node-babel7: CVE-2023-45133

Related Vulnerabilities: CVE-2023-45133  

Debian Bug report logs - #1053880
node-babel7: CVE-2023-45133


Reported by: Moritz Mühlenhoff <jmm@inutil.org>

Date: Fri, 13 Oct 2023 13:27:09 UTC

Severity: grave

Tags: security

Fixed in version node-babel7/7.20.15+ds1+~cs214.269.168-5

Done: Yadd <yadd@debian.org>



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>:
Bug#1053880; Package src:node-babel7. (Fri, 13 Oct 2023 13:27:11 GMT)


Acknowledgement sent to Moritz Mühlenhoff <jmm@inutil.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>. (Fri, 13 Oct 2023 13:27:11 GMT)


Message #5 received at submit@bugs.debian.org:

From: Moritz Mühlenhoff <jmm@inutil.org>
To: submit@bugs.debian.org
Subject: node-babel7: CVE-2023-45133
Date: Fri, 13 Oct 2023 15:24:42 +0200
Source: node-babel7
X-Debbugs-CC: team@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerability was published for node-babel7.

CVE-2023-45133[0]:
| Babel is a compiler for writing JavaScript. In `@babel/traverse`
| prior to versions 7.23.2 and 8.0.0-alpha.4 and all versions of
| `babel-traverse`, using Babel to compile code that was specifically
| crafted by an attacker can lead to arbitrary code execution during
| compilation, when using plugins that rely on the `path.evaluate()` or
| `path.evaluateTruthy()` internal Babel methods. Known affected
| plugins are `@babel/plugin-transform-runtime`; `@babel/preset-env`
| when using its `useBuiltIns` option; and any "polyfill provider"
| plugin that depends on `@babel/helper-define-polyfill-provider`,
| such as `babel-plugin-polyfill-corejs3`,
| `babel-plugin-polyfill-corejs2`, `babel-plugin-polyfill-es-shims`,
| `babel-plugin-polyfill-regenerator`. No other plugins under the
| `@babel/` namespace are impacted, but third-party plugins might be.
| Users that only compile trusted code are not impacted. The
| vulnerability has been fixed in `@babel/traverse@7.23.2` and
| `@babel/traverse@8.0.0-alpha.4`. Those who cannot upgrade
| `@babel/traverse` and are using one of the affected packages
| mentioned above should upgrade them to their latest version to avoid
| triggering the vulnerable code path in affected `@babel/traverse`
| versions: `@babel/plugin-transform-runtime` v7.23.2,
| `@babel/preset-env` v7.23.2, `@babel/helper-define-polyfill-provider`
| v0.4.3, `babel-plugin-polyfill-corejs2` v0.4.6,
| `babel-plugin-polyfill-corejs3` v0.8.5,
| `babel-plugin-polyfill-es-shims` v0.10.0,
| `babel-plugin-polyfill-regenerator` v0.5.3.

https://github.com/babel/babel/security/advisories/GHSA-67hx-6x53-jw92
https://github.com/babel/babel/pull/16033
https://github.com/babel/babel/commit/b13376b346946e3f62fc0848c1d2a23223314c82


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-45133
    https://www.cve.org/CVERecord?id=CVE-2023-45133

Please adjust the affected versions in the BTS as needed.
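The report above and the maintainer's commit message ("Only evaluate own String/Number/Math methods") describe the defensive principle behind the fix: a compile-time evaluator must never call anything other than own, function-valued properties of a small allow list of globals, and must refuse to fold anything it cannot fully account for. The block below is an added illustration of that principle, not code from `@babel/traverse`, from the Debian package or from this bug report. The node shapes imitate a subset of Babel's AST and the `{confident, value}` result shape imitates `path.evaluate()`; the allow list, the helper names (`evaluate`, `evaluateCall`, `call`, `lit`, `ident`) and the constructed test nodes are assumptions made for this example.

```javascript
// Added illustration for this bug log (not @babel/traverse code): a miniature
// constant folder that only ever calls own String/Number/Math methods.

// Hosts whose *own* function-valued properties may be invoked at compile time.
const SAFE_HOSTS = Object.freeze({ String, Number, Math });

function hasOwn(obj, key) {
  return Object.prototype.hasOwnProperty.call(obj, key);
}

function notConfident() {
  return { confident: false };
}

// Evaluate a node statically, or refuse (confident: false) whenever folding it
// would require touching anything outside the allow list.
function evaluate(node) {
  switch (node.type) {
    case "NumericLiteral":
    case "StringLiteral":
    case "BooleanLiteral":
      return { confident: true, value: node.value };
    case "CallExpression":
      return evaluateCall(node);
    default:
      // Identifiers, member reads, computed access etc. are deliberately refused.
      return notConfident();
  }
}

function evaluateCall(node) {
  const callee = node.callee;
  // Only the literal form Host.method(...) is considered; computed access such as
  // Host[expr](...) is refused rather than reasoned about.
  if (callee.type !== "MemberExpression" || callee.computed) return notConfident();
  if (callee.object.type !== "Identifier" || callee.property.type !== "Identifier") {
    return notConfident();
  }
  const hostName = callee.object.name;
  const methodName = callee.property.name;

  // Guard 1: the host must be one of the three allow-listed globals, matched with
  // an own-property check so only those exact names qualify.
  if (!hasOwn(SAFE_HOSTS, hostName)) return notConfident();
  const host = SAFE_HOSTS[hostName];

  // Guard 2: the method must be an own property of that host, so members
  // inherited through the prototype chain are never reachable, and it must
  // actually be a function (Math.PI, for instance, is own but not callable).
  if (!hasOwn(host, methodName)) return notConfident();
  const fn = host[methodName];
  if (typeof fn !== "function") return notConfident();

  // Guard 3: every argument must itself fold to a constant.
  const args = [];
  for (const arg of node.arguments) {
    const r = evaluate(arg);
    if (!r.confident) return notConfident();
    args.push(r.value);
  }
  try {
    return { confident: true, value: fn.apply(host, args) };
  } catch {
    return notConfident();
  }
}

// Constructors for demo input (hand-built AST nodes, not parsed source).
function lit(value) {
  const type = typeof value === "number" ? "NumericLiteral"
             : typeof value === "string" ? "StringLiteral" : "BooleanLiteral";
  return { type, value };
}
function ident(name) {
  return { type: "Identifier", name };
}
function call(hostName, methodName, ...args) {
  return {
    type: "CallExpression",
    callee: { type: "MemberExpression", computed: false,
              object: ident(hostName), property: ident(methodName) },
    arguments: args,
  };
}

// Demo: Math.max(1, 7) folds; Math.toString() (inherited) does not.
console.log(evaluate(call("Math", "max", lit(1), lit(7))));
console.log(evaluate(call("Math", "toString")));
```

Two caveats a practitioner would add before using this pattern in a real transform: the evaluator has no scope tracking, so it must also confirm that `Math`, `String` or `Number` refers to the global binding and is not shadowed by a local declaration in the file being compiled; and the `confident: false` path has to stay the default for every shape the code does not explicitly recognise, which is what keeps attacker-supplied source from steering the folder.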



Message sent on to Moritz Mühlenhoff <jmm@inutil.org>:
Bug#1053880. (Fri, 13 Oct 2023 14:03:03 GMT)


Message #8 received at 1053880-submitter@bugs.debian.org:

From: Yadd <noreply@salsa.debian.org>
To: 1053880-submitter@bugs.debian.org
Subject: Bug#1053880 marked as pending in node-babel
Date: Fri, 13 Oct 2023 13:58:39 +0000
Control: tag -1 pending

Hello,

Bug #1053880 in node-babel reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:

https://salsa.debian.org/js-team/node-babel/-/commit/ff932dfe976deb4b61b26ffb8f7bd8535df95c4b

------------------------------------------------------------------------
Only evaluate own String/Number/Math methods (Closes: #1053880, CVE-2023-45133)
------------------------------------------------------------------------

(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/1053880



Added tag(s) pending. Request was from Yadd <noreply@salsa.debian.org> to 1053880-submitter@bugs.debian.org. (Fri, 13 Oct 2023 14:03:03 GMT)


Message sent on to Moritz Mühlenhoff <jmm@inutil.org>:
Bug#1053880. (Fri, 13 Oct 2023 14:30:03 GMT)


Message #13 received at 1053880-submitter@bugs.debian.org:

From: Yadd <noreply@salsa.debian.org>
To: 1053880-submitter@bugs.debian.org
Subject: Bug#1053880 marked as pending in node-babel
Date: Fri, 13 Oct 2023 14:26:32 +0000
Control: tag -1 pending

Hello,

Bug #1053880 in node-babel reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:

https://salsa.debian.org/js-team/node-babel/-/commit/b77c2b9b7cdc2a5201bf0f7d258348e5ee5312c3

------------------------------------------------------------------------
Only evaluate own String/Number/Math methods (Closes: #1053880, CVE-2023-45133)
------------------------------------------------------------------------

(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/1053880



Message sent on to Moritz Mühlenhoff <jmm@inutil.org>:
Bug#1053880. (Fri, 13 Oct 2023 14:33:04 GMT)


Message #16 received at 1053880-submitter@bugs.debian.org:

From: Yadd <noreply@salsa.debian.org>
To: 1053880-submitter@bugs.debian.org
Subject: Bug#1053880 marked as pending in node-babel
Date: Fri, 13 Oct 2023 14:31:23 +0000
Control: tag -1 pending

Hello,

Bug #1053880 in node-babel reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:

https://salsa.debian.org/js-team/node-babel/-/commit/ab1563acf5657fad72235f0cd90f8a709fddc4f4

------------------------------------------------------------------------
Only evaluate own String/Number/Math methods (Closes: #1053880, CVE-2023-45133)
------------------------------------------------------------------------

(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/1053880



Reply sent to Yadd <yadd@debian.org>:
You have taken responsibility. (Fri, 13 Oct 2023 14:39:05 GMT)


Notification sent to Moritz Mühlenhoff <jmm@inutil.org>:
Bug acknowledged by developer. (Fri, 13 Oct 2023 14:39:06 GMT)


Message #21 received at 1053880-close@bugs.debian.org:

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 1053880-close@bugs.debian.org
Subject: Bug#1053880: fixed in node-babel7 7.20.15+ds1+~cs214.269.168-5
Date: Fri, 13 Oct 2023 14:37:13 +0000
Source: node-babel7
Source-Version: 7.20.15+ds1+~cs214.269.168-5
Done: Yadd <yadd@debian.org>

We believe that the bug you reported is fixed in the latest version of
node-babel7, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1053880@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Yadd <yadd@debian.org> (supplier of updated node-babel7 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 13 Oct 2023 17:53:38 +0400
Source: node-babel7
Architecture: source
Version: 7.20.15+ds1+~cs214.269.168-5
Distribution: unstable
Urgency: medium
Maintainer: Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>
Changed-By: Yadd <yadd@debian.org>
Closes: 1053880
Changes:
 node-babel7 (7.20.15+ds1+~cs214.269.168-5) unstable; urgency=medium
 .
   * Team upload
   * Only evaluate own String/Number/Math methods
     (Closes: #1053880, CVE-2023-45133)
Checksums-Sha1: 
 619734cff5f03d380e45d2a34a516b894b06b78e 19547 node-babel7_7.20.15+ds1+~cs214.269.168-5.dsc
 8bd7cde12d9e58232336e6ff9d2b6af16c0bcd03 243560 node-babel7_7.20.15+ds1+~cs214.269.168-5.debian.tar.xz
Checksums-Sha256: 
 a155b71442b7c9ad210cc5b30549811214af77427011a5cae2a0198e95a397c6 19547 node-babel7_7.20.15+ds1+~cs214.269.168-5.dsc
 d0c526b2ab950c8310bd0910d19273d189e243dedfdf6297b718da87fbcf7717 243560 node-babel7_7.20.15+ds1+~cs214.269.168-5.debian.tar.xz
Files: 
 ee75bcff22329b15debf0de240937bd0 19547 javascript optional node-babel7_7.20.15+ds1+~cs214.269.168-5.dsc
 3be4cdf9642d762b6eeea88367365065 243560 javascript optional node-babel7_7.20.15+ds1+~cs214.269.168-5.debian.tar.xz

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----






Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Fri Oct 13 17:53:35 2023; Machine Name: bembo
