Package: release.debian.org Severity: normal Tags: bullseye User: release.debian....@packages.debian.org Usertags: pu X-Debbugs-Cc: node-webp...@packages.debian.org Control: affects -1 + src:node-webpack
[ Reason ] node-webpack is vulnerable to cross-realm object access (#1032904, CVE-2023-28154) [ Impact ] Medium security issue [ Tests ] Sadly webpack has no test in Bullseye [ Risks ] Low risk, patch is trivial [ Checklist ] [X] *all* changes are documented in the d/changelog [X] I reviewed all changes and I approve them [X] attach debdiff against the package in (old)stable [X] the issue is verified as fixed in unstable [ Changes ] Better isolation in distinct Node.js vm for each object to parse before setting keys in vulnerable object Cheers, Yadd
diff --git a/debian/changelog b/debian/changelog
index 4bbdc0d3..dcd60ee0 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+node-webpack (4.43.0-6+deb11u1) bullseye; urgency=medium
+
+ * Team upload
+ * Avoid cross-realm object access (Closes: #1032904, CVE-2023-28154)
+
+ -- Yadd <y...@debian.org> Tue, 14 Mar 2023 07:43:57 +0400
+
 node-webpack (4.43.0-6) unstable; urgency=medium
 * Team upload
diff --git a/debian/patches/CVE-2023-28154.patch b/debian/patches/CVE-2023-28154.patch
new file mode 100644
index 00000000..c239d37b
--- /dev/null
+++ b/debian/patches/CVE-2023-28154.patch
@@ -0,0 +1,72 @@
+Description: avoid cross-realm object access
+Author: Jack Works <jackwo...@protonmail.com>
+Bug: https://security-tracker.debian.org/tracker/CVE-2023-28154
+Bug-Debian: https://bugs.debian.org/1032904
+Forwarded: not-needed
+Applied-Upstream: 5.76.0, commit:4b4ca3bb
+Reviewed-By: Yadd <y...@debian.org>
+Last-Update: 2023-03-14
+
+--- a/lib/Parser.js
++++ b/lib/Parser.js
+@@ -2335,11 +2335,20 @@
+ if (value && webpackCommentRegExp.test(value)) {
+ // try compile only if webpack options comment is present
+ try {
+- const val = vm.runInNewContext(`(function(){return {${value}};})()`);
+- Object.assign(options, val);
++ for (let [key, val] of Object.entries(
++ vm.runInNewContext(`(function(){return {${value}};})()`)
++ )) {
++ if (typeof val === "object" && val !== null) {
++ if (val.constructor.name === "RegExp") val = new RegExp(val);
++ else val = JSON.parse(JSON.stringify(val));
++ }
++ options[key] = val;
++ }
+ } catch (e) {
+- e.comment = comment;
+- errors.push(e);
++ const newErr = new Error(String(e.message));
++ newErr.stack = String(e.stack);
++ Object.assign(newErr, { comment });
++ errors.push(newErr);
+ }
+ }
+ }
+--- a/lib/dependencies/ImportParserPlugin.js
++++ b/lib/dependencies/ImportParserPlugin.js
+@@ -127,7 +127,7 @@
+ if (importOptions.webpackInclude !== undefined) {
+ if (
+ !importOptions.webpackInclude ||
+- importOptions.webpackInclude.constructor.name !== "RegExp"
++ !(importOptions.webpackInclude instanceof RegExp)
+ ) {
+ parser.state.module.warnings.push(
+ new UnsupportedFeatureWarning(
+@@ -137,13 +137,13 @@
+ )
+ );
+ } else {
+- include = new RegExp(importOptions.webpackInclude);
++ include = importOptions.webpackInclude;
+ }
+ }
+ if (importOptions.webpackExclude !== undefined) {
+ if (
+ !importOptions.webpackExclude ||
+- importOptions.webpackExclude.constructor.name !== "RegExp"
++ !(importOptions.webpackExclude instanceof RegExp)
+ ) {
+ parser.state.module.warnings.push(
+ new UnsupportedFeatureWarning(
+@@ -153,7 +153,7 @@
+ )
+ );
+ } else {
+- exclude = new RegExp(importOptions.webpackExclude);
++ exclude = importOptions.webpackExclude;
+ }
+ }
+ }
diff --git a/debian/patches/series b/debian/patches/series
index 9701d29d..2840a18d 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,3 +1,4 @@
 use-uglifyjs-plugin.patch
 fix-for-mkdirp.diff
 fix-for-schema-utils-3.diff
+CVE-2023-28154.patch
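Review bot: In the lib/Parser.js hunk, the new loop sanitises only values whose `typeof` is `"object"`, so a function returned by the evaluated comment is still stored in `options[key]` unchanged as an object from the other context. None of the options checked in the ImportParserPlugin.js hunks expects a function, so skipping them with `if (typeof val === "function") continue;` looks safe, though other consumers of the parsed options are not visible here and should be checked first. The new `catch` block also reads `e.message` and `e.stack` without checking `e`, so a thrown `null` or `undefined` would make the handler itself throw; `String(e && e.message)` and `String(e && e.stack)` avoid that. Node.js documents `vm` as not being a security mechanism, so a comment above the loop saying that this copy limits what leaves the evaluation, and does not make untrusted comment text safe to build, would help the next backporter. The enclosing functions begin and end outside the hunks.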