Your message dated Sat, 09 Jul 2022 11:47:43 +0100
with message-id
<2280fe8c78e64b02a6c1d04c6dde5a32e342ba81.ca...@adam-barratt.org.uk>
and subject line Closing requests for updates included in 11.4
has caused the Debian Bug report #1014054,
regarding bullseye-pu: package node-got/11.8.1+~cs53.13.17-3+deb11u1
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
1014054: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1014054
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian....@packages.debian.org
Usertags: pu
[ Reason ]
node-got allows redirection to unix sockets (#1013264, CVE-2022-33987)
[ Impact ]
Medium vulnerability: a remote host can redirect a node-got request to a
Unix socket
[ Tests ]
Sadly test aren't enabled: ava was introduced earlier in Debian
[ Risks ]
Low risk:
* patch is trivial
* package is built from TypeScript, then tsc compiler checks for
a lot of errors
[ Checklist ]
[X] *all* changes are documented in the d/changelog
[X] I reviewed all changes and I approve them
[X] attach debdiff against the package in (old)stable
[X] the issue is verified as fixed in unstable
[ Changes ]
Just reject URL starting with "unix:" if original request wasn't a
"unix:" request.
Note that I had to add a typescript change: one ignored error is no more
an error.
Regards,
Yadd
diff --git a/debian/changelog b/debian/changelog
index 9cda1ef..a4bd358 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+node-got (11.8.1+~cs53.13.17-3+deb11u1) bullseye; urgency=medium
+
+ * Team upload
+ * Don't allow redirection to Unix socket (Closes: #1013264, CVE-2022-33987)
+
+ -- Yadd <y...@debian.org> Wed, 29 Jun 2022 16:30:16 +0200
+
node-got (11.8.1+~cs53.13.17-3) unstable; urgency=medium
* Team upload
diff --git a/debian/patches/CVE-2022-33987.patch
b/debian/patches/CVE-2022-33987.patch
new file mode 100644
index 0000000..79c012f
--- /dev/null
+++ b/debian/patches/CVE-2022-33987.patch
@@ -0,0 +1,100 @@
+Description: Don't allow redirect to Unix socket
+Author: Sindre Sorhus <sindresor...@gmail.com>
+Origin: upstream, https://github.com/sindresorhus/got/commit/bce8ce7d
+Bug: https://github.com/sindresorhus/got/pull/2047
+Bug-Debian: https://bugs.debian.org/1013264
+Forwarded: not-needed
+Reviewed-By: Yadd <y...@debian.org>
+Last-Update: 2022-06-29
+
+--- a/source/core/index.ts
++++ b/source/core/index.ts
+@@ -2102,6 +2102,16 @@
+ const redirectString = redirectUrl.toString();
+ decodeURI(redirectString);
+
++ // eslint-disable-next-line
no-inner-declarations
++ function isUnixSocketURL(url: URL) {
++ return url.protocol === 'unix:' ||
url.hostname === 'unix';
++ }
++
++ if (!isUnixSocketURL(url) &&
isUnixSocketURL(redirectUrl)) {
++ this._beforeError(new
RequestError('Cannot redirect to UNIX socket', {}, this));
++ return;
++ }
++
+ // Redirecting to a different site, clear
sensitive data.
+ if (redirectUrl.hostname !== url.hostname ||
redirectUrl.port !== url.port) {
+ if ('host' in options.headers) {
+--- a/test/redirects.ts
++++ b/test/redirects.ts
+@@ -1,7 +1,7 @@
+ import test from 'ava';
+ import {Handler} from 'express';
+ import nock = require('nock');
+-import got, {MaxRedirectsError} from '../source';
++import got, {MaxRedirectsError, RequestError} from '../source';
+ import withServer, {withHttpsServer} from './helpers/with-server';
+
+ const reachedHandler: Handler = (_request, response) => {
+@@ -509,3 +509,32 @@
+ t.is(response.body, 'SERVER2');
+ });
+ });
++
++const unixProtocol: Handler = (_request, response) => {
++ response.writeHead(302, {
++ location: 'unix:/var/run/docker.sock:/containers/json'
++ });
++ response.end();
++};
++
++const unixHostname: Handler = (_request, response) => {
++ response.writeHead(302, {
++ location: 'http://unix:/var/run/docker.sock:/containers/json'
++ });
++ response.end();
++};
++
++test('cannot redirect to unix protocol', withServer, async (t, server, got)
=> {
++ server.get('/protocol', unixProtocol);
++ server.get('/hostname', unixHostname);
++
++ await t.throwsAsync(got('protocol'), {
++ message: 'Cannot redirect to UNIX socket',
++ instanceOf: RequestError
++ });
++
++ await t.throwsAsync(got('hostname'), {
++ message: 'Cannot redirect to UNIX socket',
++ instanceOf: RequestError
++ });
++});
+--- a/test/unix-socket.ts
++++ b/test/unix-socket.ts
+@@ -8,6 +8,13 @@
+ response.end('ok');
+ };
+
++const redirectHandler: Handler = (_request, response) => {
++ response.writeHead(302, {
++ location: 'foo'
++ });
++ response.end();
++};
++
+ if (process.platform !== 'win32') {
+ test('works', withSocketServer, async (t, server) => {
+ server.on('/', okHandler);
+@@ -53,3 +60,11 @@
+ t.is((await got(url)).body, 'ok');
+ });
+ }
++
++test('redirects work', withSocketServer, async (t, server) => {
++ server.on('/', redirectHandler);
++ server.on('/foo', okHandler);
++
++ const url = format('http://unix:%s:%s', server.socketPath, '/');
++ t.is((await got(url)).body, 'ok');
++});
diff --git a/debian/patches/fix-typescript.patch
b/debian/patches/fix-typescript.patch
new file mode 100644
index 0000000..02c2e82
--- /dev/null
+++ b/debian/patches/fix-typescript.patch
@@ -0,0 +1,16 @@
+Description: fix typescript
+Author: Yadd <y...@debian.org>
+Forwarded: not-needed
+Last-Update: 2022-06-29
+
+--- a/source/utils/deprecation-warning.ts
++++ b/source/utils/deprecation-warning.ts
+@@ -7,7 +7,7 @@
+
+ alreadyWarned.add(message);
+
+- // @ts-expect-error Missing types.
++ // @ts-ignore
+ process.emitWarning(`Got: ${message}`, {
+ type: 'DeprecationWarning'
+ });
diff --git a/debian/patches/series b/debian/patches/series
index 2299ad7..52e5121 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,3 +1,5 @@
build-source-only.diff
fix-package-json-paths.diff
CVE-2021-33502.patch
+CVE-2022-33987.patch
+fix-typescript.patch
--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 11.4
(re-sending with fixed bug numbers)
Hi,
The updates discussed in these bugs were included in today's bullseye
point release.
Regards,
Adam
--- End Message ---