node-webpack: CVE-2023-28154


Debian Bug report logs - #1032904


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Mon, 13 Mar 2023 19:27:02 UTC

Severity: important

Tags: security, upstream

Found in version node-webpack/5.75.0+dfsg+~cs17.16.14-1

Fixed in version node-webpack/5.76.1+dfsg1+~cs17.16.16-1

Done: Yadd <yadd@debian.org>

Forwarded to https://github.com/webpack/webpack/pull/16500



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>:
Bug#1032904; Package src:node-webpack. (Mon, 13 Mar 2023 19:27:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>. (Mon, 13 Mar 2023 19:27:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: node-webpack: CVE-2023-28154
Date: Mon, 13 Mar 2023 20:22:36 +0100
Source: node-webpack
Version: 5.75.0+dfsg+~cs17.16.14-1
Severity: important
Tags: security upstream
Forwarded: https://github.com/webpack/webpack/pull/16500
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>

Hi,

The following vulnerability was published for node-webpack.

CVE-2023-28154[0]:
| Webpack 5 before 5.76.0 does not avoid cross-realm object access.
| ImportParserPlugin.js mishandles the magic comment feature. An
| attacker who controls a property of an untrusted object can obtain
| access to the real global object.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-28154
    https://www.cve.org/CVERecord?id=CVE-2023-28154
[1] https://github.com/webpack/webpack/pull/16500

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
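As an added example (not part of the bug report or of webpack's own code), a package-lock.json check that flags every webpack copy still in the range the CVE text names (5.x before 5.76.0), including copies nested under another dependency that a top-level upgrade would not touch; the lock file contents are constructed sample data.

```javascript
// Added example (not from the bug report or the webpack project): scan an npm
// package-lock.json (lockfileVersion 2/3) for webpack copies in the range
// affected by CVE-2023-28154, i.e. webpack 5.x before 5.76.0.
const FIXED = [5, 76, 0]; // first fixed upstream release named in the CVE text
// Parse "5.75.0" or "5.76.0-beta.0" into numeric parts plus an optional
// prerelease tag; returns null for anything that is not a plain semver string.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/.exec(v);
  if (!m) return null;
  return { nums: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] || null };
}

// True when the version is a 5.x release older than 5.76.0. The 4.x line is
// not named by this CVE, so it is deliberately not flagged here.
function isAffected(version) {
  const p = parseVersion(version);
  if (!p || p.nums[0] !== 5) return false;
  for (let i = 0; i < 3; i++) {
    if (p.nums[i] < FIXED[i]) return true;
    if (p.nums[i] > FIXED[i]) return false;
  }
  // Exactly 5.76.0: a prerelease (5.76.0-beta.0) sorts before the release, so it predates the fix
  return p.pre !== null;
}

// Walk the "packages" map; keys look like "node_modules/webpack" or, for a
// copy nested under another dependency, "node_modules/x/node_modules/webpack".
function findAffectedWebpack(lock) {
  const hits = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (!/(^|\/)node_modules\/webpack$/.test(path)) continue;
    if (entry.version && isAffected(entry.version)) {
      hits.push({ path, version: entry.version });
    }
  }
  return hits;
}
// Constructed sample lock file: the top-level webpack is already on 5.76.1,
// but a copy nested under a plugin is still on the vulnerable 5.75.0.
const sampleLock = {
  packages: {
    "": { name: "app", version: "1.0.0" },
    "node_modules/webpack": { version: "5.76.1" },
    "node_modules/webpack-cli": { version: "5.0.1" },
    "node_modules/some-plugin/node_modules/webpack": { version: "5.75.0" },
  },
};
const findings = findAffectedWebpack(sampleLock);
console.log(findings); // one hit: the nested copy at 5.75.0
```

To run it against a real project, replace `sampleLock` with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`.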



Message sent on to Salvatore Bonaccorso <carnil@debian.org>:
Bug#1032904. (Tue, 14 Mar 2023 03:06:03 GMT)


Message #8 received at 1032904-submitter@bugs.debian.org:

From: Yadd <noreply@salsa.debian.org>
To: 1032904-submitter@bugs.debian.org
Subject: Bug#1032904 marked as pending in node-webpack
Date: Tue, 14 Mar 2023 03:02:11 +0000
Control: tag -1 pending

Hello,

Bug #1032904 in node-webpack reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:

https://salsa.debian.org/js-team/node-webpack/-/commit/13c7961274dddaf2d87f8b341dc126a9abbe64b2

------------------------------------------------------------------------
New upstream version (Closes: #1032904, CVE-2023-28154), updates:
+ webpack from 5.75.0 to 5.76.1
+ envinfo from 7.8.0 to 7.8.1
+ terser-webpack-plugin from 5.3.6 to 5.3.7
------------------------------------------------------------------------

(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/1032904



Added tag(s) pending. Request was from Yadd <noreply@salsa.debian.org> to 1032904-submitter@bugs.debian.org. (Tue, 14 Mar 2023 03:06:03 GMT)


Reply sent to Yadd <yadd@debian.org>:
You have taken responsibility. (Tue, 14 Mar 2023 03:24:03 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Tue, 14 Mar 2023 03:24:03 GMT)


Message #15 received at 1032904-close@bugs.debian.org:

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 1032904-close@bugs.debian.org
Subject: Bug#1032904: fixed in node-webpack 5.76.1+dfsg1+~cs17.16.16-1
Date: Tue, 14 Mar 2023 03:20:01 +0000
Source: node-webpack
Source-Version: 5.76.1+dfsg1+~cs17.16.16-1
Done: Yadd <yadd@debian.org>

We believe that the bug you reported is fixed in the latest version of
node-webpack, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1032904@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Yadd <yadd@debian.org> (supplier of updated node-webpack package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Tue, 14 Mar 2023 06:48:56 +0400
Source: node-webpack
Architecture: source
Version: 5.76.1+dfsg1+~cs17.16.16-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>
Changed-By: Yadd <yadd@debian.org>
Closes: 1032904
Changes:
 node-webpack (5.76.1+dfsg1+~cs17.16.16-1) unstable; urgency=medium
 .
   * Team upload
   * Install webpack-cli
   * Update lintian override info format in d/source/lintian-overrides
     on line 5-8, 14, 17-22.
   * Update standards version to 4.6.2, no changes needed.
   * Exclude discoveryjs-json-ext/benchmarks from import
   * New upstream version (Closes: #1032904, CVE-2023-28154), updates:
     +webpack from 5.75.0 to 5.76.1
     + envinfo from 7.8.0 to 7.8.1
     + terser-webpack-plugin from 5.3.6 to 5.3.7
     + @webpack-cli/configtest from 2.0.0 to 2.0.1






Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Tue Mar 14 13:09:02 2023; Machine Name: buxtehude
