Bug#1014571: bullseye-pu: package node-log4js/6.3.0+~cs8.3.10-1+deb11u1

2022-07-07 Thread Yadd
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu

[ Reason ]
node-log4js creates log files with permissive rights (644). This causes
a security issue (CVE-2022-21704).

[ Impact ]
Medium vulnerability

[ Tests ]
Test passed

[ Risks ]
No risk, patch is trivial

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

[ Changes ]
Replace default mode from 0644 to 0600

Regards,
Yadd
diff --git a/debian/changelog b/debian/changelog
index 75dbfc2..00af70f 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+node-log4js (6.3.0+~cs8.3.10-1+deb11u1) bullseye; urgency=medium
+
+  * Changed default file modes from 0o644 to 0o600 for better security
+(Closes: CVE-2022-21704)
+
+ -- Yadd   Fri, 08 Jul 2022 07:44:46 +0200
+
 node-log4js (6.3.0+~cs8.3.10-1) unstable; urgency=medium
 
   [ Debian Janitor ]
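Review bot: `(Closes: CVE-2022-21704)` in the new changelog entry closes nothing, because dpkg only recognises `Closes: #NNNNNN` bug numbers; cite the CVE as plain text instead, e.g. `* Changed default file modes from 0o644 to 0o600 for better security (CVE-2022-21704)`, and if a Debian bug tracks this issue put its number in a real `Closes: #...`.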
diff --git a/debian/patches/CVE-2022-21704.patch 
b/debian/patches/CVE-2022-21704.patch
new file mode 100644
index 000..76f1757
--- /dev/null
+++ b/debian/patches/CVE-2022-21704.patch
@@ -0,0 +1,177 @@
+Description: Changed default file modes from 0o644 to 0o600 for better security
+Author: peteriman 
+Origin: upstream, 
https://patch-diff.githubusercontent.com/raw/log4js-node/log4js-node/pull/1141
+ https://patch-diff.githubusercontent.com/raw/log4js-node/streamroller/pull/87
+Bug: 
https://github.com/log4js-node/log4js-node/security/advisories/GHSA-82v2-mx6x-wq7q
+Forwarded: not-needed
+Reviewed-By: Yadd 
+Last-Update: 2022-07-08
+
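Review bot: The `Origin:` field rolls two upstream pull requests (log4js-node #1141 and streamroller #87) covering two separate source trees into one debian/patches file; for a stable update the change is easier to audit if each upstream PR is its own patch file, or at least if the DEP-3 header names the upstream releases that contain them. `Forwarded: not-needed` is correct for an upstream-originated change.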
+--- a/docs/dateFile.md
 b/docs/dateFile.md
+@@ -11,7 +11,7 @@
+ 
+ Any other configuration parameters will be passed to the underlying 
[streamroller](https://github.com/nomiddlename/streamroller) implementation 
(see also node.js core file streams):
+ * `encoding` - `string` (default "utf-8")
+-* `mode`- `integer` (default 0o644 - [node.js file 
modes](https://nodejs.org/dist/latest-v12.x/docs/api/fs.html#fs_file_modes))
++* `mode`- `integer` (default 0o600 - [node.js file 
modes](https://nodejs.org/dist/latest-v12.x/docs/api/fs.html#fs_file_modes))
+ * `flags` - `string` (default 'a')
+ * `compress` - `boolean` (default false) - compress the backup files during 
rolling (backup files will have `.gz` extension)
+ * `alwaysIncludePattern` - `boolean` (default false) - include the pattern in 
the name of the current log file as well as the backups.
+--- a/docs/file.md
 b/docs/file.md
+@@ -12,7 +12,7 @@
+ 
+ Any other configuration parameters will be passed to the underlying 
[streamroller](https://github.com/nomiddlename/streamroller) implementation 
(see also node.js core file streams):
+ * `encoding` - `string` (default "utf-8")
+-* `mode`- `integer` (default 0o644 - [node.js file 
modes](https://nodejs.org/dist/latest-v12.x/docs/api/fs.html#fs_file_modes))
++* `mode`- `integer` (default 0o600 - [node.js file 
modes](https://nodejs.org/dist/latest-v12.x/docs/api/fs.html#fs_file_modes))
+ * `flags` - `string` (default 'a')
+ * `compress` - `boolean` (default false) - compress the backup files during 
rolling (backup files will have `.gz` extension)
+ * `keepFileExt` - `boolean` (default false) - preserve the file extension 
when rotating log files (`file.log` becomes `file.1.log` instead of 
`file.log.1`)
+--- a/docs/fileSync.md
 b/docs/fileSync.md
+@@ -12,7 +12,7 @@
+ 
+ Any other configuration parameters will be passed to the underlying node.js 
core stream implementation:
+ * `encoding` - `string` (default "utf-8")
+-* `mode`- `integer` (default 0644)
++* `mode`- `integer` (default 0600)
+ * `flags` - `string` (default 'a')
+ 
+ ## Example
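Review bot: Style: docs/fileSync.md now documents the default as `0600` while docs/file.md and docs/dateFile.md use `0o600`; use the `0o600` spelling here too, since a legacy `0600` literal is a syntax error in strict-mode JavaScript if a reader pastes it into a config.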
+--- a/lib/appenders/dateFile.js
 b/lib/appenders/dateFile.js
+@@ -49,7 +49,6 @@
+ 
+ function configure(config, layouts) {
+   let layout = layouts.basicLayout;
+-
+   if (config.layout) {
+ layout = layouts.layout(config.layout.type, config.layout);
+   }
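Review bot: The first hunk in lib/appenders/dateFile.js only deletes the blank line after `let layout = layouts.basicLayout;`; that is unrelated whitespace churn and should be dropped so the stable-update debdiff contains nothing but the security change.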
+@@ -58,6 +57,9 @@
+ config.alwaysIncludePattern = false;
+   }
+ 
++  // security default (instead of relying on streamroller default)
++  config.mode = config.mode || 0o600;
++
+   return appender(
+ config.filename,
+ config.pattern,
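Review bot: `config.mode = config.mode || 0o600;` treats any falsy `mode` as unset, so an explicit `mode: 0` is silently replaced; `if (config.mode === undefined) config.mode = 0o600;` expresses the intent without that edge case (the docs link to the v12 node.js API, where `??` is not available). More important for anyone taking this update: the mode is handed to the underlying stream when the file is opened, so it only takes effect for log files created after the upgrade and is still subject to the process umask; logs already on disk at 0644 stay 0644 until chmodded by hand, which the changelog or a NEWS entry should tell administrators.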
+--- a/lib/appenders/file.js
 b/lib/appenders/file.js
+@@ -94,6 +94,9 @@
+ layout = layouts.layout(config.layout.type, config.layout);
+   }
+ 
++  // security default (instead of relying on streamroller default)
++  config.mode = config.mode || 0o600;
++
+   return fileAppender(
+ config.filename,
+ layout,
+--- a/lib/appenders/fileSync.js
 b/lib/appenders/fileSync.js
+@@ -192,7 +192,7 @@
+   const options = {
+ flags: config.flags || 'a',
+ encoding: config.encoding || 'utf8',
+-mode: config.mode || 0o644
++mode: config.mode || 0o600
+   };
+ 
+   return fileAppender(
+--- a/streamroller/README.md
 b/streamroller/README.md
+@@ -20,7 +20
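Review bot: The debdiff is cut off at the streamroller/README.md hunk header, so the streamroller half of the fix cannot be reviewed from this message. Since the package bundles streamroller as a component (the `+~cs` version suffix) and the new comments in file.js and dateFile.js say these defaults exist "instead of relying on streamroller default", confirm that the code change from the upstream streamroller PR (not only its README) is in the final patch; otherwise anything that constructs a streamroller stream directly still gets the old 0o644 default documented in the `-` lines above.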

Bug#1014571: bullseye-pu: package node-log4js/6.3.0+~cs8.3.10-1+deb11u1

2022-08-06 Thread Adam D. Barratt
Control: tags -1 + confirmed

On Fri, 2022-07-08 at 07:49 +0200, Yadd wrote:
> node-log4js creates log files with permissive rights (644). This causes
> a security issue (CVE-2022-21704)
> 

Please go ahead.

Regards,

Adam

Processed: Re: Bug#1014571: bullseye-pu: package node-log4js/6.3.0+~cs8.3.10-1+deb11u1

2022-08-06 Thread Debian Bug Tracking System
Processing control commands:

> tags -1 + confirmed
Bug #1014571 [release.debian.org] bullseye-pu: package node-log4js/6.3.0+~cs8.3.10-1+deb11u1
Added tag(s) confirmed.

-- 
1014571: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1014571
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems