural forms list available here http://localization-guide.readthedocs.org/en/latest/l10n/pluralforms.html
+         var pf_re = new RegExp('^\\s*nplurals\\s*=\\s*[0-9]+\\s*;\\s*plural\\s*=\\s*(?:\\s|[-\\?\\|&=!<>+*/%:;n0-9_\(\)])+');
+ 
+-        if (!pf_re.test(plural_form))
++        var match = plural_form.match(pf_re);
++
++        if (!match || match[0] !== plural_form)
+           throw new Error(strfmt('The plural form "%1" is not valid', plural_form));
+ 
+         // Careful here, this is a hidden eval() equivalent..
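Review bot: the root cause visible in the hunk is that `pf_re` is anchored with `^` only, so the old `pf_re.test(plural_form)` accepted any string whose prefix looked like a valid expression and passed the remainder on to the "hidden eval() equivalent" on the following line; `match[0] !== plural_form` fixes this by requiring the match to cover the whole string, equivalent to an end anchor. One behaviour change worth a sentence in the Description header: `plural_form.match(pf_re)` throws a TypeError when `plural_form` is not a string, whereas `pf_re.test()` coerced it and raised the formatted "is not valid" Error. The dist/ and lib/ copies are patched consistently, which is good since both are shipped.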
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 0000000..ee0df62
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1 @@
+CVE-2024-43370.patch
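The trailing-characters problem behind this CVE, as an added example that is neither gettext.js code nor part of the Debian patch: `pf_re` is copied from the patched lib/gettext.js, while the two check functions, the small .po header extractor and the constructed catalog headers are assumptions made here for illustration.

```javascript
// Added example (not code from gettext.js or the Debian patch): the
// Plural-Forms header check before and after the CVE-2024-43370 fix.
// pf_re is copied from the patched lib/gettext.js; everything else is
// constructed here for illustration.
var pf_re = new RegExp('^\\s*nplurals\\s*=\\s*[0-9]+\\s*;\\s*plural\\s*=\\s*(?:\\s|[-\\?\\|&=!<>+*/%:;n0-9_\(\)])+');

// Pre-fix check: RegExp.test() succeeds as soon as the ^-anchored prefix
// matches, so anything after a valid expression is silently accepted.
function pluralFormValidOld(plural_form) {
  return pf_re.test(plural_form);
}

// Post-fix check: the matched text must be the whole string, which is
// equivalent to ending the regex with "$" without touching the pattern.
function pluralFormValidNew(plural_form) {
  var match = plural_form.match(pf_re);
  return !!match && match[0] === plural_form;
}

// Extract the Plural-Forms value from a .po header entry (constructed
// helper, not the gettext.js parser); returns null when absent.
function pluralFormsFromPo(po) {
  var m = /"Plural-Forms:\s*([^"]*)\\n"/.exec(po);
  return m ? m[1].trim() : null;
}

// Run a catalog header through both checks.
function checkCatalog(po) {
  var pf = pluralFormsFromPo(po);
  if (pf === null) return { header: null, oldAccepts: false, newAccepts: false };
  return { header: pf, oldAccepts: pluralFormValidOld(pf), newAccepts: pluralFormValidNew(pf) };
}

// Constructed .po header entry with a well-formed Plural-Forms line.
var PO_GOOD = [
  'msgid ""',
  'msgstr ""',
  '"Content-Type: text/plain; charset=UTF-8\\n"',
  '"Plural-Forms: nplurals=2; plural=(n != 1);\\n"'
].join('\n');

// Constructed corrupted catalog: a valid expression followed by text
// outside the allowed character set. The old check passes it on to the
// eval-like code that follows in gettext.js; the new check rejects it.
var PO_BAD = PO_GOOD.replace('(n != 1);', '(n != 1); TRAILING JUNK');

console.log(checkCatalog(PO_GOOD)); // newAccepts: true
console.log(checkCatalog(PO_BAD));  // oldAccepts: true, newAccepts: false
```

The same full-string comparison is a cheap defensive check to run over any third-party catalog before it is loaded, independent of the library version in use.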