[Pkg-javascript-devel] Bug#1129093: Bug#1129093: node-proxy-agents: CVE-2026-27699
Xavier
yadd at debian.org
Fri Feb 27 07:01:56 GMT 2026
Hi,
Here is the patch for Trixie (unstable is already fixed).
On 26/02/2026 at 22:39, Salvatore Bonaccorso wrote:
> Source: node-proxy-agents
> Version: 0~2025070717-6
> Severity: grave
> Tags: security upstream
> Justification: user security hole
> X-Debbugs-Cc: carnil at debian.org, Debian Security Team <team at security.debian.org>
>
> Hi,
>
> The following vulnerability was published for node-proxy-agents.
>
> CVE-2026-27699[0]:
> | The `basic-ftp` FTP client library for Node.js contains a path
> | traversal vulnerability (CWE-22) in versions prior to 5.2.0 in the
> | `downloadToDir()` method. A malicious FTP server can send directory
> | listings with filenames containing path traversal sequences (`../`)
> | that cause files to be written outside the intended download
> | directory. Version 5.2.0 patches the issue.
>
>
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>
> For further information see:
>
> [0] https://security-tracker.debian.org/tracker/CVE-2026-27699
> https://www.cve.org/CVERecord?id=CVE-2026-27699
> [1] https://github.com/patrickjuchli/basic-ftp/security/advisories/GHSA-5rq4-664w-9x2c
> [2] https://github.com/patrickjuchli/basic-ftp/commit/2a2a0e6514357b9eda07c2f8afbd3f04727a7cd9
>
> Please adjust the affected versions in the BTS as needed.
>
> Regards,
> Salvatore
diff --git a/debian/changelog b/debian/changelog
index 80e675c..cdf1cc2 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+node-proxy-agents (0~2024040606-6+deb13u1) trixie-security; urgency=medium
+
+ * Team upload
+ * Fix basic-ftp traversal vulnerability (Closes: #1129093, CVE-2026-27699)
+
+ -- Yadd <yadd at debian.org> Fri, 27 Feb 2026 07:58:26 +0100
+
node-proxy-agents (0~2024040606-6) unstable; urgency=medium
* Team upload
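Review bot: the changelog line puts the CVE id inside the `Closes:` clause, `(Closes: #1129093, CVE-2026-27699)`; the BTS only extracts bug numbers from that clause, so the bug still gets closed, but the usual Debian form keeps the CVE outside it and names the flaw precisely, e.g. `* Fix path traversal in vendored basic-ftp downloadToDir() (CVE-2026-27699) (Closes: #1129093)`. Saying "vendored basic-ftp" also makes clear why a basic-ftp CVE is fixed in node-proxy-agents.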
diff --git a/debian/patches/CVE-2026-27699.patch b/debian/patches/CVE-2026-27699.patch
new file mode 100644
index 0000000..9b7d881
--- /dev/null
+++ b/debian/patches/CVE-2026-27699.patch
@@ -0,0 +1,32 @@
+From: Patrick Juchli <patrickjuchli at gmail.com>
+Date: feb., 23 2026 09:01:12 +0100
+Subject: [PATCH] Skip invalid filenames
+Origin: upstream, https://github.com/patrickjuchli/basic-ftp/commit/2a2a0e65
+Bug: https://github.com/patrickjuchli/basic-ftp/security/advisories/GHSA-5rq4-664w-9x2c
+Bug-Debian: https://bugs.debian.org/1129093
+Forwarded: not-needed
+Applied-Upstream: 5.2.0, commit:2a2a0e65
+Reviewed-By: Yadd <yadd at debian.org>
+
+--- a/basic-ftp/src/Client.ts
++++ b/basic-ftp/src/Client.ts
+@@ -1,5 +1,5 @@
+ import { createReadStream, createWriteStream, mkdir, readdir, stat, open, close, unlink } from "fs"
+-import { join } from "path"
++import { basename, join } from "path"
+ import { Readable, Writable } from "stream"
+ import { connect as connectTLS, ConnectionOptions as TLSConnectionOptions } from "tls"
+ import { promisify } from "util"
+@@ -694,6 +694,12 @@
+ protected async _downloadFromWorkingDir(localDirPath: string): Promise<void> {
+ await ensureLocalDirectory(localDirPath)
+ for (const file of await this.list()) {
++ const hasInvalidName = !file.name || basename(file.name) !== file.name
++ if (hasInvalidName) {
++ const safeName = JSON.stringify(file.name)
++ this.ftp.log(`Invalid filename from server listing, will skip file. (${safeName})`)
++ continue
++ }
+ const localPath = join(localDirPath, file.name)
+ if (file.isDirectory) {
+ await this.cd(file.name)
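Review bot: the new check `basename(file.name) !== file.name` lets the names `.` and `..` through, because `path.basename("..")` returns `".."` unchanged; a listing entry named `..` would then reach `join(localDirPath, "..")` and, for a directory entry, `this.cd("..")`, which walks out of the download directory. If the list parsers in this vendored version do not already drop `.` and `..` entries (upstream's do, as far as I recall, but that should be verified against the vendored `parseList*.ts`), the condition should reject them explicitly, e.g. `!file.name || file.name === "." || file.name === ".." || basename(file.name) !== file.name`. Separately, the DEP-3 `Date:` header `feb., 23 2026 09:01:12 +0100` is a French-locale date that tools such as `git am` will not parse; use the RFC 2822 form `Mon, 23 Feb 2026 09:01:12 +0100` (the 27th is a Friday per the mail header, so the 23rd is a Monday). Logging the rejected name through `JSON.stringify()` is a good touch, since it keeps control characters from a hostile server out of the log line.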
diff --git a/debian/patches/series b/debian/patches/series
index a1ce508..11cd8b5 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -3,3 +3,4 @@ use-quickjs-emscripten.patch
tsc-workaround.patch
0004-Use-modern-lru-cache.patch
0005-get-uri-compilation.patch
+CVE-2026-27699.patch