Hi, I don't know if you want to issue a DSA for this bug. Anyway, here is the patch.
Cheers, Xavier https://bugs.debian.org/941354 https://security-tracker.debian.org/tracker/CVE-2019-5448
diff --git a/debian/changelog b/debian/changelog
index 01fe7d70d..464a7c745 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+node-yarnpkg (1.13.0-1+deb10u1) buster-security; urgency=medium
+
+ * Team upload
+ * Add patch to force using https for the regular registries (Closes: #941354, CVE-2019-5448)
+
+ -- Xavier Guimard <y...@debian.org> Thu, 03 Oct 2019 18:23:54 +0200
+
 node-yarnpkg (1.13.0-1) unstable; urgency=low
 
  * Initial release (Closes: #843021)
diff --git a/debian/patches/CVE-2019-5448.diff b/debian/patches/CVE-2019-5448.diff
new file mode 100644
index 000000000..8bb7442c8
--- /dev/null
+++ b/debian/patches/CVE-2019-5448.diff
@@ -0,0 +1,75 @@
+Description: Forces using https for the regular registries
+Author: Maƫl Nison <https://github.com/arcanis>
+Origin: upstream, https://github.com/yarnpkg/yarn/commit/2f08a740
+Bug: https://hackerone.com/reports/640904
+Bug-Debian: https://bugs.debian.org/941354
+Forwarded: not-needed
+Reviewed-By: Xavier Guimard <y...@debian.org>
+Last-Update: 2019-10-03
+
+--- a/__tests__/registries/npm-registry.js
++++ b/__tests__/registries/npm-registry.js
+@@ -750,6 +750,30 @@
+
+ expect(npmRegistry.getRequestUrl(registry, pathname)).toEqual('https://my.registry.co/registry/foo/bar/baz');
+ });
++
++ for (const host of [`registry.yarnpkg.com`, `registry.npmjs.org`, `registry.npmjs.com`]) {
++ test(`enforces loading packages through https when they come from ${host}`, () => {
++ const testCwd = '.';
++ const {mockRequestManager, mockRegistries, mockReporter} = createMocks();
++ const npmRegistry = new NpmRegistry(testCwd, mockRegistries, mockRequestManager, mockReporter, true, []);
++ const registry = `http://${host}/registry`;
++ const pathname = 'foo/bar/baz';
++
++ expect(npmRegistry.getRequestUrl(registry, pathname)).toEqual(`https://${host}/registry/foo/bar/baz`);
++ });
++ }
++
++ test("doesn't change the protocol for packages from other registries", () => {
++ const testCwd = '.';
++ const {mockRequestManager, mockRegistries, mockReporter} = createMocks();
++ const npmRegistry = new NpmRegistry(testCwd, mockRegistries, mockRequestManager, mockReporter, true, []);
++ const registry = 'http://registry.mylittlepony.org/registry';
++ const pathname = 'foo/bar/baz';
++
++ expect(npmRegistry.getRequestUrl(registry, pathname)).toEqual(
++ 'http://registry.mylittlepony.org/registry/foo/bar/baz',
++ );
++ });
+ });
+
+ describe('getScope functional test', () => {
+--- a/src/registries/npm-registry.js
++++ b/src/registries/npm-registry.js
+@@ -22,6 +22,7 @@
+ import ini from 'ini';
+
+ const DEFAULT_REGISTRY = 'https://registry.npmjs.org/';
++const REGEX_REGISTRY_ENFORCED_HTTPS = /^https?:\/\/([^\/]+\.)?(yarnpkg\.com|npmjs\.(org|com))(\/|$)/;
+ const REGEX_REGISTRY_HTTP_PROTOCOL = /^https?:/i;
+ const REGEX_REGISTRY_PREFIX = /^(https?:)?\/\//i;
+ const REGEX_REGISTRY_SUFFIX = /registry\/?$/;
+@@ -112,13 +113,17 @@
+ }
+
+ getRequestUrl(registry: string, pathname: string): string {
+- const isUrl = REGEX_REGISTRY_PREFIX.test(pathname);
++ let resolved = pathname;
+
+- if (isUrl) {
+- return pathname;
+- } else {
+- return url.resolve(addSuffix(registry, '/'), pathname);
++ if (!REGEX_REGISTRY_PREFIX.test(pathname)) {
++ resolved = url.resolve(addSuffix(registry, '/'), pathname);
+ }
++
++ if (REGEX_REGISTRY_ENFORCED_HTTPS.test(resolved)) {
++ resolved = resolved.replace(/^http:\/\//, 'https://');
++ }
++
++ return resolved;
+ }
+
+ isRequestToRegistry(requestUrl: string, registryUrl: string): boolean {
diff --git a/debian/patches/series b/debian/patches/series
index f3c856f99..7c03222a8 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -9,3 +9,4 @@
 08-cli-table3.diff
 09-buffer_from.diff
 10-babel-plugin-inline-import.diff
+CVE-2019-5448.diff
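Review bot: The new `REGEX_REGISTRY_ENFORCED_HTTPS` and the `replace(/^http:\/\//, …)` in `getRequestUrl` are case-sensitive while the neighbouring `REGEX_REGISTRY_PREFIX` and `REGEX_REGISTRY_HTTP_PROTOCOL` carry `/i`, so in the branch where `pathname` is already an absolute URL and skips `url.resolve` (the lockfile-supplied case) a scheme or host written with capitals is returned verbatim and never upgraded; the `url.resolve` branch lowercases scheme and host as far as I recall, so only the verbatim branch is affected, and whether the request layer then accepts such a URL over plain http is not visible here. Both patterns should match case-insensitively: `const REGEX_REGISTRY_ENFORCED_HTTPS = /^https?:\/\/([^\/]+\.)?(yarnpkg\.com|npmjs\.(org|com))(\/|$)/i;` and `resolved = resolved.replace(/^http:\/\//i, 'https://');`. A sturdier form would parse `resolved` with the `url` module this function already calls and compare the lowercased `hostname` against the allow-list instead of matching the raw string, which would also cover hosts written with an explicit port. The added tests only exercise lowercase hosts, so a mixed-case registry URL is worth adding alongside them. `getRequestUrl` is fully inside the hunk, but the enclosing class is not.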