Package: release.debian.org Severity: normal Tags: bullseye User: release.debian....@packages.debian.org Usertags: pu
[ Reason ] node-log4js creates log files with overly permissive permissions (644). This causes a security issue (CVE-2022-21704) [ Impact ] Medium vulnerability [ Tests ] Tests passed [ Risks ] No risk, patch is trivial [ Checklist ] [X] *all* changes are documented in the d/changelog [X] I reviewed all changes and I approve them [X] attach debdiff against the package in (old)stable [X] the issue is verified as fixed in unstable [ Changes ] Change the default file mode from 0644 to 0600 Regards, Yadd
diff --git a/debian/changelog b/debian/changelog
index 75dbfc2..00af70f 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+node-log4js (6.3.0+~cs8.3.10-1+deb11u1) bullseye; urgency=medium
+
+ * Changed default file modes from 0o644 to 0o600 for better security
+ (Closes: CVE-2022-21704)
+
+ -- Yadd <y...@debian.org> Fri, 08 Jul 2022 07:44:46 +0200
+
 node-log4js (6.3.0+~cs8.3.10-1) unstable; urgency=medium
 
 [ Debian Janitor ]
diff --git a/debian/patches/CVE-2022-21704.patch b/debian/patches/CVE-2022-21704.patch
new file mode 100644
index 0000000..76f1757
--- /dev/null
+++ b/debian/patches/CVE-2022-21704.patch
@@ -0,0 +1,177 @@
+Description: Changed default file modes from 0o644 to 0o600 for better security
+Author: peteriman <peteri...@mail.com>
+Origin: upstream, https://patch-diff.githubusercontent.com/raw/log4js-node/log4js-node/pull/1141
+ https://patch-diff.githubusercontent.com/raw/log4js-node/streamroller/pull/87
+Bug: https://github.com/log4js-node/log4js-node/security/advisories/GHSA-82v2-mx6x-wq7q
+Forwarded: not-needed
+Reviewed-By: Yadd <y...@debian.org>
+Last-Update: 2022-07-08
+
+--- a/docs/dateFile.md
++++ b/docs/dateFile.md
+@@ -11,7 +11,7 @@
+
+ Any other configuration parameters will be passed to the underlying [streamroller](https://github.com/nomiddlename/streamroller) implementation (see also node.js core file streams):
+ * `encoding` - `string` (default "utf-8")
+-* `mode`- `integer` (default 0o644 - [node.js file modes](https://nodejs.org/dist/latest-v12.x/docs/api/fs.html#fs_file_modes))
++* `mode`- `integer` (default 0o600 - [node.js file modes](https://nodejs.org/dist/latest-v12.x/docs/api/fs.html#fs_file_modes))
+ * `flags` - `string` (default 'a')
+ * `compress` - `boolean` (default false) - compress the backup files during rolling (backup files will have `.gz` extension)
+ * `alwaysIncludePattern` - `boolean` (default false) - include the pattern in the name of the current log file as well as the backups.
+--- a/docs/file.md
++++ b/docs/file.md
+@@ -12,7 +12,7 @@
+
+ Any other configuration parameters will be passed to the underlying [streamroller](https://github.com/nomiddlename/streamroller) implementation (see also node.js core file streams):
+ * `encoding` - `string` (default "utf-8")
+-* `mode`- `integer` (default 0o644 - [node.js file modes](https://nodejs.org/dist/latest-v12.x/docs/api/fs.html#fs_file_modes))
++* `mode`- `integer` (default 0o600 - [node.js file modes](https://nodejs.org/dist/latest-v12.x/docs/api/fs.html#fs_file_modes))
+ * `flags` - `string` (default 'a')
+ * `compress` - `boolean` (default false) - compress the backup files during rolling (backup files will have `.gz` extension)
+ * `keepFileExt` - `boolean` (default false) - preserve the file extension when rotating log files (`file.log` becomes `file.1.log` instead of `file.log.1`)
+--- a/docs/fileSync.md
++++ b/docs/fileSync.md
+@@ -12,7 +12,7 @@
+
+ Any other configuration parameters will be passed to the underlying node.js core stream implementation:
+ * `encoding` - `string` (default "utf-8")
+-* `mode`- `integer` (default 0644)
++* `mode`- `integer` (default 0600)
+ * `flags` - `string` (default 'a')
+
+ ## Example
+--- a/lib/appenders/dateFile.js
++++ b/lib/appenders/dateFile.js
+@@ -49,7 +49,6 @@
+
+ function configure(config, layouts) {
+ let layout = layouts.basicLayout;
+-
+ if (config.layout) {
+ layout = layouts.layout(config.layout.type, config.layout);
+ }
+@@ -58,6 +57,9 @@
+ config.alwaysIncludePattern = false;
+ }
+
++ // security default (instead of relying on streamroller default)
++ config.mode = config.mode || 0o600;
++
+ return appender(
+ config.filename,
+ config.pattern,
+--- a/lib/appenders/file.js
++++ b/lib/appenders/file.js
+@@ -94,6 +94,9 @@
+ layout = layouts.layout(config.layout.type, config.layout);
+ }
+
++ // security default (instead of relying on streamroller default)
++ config.mode = config.mode || 0o600;
++
+ return fileAppender(
+ config.filename,
+ layout,
+--- a/lib/appenders/fileSync.js
++++ b/lib/appenders/fileSync.js
+@@ -192,7 +192,7 @@
+ const options = {
+ flags: config.flags || 'a',
+ encoding: config.encoding || 'utf8',
+- mode: config.mode || 0o644
++ mode: config.mode || 0o600
+ };
+
+ return fileAppender(
+--- a/streamroller/README.md
++++ b/streamroller/README.md
+@@ -20,7 +20,7 @@
+ * `numBackups` - the number of old files to keep
+ * `options` - Object
+ * `encoding` - defaults to 'utf8'
+- * `mode` - defaults to 0644
++ * `mode` - defaults to 0600
+ * `flags` - defaults to 'a' (see [fs.open](https://nodejs.org/dist/latest-v8.x/docs/api/fs.html#fs_fs_open_path_flags_mode_callback) for more details)
+ * `compress` - (boolean) defaults to `false` - compress the backup files using gzip (files will have `.gz` extension).
+ * `keepFileExt` - (boolean) defaults to `false` - keep the file original extension. e.g.: `abc.log -> abc.1.log`.
+@@ -46,7 +46,7 @@
+ * `pattern` (String) - the date pattern to trigger rolling (see below)
+ * `options` - Object
+ * `encoding` - defaults to 'utf8'
+- * `mode` defaults to 0644
++ * `mode` defaults to 0600
+ * `flags` defaults to 'a' (see [fs.open](https://nodejs.org/dist/latest-v8.x/docs/api/fs.html#fs_fs_open_path_flags_mode_callback) for more details)
+ * `compress` - (boolean) compress the backup files, defaults to false
+ * `keepFileExt` - (boolean) defaults to `false` - keep the file original extension. e.g.: `abc.log -> abc.2013-08-30.log`.
+--- a/streamroller/lib/RollingFileWriteStream.js
++++ b/streamroller/lib/RollingFileWriteStream.js
+@@ -21,7 +21,7 @@
+ * @param {number} options.numToKeep - The max numbers of files to keep.
+ * @param {number} options.maxSize - The maxSize one file can reach. Unit is Byte.
+ * This should be more than 1024. The default is Number.MAX_SAFE_INTEGER.
+- * @param {string} options.mode - The mode of the files. The default is '0644'. Refer to stream.writable for more.
++ * @param {string} options.mode - The mode of the files. The default is '0600'. Refer to stream.writable for more.
+ * @param {string} options.flags - The default is 'a'. Refer to stream.flags for more.
+ * @param {boolean} options.compress - Whether to compress backup files.
+ * @param {boolean} options.keepFileExt - Whether to keep the file extension.
+@@ -92,7 +92,7 @@
+ maxSize: Number.MAX_SAFE_INTEGER,
+ numToKeep: Number.MAX_SAFE_INTEGER,
+ encoding: "utf8",
+- mode: parseInt("0644", 8),
++ mode: parseInt("0600", 8),
+ flags: "a",
+ compress: false,
+ keepFileExt: false,
+--- a/streamroller/test/DateRollingFileStream-test.js
++++ b/streamroller/test/DateRollingFileStream-test.js
+@@ -48,7 +48,7 @@
+ });
+
+ it("with default settings for the underlying stream", function() {
+- stream.currentFileStream.mode.should.eql(420);
++ stream.currentFileStream.mode.should.eql(0o600);
+ stream.currentFileStream.flags.should.eql("a");
+ });
+ });
+--- a/streamroller/test/RollingFileStream-test.js
++++ b/streamroller/test/RollingFileStream-test.js
+@@ -65,7 +65,7 @@
+ });
+
+ it("should apply default settings to the underlying stream", function() {
+- stream.theStream.mode.should.eql(420);
++ stream.theStream.mode.should.eql(0o600);
+ stream.theStream.flags.should.eql("a");
+ });
+ });
+--- a/streamroller/test/RollingFileWriteStream-test.js
++++ b/streamroller/test/RollingFileWriteStream-test.js
+@@ -99,14 +99,14 @@
+ it("should take a filename and options, return Writable", () => {
+ s.should.be.an.instanceOf(stream.Writable);
+ s.currentFileStream.path.should.eql(fileObj.path);
+- s.currentFileStream.mode.should.eql(420);
++ s.currentFileStream.mode.should.eql(0o600);
+ s.currentFileStream.flags.should.eql("a");
+ });
+
+ it("should apply default options", () => {
+ s.options.maxSize.should.eql(Number.MAX_SAFE_INTEGER);
+ s.options.encoding.should.eql("utf8");
+- s.options.mode.should.eql(420);
++ s.options.mode.should.eql(0o600);
+ s.options.flags.should.eql("a");
+ s.options.compress.should.eql(false);
+ s.options.keepFileExt.should.eql(false);
+--- a/types/log4js.d.ts
++++ b/types/log4js.d.ts
+@@ -174,7 +174,7 @@
+ pattern?: string;
+ // default “utf-8”
+ encoding?: string;
+- // default 0644
++ // default 0600
+ mode?: number;
+ // default ‘a’
+ flags?: string;
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 0000000..9649c1e
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1 @@
+CVE-2022-21704.patch
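Review bot: The tightened default is applied by `fs.open` only when a log file is created, so log files already on disk with 0644 from earlier versions keep their permissions after this upgrade, and neither the patch header nor the changelog entry says so; a changelog line such as `Existing log files keep their previous mode; tighten them to 0600 by hand if required` would make the operational impact clear to administrators. The effective mode is also still reduced by the process umask, so 0600 is the most permissive result, not a fixed one. In the `lib/appenders/dateFile.js` and `lib/appenders/file.js` hunks, `config.mode = config.mode || 0o600;` treats an explicitly configured `mode: 0` as unset, which differs from the `undefined` check the comment implies; it is unlikely to matter in practice but is worth a note in the patch. Whether compressed `.gz` backups written by streamroller during rolling are created with the same mode is not visible in this hunk and should be confirmed before calling the advisory fully addressed. The first `dateFile.js` hunk (`@@ -49,7 +49,6 @@`) only drops a blank line and is unrelated whitespace churn in a security patch.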