Le 30/03/2021 à 21:40, Salvatore Bonaccorso a écrit : > Source: underscore > Version: 1.9.1~dfsg-1 > Severity: grave > Tags: security upstream > Justification: user security hole > X-Debbugs-Cc: car...@debian.org, Debian Security Team > <t...@security.debian.org>,y...@debian.org > > Hi, > > The following vulnerability was published for underscore. > > CVE-2021-23358[0]: > | The package underscore from 1.13.0-0 and before 1.13.0-2, from 1.3.2 > | and before 1.12.1 are vulnerable to Arbitrary Code Execution via the > | template function, particularly when a variable property is passed as > | an argument as it is not sanitized. > > [1] provides a POC to verify the issue. > > > If you fix the vulnerability please also make sure to include the > CVE (Common Vulnerabilities & Exposures) id in your changelog entry. > > For further information see: > > [0] https://security-tracker.debian.org/tracker/CVE-2021-23358 > https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23358 > [1] https://snyk.io/vuln/SNYK-JS-UNDERSCORE-1080984 > > Regards, > Salvatore
Hi, here is a debdiff for buster including: * backport of upstream patch * autopkgtest file (tested) Cheers, Yadd
diff --git a/debian/changelog b/debian/changelog
index 02cd807..eb9fd68 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+underscore (1.9.1~dfsg-1+deb10u1) buster-security; urgency=high
+
+ * Team upload
+ * Fix arbitrary code execution (Closes: #986171)
+
+ -- Yadd <y...@debian.org> Tue, 30 Mar 2021 22:54:09 +0200
+
 underscore (1.9.1~dfsg-1) unstable; urgency=medium
 
  [ upstream ]
diff --git a/debian/patches/CVE-2021-23358.patch b/debian/patches/CVE-2021-23358.patch
new file mode 100644
index 0000000..2ba4118
--- /dev/null
+++ b/debian/patches/CVE-2021-23358.patch
@@ -0,0 +1,62 @@
+Description: fix arbitrary code execution
+Author: Julian Gonggrijp <d...@juliangonggrijp.com>
+Origin: upstream, https://github.com/jashkenas/underscore/commit/4c73526d
+Bug: https://snyk.io/vuln/SNYK-JS-UNDERSCORE-1080984
+Bug-Debian: https://bugs.debian.org/986171
+Forwarded: not-needed
+Reviewed-By: Xavier Guimard <y...@debian.org>
+Last-Update: 2021-03-30
+
+--- a/underscore.js
++++ b/underscore.js
+@@ -1550,6 +1550,13 @@
+ return '\\' + escapes[match];
+ };
+
++ // In order to prevent third-party code injection through
++ // `_.templateSettings.variable`, we test it against the following regular
++ // expression. It is intentionally a bit more liberal than just matching valid
++ // identifiers, but still prevents possible loopholes through defaults or
++ // destructuring assignment.
++ var bareIdentifier = /^\s*(\w|\$)+\s*$/;
++
+ // JavaScript micro-templating, similar to John Resig's implementation.
+ // Underscore templating handles arbitrary delimiters, preserves whitespace,
+ // and correctly escapes quotes within interpolated code.
+@@ -1585,8 +1592,17 @@
+ });
+ source += "';\n";
+
+- // If a variable is not specified, place data values in local scope.
+- if (!settings.variable) source = 'with(obj||{}){\n' + source + '}\n';
++ var argument = settings.variable;
++ if (argument) {
++ // Insure against third-party code injection.
++ if (!bareIdentifier.test(argument)) throw new Error(
++ 'variable is not a bare identifier: ' + argument
++ );
++ } else {
++ // If a variable is not specified, place data values in local scope.
++ source = 'with(obj||{}){\n' + source + '}\n';
++ argument = 'obj';
++ }
+
+ source = "var __t,__p='',__j=Array.prototype.join," +
+ "print=function(){__p+=__j.call(arguments,'');};\n" +
+@@ -1594,7 +1610,7 @@
+
+ var render;
+ try {
+- render = new Function(settings.variable || 'obj', '_', source);
++ render = new Function(argument, '_', source);
+ } catch (e) {
+ e.source = source;
+ throw e;
+@@ -1605,7 +1621,6 @@
+ };
+
+ // Provide the compiled source as a convenience for precompilation.
+- var argument = settings.variable || 'obj';
+ template.source = 'function(' + argument + '){\n' + source + '}';
+
+ return template;
diff --git a/debian/patches/series b/debian/patches/series
index da362d2..7ddac86 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1 +1,2 @@
 2001_docs_privacy.patch
+CVE-2021-23358.patch
diff --git a/debian/tests/CVE-2021-23358 b/debian/tests/CVE-2021-23358
new file mode 100755
index 0000000..a2ae590
--- /dev/null
+++ b/debian/tests/CVE-2021-23358
@@ -0,0 +1,11 @@
+#!/bin/sh
+
+if node debian/tests/CVE-2021-23358.js 2>/dev/null; then
+ rm -f HELLO
+ echo 'Vulnerable to CVE-2021-23358' >&2
+ exit 1
+else
+ echo
+ echo 'Not vulnerable to CVE-2021-23358'
+ exit 0
+fi
diff --git a/debian/tests/CVE-2021-23358.js b/debian/tests/CVE-2021-23358.js
new file mode 100644
index 0000000..fad7c77
--- /dev/null
+++ b/debian/tests/CVE-2021-23358.js
@@ -0,0 +1,3 @@
+const _ = require('underscore');
+_.templateSettings.variable = "a = this.process.mainModule.require('child_process').execSync('touch HELLO')";
+const t = _.template("")();
diff --git a/debian/tests/control b/debian/tests/control
index 7275831..868aa31 100644
--- a/debian/tests/control
+++ b/debian/tests/control
@@ -1 +1,7 @@
 Test-Command: node -e "require('underscore');"
+Depends: @
+Restrictions: superficial
+
+Tests: CVE-2021-23358
+Depends: @
+Restrictions: superficial
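Review bot: In the debian/tests/CVE-2021-23358 hunk, the `else` branch accepts any non-zero exit from node as proof that the package is fixed, and `2>/dev/null` discards the reason, so a missing `underscore` module, an unavailable interpreter or a typo in the PoC script would all print 'Not vulnerable to CVE-2021-23358' and let the test pass. The rejection the patch introduces has a distinctive message, `variable is not a bare identifier`, visible in the patch hunk above, so the test can require that message and treat every other failure as inconclusive rather than as success. Capturing stderr to a file and matching on it does that; the rewritten check follows.
```shell
#!/bin/sh
errlog="${AUTOPKGTEST_TMP:-/tmp}/CVE-2021-23358.stderr"
if node debian/tests/CVE-2021-23358.js 2>"$errlog"; then
  rm -f HELLO
  echo 'Vulnerable to CVE-2021-23358' >&2
  exit 1
elif grep -q 'variable is not a bare identifier' "$errlog"; then
  echo 'Not vulnerable to CVE-2021-23358'
  exit 0
else
  cat "$errlog" >&2
  echo 'PoC did not run as expected; result is inconclusive' >&2
  exit 1
fi
```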