Bug#1023798: Update to fix also CVE-2022-37599

Mon, 14 Nov 2022 02:15:19 -0800 

On 14/11/2022 11:01, Yadd wrote:

Hi,

here is another update to fix CVE-2022-37599 (trivial patch).

Cheers,
Yadd


This fix also CVE-2022-37603 (duplicate of CVE-2022-37599)
diff --git a/debian/changelog b/debian/changelog
index 7d05292..aace5b2 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+node-loader-utils (2.0.0-1+deb11u1) bullseye; urgency=medium
+
+  * Team upload
+  * Fix prototype pollution (Closes: CVE-2022-37601)
+  * Fix ReDos (Closes: CVE-2022-37599, CVE-2022-37603)
+
+ -- Yadd <y...@debian.org>  Mon, 14 Nov 2022 10:58:58 +0100
+
 node-loader-utils (2.0.0-1) unstable; urgency=medium
 
   * Team upload
diff --git a/debian/patches/CVE-2022-37599.patch 
b/debian/patches/CVE-2022-37599.patch
new file mode 100644
index 0000000..d094c30
--- /dev/null
+++ b/debian/patches/CVE-2022-37599.patch
@@ -0,0 +1,19 @@
+Description: fix ReDoS
+Author: Alexander Akait <4567934+alexander-ak...@users.noreply.github.com>
+Origin: upstream, https://github.com/webpack/loader-utils/commit/ac09944d
+Bug: https://github.com/webpack/loader-utils/issues/211
+Forwarded: not-needed
+Reviewed-By: Yadd <y...@debian.org>
+Last-Update: 2022-11-14
+
+--- a/lib/interpolateName.js
++++ b/lib/interpolateName.js
+@@ -108,7 +108,7 @@
+       // `hash` and `contenthash` are same in `loader-utils` context
+       // let's keep `hash` for backward compatibility
+       .replace(
+-        
/\[(?:([^:\]]+):)?(?:hash|contenthash)(?::([a-z]+\d*))?(?::(\d+))?\]/gi,
++        
/\[(?:([^[:\]]+):)?(?:hash|contenthash)(?::([a-z]+\d*))?(?::(\d+))?\]/gi,
+         (all, hashType, digestType, maxLength) =>
+           getHashDigest(content, hashType, digestType, parseInt(maxLength, 
10))
+       )
diff --git a/debian/patches/CVE-2022-37601.patch 
b/debian/patches/CVE-2022-37601.patch
new file mode 100644
index 0000000..12eaad6
--- /dev/null
+++ b/debian/patches/CVE-2022-37601.patch
@@ -0,0 +1,18 @@
+Description: fix prototype pollution
+Author: Mike Cebrian <michael.cebr...@gmail.com>
+Origin: upstream, https://github.com/webpack/loader-utils/commit/a93cf6f4
+Forwarded: not-needed
+Reviewed-By: Yadd <y...@debian.org>
+Last-Update: 2022-11-10
+
+--- node-loader-utils-2.0.0.orig/lib/parseQuery.js
++++ node-loader-utils-2.0.0/lib/parseQuery.js
+@@ -26,7 +26,7 @@ function parseQuery(query) {
+   }
+ 
+   const queryArgs = query.split(/[,&]/g);
+-  const result = {};
++  const result = Object.create(null);
+ 
+   queryArgs.forEach((arg) => {
+     const idx = arg.indexOf('=');
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 0000000..5566245
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1,2 @@
+CVE-2022-37601.patch
+CVE-2022-37599.patch

Reply via email to