Re: Bug#1053880: node-babel7: CVE-2023-45133
- To: debian-lts@lists.debian.org
- Subject: Re: Bug#1053880: node-babel7: CVE-2023-45133
- From: Yadd <yadd@debian.org>
- Date: Fri, 13 Oct 2023 20:59:14 +0400
- Message-id: <[🔎] 4156f677-8de6-40d4-90fb-4a624e613d82@debian.org>
- In-reply-to: <04f14da6-28b0-4e8b-92db-cb349d716816@debian.org>
- References: <ZSlFGpXJBtXcGtFp@pisco.westfalen.local> <7f3e70ef-2566-4469-9273-f30e11d51a62@debian.org> <7a638f47-969a-4928-a532-5e8cf0cc5ca6@debian.org> <04f14da6-28b0-4e8b-92db-cb349d716816@debian.org>
and Buster ;-)
On 10/13/23 18:30, Yadd wrote:
Now both bookworm and bullseye
On 10/13/23 18:05, Yadd wrote:
With the good dist, sorry
On 10/13/23 18:04, Yadd wrote:
Hi,
patch applied successfully, ready to upload.
On 10/13/23 17:24, Moritz Mühlenhoff wrote:
Source: node-babel7
X-Debbugs-CC: team@security.debian.org
Severity: grave
Tags: security
Hi,
The following vulnerability was published for node-babel7.
CVE-2023-45133[0]:
| Babel is a compiler for writingJavaScript. In `@babel/traverse`
| prior to versions 7.23.2 and 8.0.0-alpha.4 and all versions of
| `babel-traverse`, using Babel to compile code that was specifically
| crafted by an attacker can lead to arbitrary code execution during
| compilation, when using plugins that rely on the `path.evaluate()`or
| `path.evaluateTruthy()` internal Babel methods. Known affected
| plugins are `@babel/plugin-transform-runtime`; `@babel/preset-env`
| when using its `useBuiltIns` option; and any "polyfill provider"
| plugin that depends on `@babel/helper-define-polyfill-provider`,
| such as `babel-plugin-polyfill-corejs3`, `babel-plugin-polyfill-
| corejs2`, `babel-plugin-polyfill-es-shims`, `babel-plugin-polyfill-
| regenerator`. No other plugins under the `@babel/` namespace are
| impacted, but third-party plugins might be. Users that only compile
| trusted code are not impacted. The vulnerability has been fixed in
| `@babel/traverse@7.23.2` and `@babel/traverse@8.0.0-alpha.4`. Those
| who cannot upgrade `@babel/traverse` and are using one of the
| affected packages mentioned above should upgrade them to their
| latest version to avoid triggering the vulnerable code path in
| affected `@babel/traverse` versions: `@babel/plugin-transform-
| runtime` v7.23.2, `@babel/preset-env` v7.23.2, `@babel/helper-
| define-polyfill-provider` v0.4.3, `babel-plugin-polyfill-corejs2`
| v0.4.6, `babel-plugin-polyfill-corejs3` v0.8.5, `babel-plugin-
| polyfill-es-shims` v0.10.0, `babel-plugin-polyfill-regenerator`
| v0.5.3.
https://github.com/babel/babel/security/advisories/GHSA-67hx-6x53-jw92
https://github.com/babel/babel/pull/16033
https://github.com/babel/babel/commit/b13376b346946e3f62fc0848c1d2a23223314c82
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2023-45133
https://www.cve.org/CVERecord?id=CVE-2023-45133
Please adjust the affected versions in the BTS as needed.
diff --git a/.gitattributes b/.gitattributes
deleted file mode 100644
index fcadb2cf9..000000000
--- a/.gitattributes
+++ /dev/null
@@ -1 +0,0 @@
-* text eol=lf
diff --git a/debian/changelog b/debian/changelog
index f2af34241..cea363df0 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+node-babel (6.26.0+dfsg-3+deb10u1) buster-security; urgency=medium
+
+ * Team upload
+ * Only evaluate own String/Number/Math methods
+ (Closes: #1053880, CVE-2023-45133)
+
+ -- Yadd <yadd@debian.org> Fri, 13 Oct 2023 20:56:38 +0400
+
node-babel (6.26.0+dfsg-3) unstable; urgency=medium
* Add new binary node-babel-plugin-transform-proto-to-assign
diff --git a/debian/patches/CVE-2023-45133.patch b/debian/patches/CVE-2023-45133.patch
new file mode 100644
index 000000000..5753bade7
--- /dev/null
+++ b/debian/patches/CVE-2023-45133.patch
@@ -0,0 +1,24 @@
+Description: Only evaluate own String/Number/Math methods
+Author: Nicolò Ribaudo <https://github.com/nicolo-ribaudo>
+Origin: upstream, commit:b13376b
+Bug: https://github.com/babel/babel/pull/16033
+Bug-Debian: https://bugs.debian.org/1053880
+Forwarded: not-needed
+Applied-Upstream: 7.23.2, commit:b13376b
+Reviewed-By: Yadd <yadd@debian.org>
+Last-Update: 2023-10-13
+
+--- a/packages/babel-traverse/src/path/evaluation.js
++++ b/packages/babel-traverse/src/path/evaluation.js
+@@ -348,7 +348,10 @@
+ INVALID_METHODS.indexOf(property.node.name) < 0
+ ) {
+ context = global[object.node.name];
+- func = context[property.node.name];
++ const key = property.node.name;
++ if (Object.hasOwnProperty.call(context, key)) {
++ func = context[key];
++ }
+ }
+
+ // "abc".charCodeAt(4)
diff --git a/debian/patches/series b/debian/patches/series
index 9715ace51..849a8af4c 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -5,3 +5,4 @@ use-system-gulp.patch
remove-home-or-tmp.patch
skip-lerna.patch
install-specific-modules-only.patch
+CVE-2023-45133.patch
Reply to: