[Pkg-javascript-devel] Bug#1079144: bullseye-pu: package gettext.js/0.7.0-2+deb11u1

Yadd yadd at debian.org
Tue Aug 20 14:31:44 BST 2024


Package: release.debian.org
Severity: normal
Tags: bullseye
X-Debbugs-Cc: gettext.js at packages.debian.org, yadd at debian.org
Control: affects -1 + src:gettext.js
User: release.debian.org at packages.debian.org
Usertags: pu

[ Reason ]
gettext is vulnerable to an SSRF issue (#1078880, CVE-2024-43370)

[ Impact ]
Medium security issue

[ Tests ]
Test passed

[ Risks ]
Low risk, patch is trivial

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
Improve regex test

Best regards,
Xavier
diff --git a/debian/changelog b/debian/changelog
index 1cd30f8..5e44abe 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+gettext.js (0.7.0-2+deb11u1) bullseye; urgency=medium
+
+  * Team upload
+  * Fix SSRF issue (Closes: #1078880, CVE-2024-43370)
+
+ -- Yadd <yadd at debian.org>  Tue, 20 Aug 2024 17:26:52 +0400
+
 gettext.js (0.7.0-2) unstable; urgency=medium
 
   * Team upload
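Review bot: the changelog line "Fix SSRF issue" does not match what the shipped patch describes ("Fix valid plural regex check", guarding the code the upstream comment calls "a hidden eval() equivalent"); consider wording the entry as an input-validation fix for the plural-form header so that readers of the changelog and of debian/patches/CVE-2024-43370.patch see the same description of the change.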
diff --git a/debian/patches/CVE-2024-43370.patch b/debian/patches/CVE-2024-43370.patch
new file mode 100644
index 0000000..84a3004
--- /dev/null
+++ b/debian/patches/CVE-2024-43370.patch
@@ -0,0 +1,36 @@
+Description: Fix valid plural regex check
+Author: Guillaume Potier <cobalt2760 at gmail.com>
+Origin: upstream, https://github.com/guillaumepotier/gettext.js/commit/6e52e0f8
+Bug: https://github.com/guillaumepotier/gettext.js/security/advisories/GHSA-vwhg-jwr4-vxgg
+Bug-Debian: https://bugs.debian.org/1078880
+Forwarded: not-needed
+Applied-Upstream: 2.0.3, commit:6e52e0f8
+Reviewed-By: Yadd <yadd at debian.org>
+Last-Update: 2024-08-17
+
+--- a/dist/gettext.js
++++ b/dist/gettext.js
+@@ -57,7 +57,9 @@
+         // plural forms list available here http://localization-guide.readthedocs.org/en/latest/l10n/pluralforms.html
+         var pf_re = new RegExp('^\\s*nplurals\\s*=\\s*[0-9]+\\s*;\\s*plural\\s*=\\s*(?:\\s|[-\\?\\|&=!<>+*/%:;n0-9_\(\)])+');
+ 
+-        if (!pf_re.test(plural_form))
++        var match = plural_form.match(pf_re);
++
++        if (!match || match[0] !== plural_form)
+           throw new Error(strfmt('The plural form "%1" is not valid', plural_form));
+ 
+         // Careful here, this is a hidden eval() equivalent..
+--- a/lib/gettext.js
++++ b/lib/gettext.js
+@@ -74,7 +74,9 @@
+         // plural forms list available here http://localization-guide.readthedocs.org/en/latest/l10n/pluralforms.html
+         var pf_re = new RegExp('^\\s*nplurals\\s*=\\s*[0-9]+\\s*;\\s*plural\\s*=\\s*(?:\\s|[-\\?\\|&=!<>+*/%:;n0-9_\(\)])+');
+ 
+-        if (!pf_re.test(plural_form))
++        var match = plural_form.match(pf_re);
++
++        if (!match || match[0] !== plural_form)
+           throw new Error(strfmt('The plural form "%1" is not valid', plural_form));
+ 
+         // Careful here, this is a hidden eval() equivalent..
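Review bot: the new check is correct in intent, but the `match[0] !== plural_form` comparison is an indirect way of saying the pattern must consume the whole string; since `pf_re` is only anchored with `^`, the old `test()` call accepted any input that merely started with a valid `nplurals=...; plural=...` prefix, and whatever followed was handed to the eval-equivalent below. Appending `$` to the pattern (JavaScript `$` without the `m` flag matches only at end of input) would make the full-match requirement self-documenting and let the original one-line `if (!pf_re.test(plural_form))` stay. Two smaller points: the `\(\)` at the end of the character class sits inside a JavaScript string literal, so the backslashes are dropped before the RegExp sees it and the class simply contains literal parentheses, which works but would read more clearly as `\\(\\)`; and the same hunk is applied to both dist/gettext.js and lib/gettext.js, so any follow-up change to the regex must be made in both copies.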
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 0000000..ee0df62
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1 @@
+CVE-2024-43370.patch