Debian Bug report logs - #986171
underscore: CVE-2021-23358
Reported by: Salvatore Bonaccorso <carnil@debian.org>
Date: Tue, 30 Mar 2021 19:45:02 UTC
Severity: grave
Tags: security, upstream
Found in version underscore/1.9.1~dfsg-1
Fixed in version underscore/1.9.1~dfsg-2
Done: Yadd <yadd@debian.org>
Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, yadd@debian.org, Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>: Bug#986171; Package src:underscore. (Tue, 30 Mar 2021 19:45:03 GMT)
Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>: New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, yadd@debian.org, Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>. (Tue, 30 Mar 2021 19:45:05 GMT)
Message #5 received at submit@bugs.debian.org:
Source: underscore
Version: 1.9.1~dfsg-1
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>,yadd@debian.org
Hi,
The following vulnerability was published for underscore.
CVE-2021-23358[0]:
| The package underscore from 1.13.0-0 and before 1.13.0-2, from 1.3.2
| and before 1.12.1 are vulnerable to Arbitrary Code Execution via the
| template function, particularly when a variable property is passed as
| an argument as it is not sanitized.
[1] provides a POC to verify the issue.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2021-23358
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23358
[1] https://snyk.io/vuln/SNYK-JS-UNDERSCORE-1080984
Regards,
Salvatore
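As an added example that is not part of the bug report or of underscore's own code, the following is a minimal template compiler in the style of `_.template`, showing the class of hardening the report calls for: the `variable` setting names the data argument of the generated function and is therefore spliced into executable source, so it must be a bare identifier and is rejected before any source is assembled. The function names `compileTemplate` and `isBareIdentifier`, the identifier regex and the `<%= %>` subset of the syntax are this example's assumptions, not the library's API.

```javascript
// Added example, not underscore's own code: a minimal _.template-style compiler
// with the `variable` setting validated before it reaches generated source.
// compileTemplate, isBareIdentifier and BARE_IDENTIFIER are this example's
// assumptions, not the library's API.

// A template data variable must be a plain JavaScript identifier and nothing else.
const BARE_IDENTIFIER = /^[A-Za-z_$][\w$]*$/;

function isBareIdentifier(name) {
  return typeof name === 'string' && BARE_IDENTIFIER.test(name);
}

// Compile template text with <%= expr %> interpolations into a render function.
// Template text itself is code and must come from a trusted author; the point
// here is that the `variable` setting, which often comes from configuration,
// must never be able to change the generated source beyond naming one parameter.
function compileTemplate(text, settings = {}) {
  const variable = settings.variable === undefined ? 'obj' : settings.variable;
  if (!isBareIdentifier(variable)) {
    // Reject up front instead of trying to sanitise after the fact.
    throw new Error('variable is not a bare identifier: ' + String(variable));
  }

  let source = "let __p = '', __t;\n";
  const interpolate = /<%=([\s\S]+?)%>/g;
  let index = 0;
  let match;
  while ((match = interpolate.exec(text)) !== null) {
    // Literal text is emitted as a JSON string literal, so it stays a string.
    source += '__p += ' + JSON.stringify(text.slice(index, match.index)) + ';\n';
    // Interpolated expression; null and undefined render as the empty string.
    source += '__p += ((__t = (' + match[1] + ')) == null ? "" : __t);\n';
    index = match.index + match[0].length;
  }
  source += '__p += ' + JSON.stringify(text.slice(index)) + ';\nreturn __p;';

  // Only a validated identifier ever reaches the parameter list.
  return new Function(variable, source);
}

// Usage: a trusted template rendered against caller-supplied data.
const greet = compileTemplate('Hello <%= data.name %>!', { variable: 'data' });
greet({ name: 'Debian' }); // 'Hello Debian!'
```

The design choice worth noting is that the check is an allow-list on the shape of the value, not a blacklist of characters: anything that is not exactly one identifier is refused, so callers that take the template variable name from configuration fail closed.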
Message sent on to Salvatore Bonaccorso <carnil@debian.org>: Bug#986171. (Tue, 30 Mar 2021 20:45:02 GMT)
Message #8 received at 986171-submitter@bugs.debian.org:
Control: tag -1 pending
Hello,
Bug #986171 in underscore reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:
https://salsa.debian.org/js-team/underscore/-/commit/32351ba38b7e69e0cee1010cbbea60446f57d4c8
------------------------------------------------------------------------
Fix arbitrary code execution
Closes: #986171
------------------------------------------------------------------------
(this message was generated automatically)
--
Greetings
https://bugs.debian.org/986171
Added tag(s) pending. Request was from Yadd <noreply@salsa.debian.org> to 986171-submitter@bugs.debian.org. (Tue, 30 Mar 2021 20:45:02 GMT)
Reply sent to Yadd <yadd@debian.org>: You have taken responsibility. (Tue, 30 Mar 2021 21:06:03 GMT)
Notification sent to Salvatore Bonaccorso <carnil@debian.org>: Bug acknowledged by developer. (Tue, 30 Mar 2021 21:06:05 GMT)
Message #15 received at 986171-close@bugs.debian.org:
Source: underscore
Source-Version: 1.9.1~dfsg-2
Done: Yadd <yadd@debian.org>
We believe that the bug you reported is fixed in the latest version of
underscore, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 986171@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Yadd <yadd@debian.org> (supplier of updated underscore package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Tue, 30 Mar 2021 22:40:59 +0200
Source: underscore
Architecture: source
Version: 1.9.1~dfsg-2
Distribution: unstable
Urgency: medium
Maintainer: Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>
Changed-By: Yadd <yadd@debian.org>
Closes: 986171
Changes:
underscore (1.9.1~dfsg-2) unstable; urgency=medium
.
* Team upload
.
[ Debian Janitor ]
* Bump debhelper dependency to >= 9, since that's what is used in debian/compat.
* Bump debhelper from old 9 to 12.
* Set debhelper-compat version in Build-Depends.
* Set upstream metadata fields: Bug-Database, Repository, Repository-Browse.
* Update standards version to 4.4.1, no changes needed.
* Set upstream metadata fields: Bug-Submit.
* Update standards version to 4.5.0, no changes needed.
* Apply multi-arch hints.
+ node-underscore: Add Multi-Arch: foreign.
.
[ Yadd ]
* Mark autopkgtest as superficial
* Fix arbitrary code execution and add a test (Closes: #986171)
Checksums-Sha1:
8c5e6341b39ff1bd5cf10825a3008bd2f68df8af 2134 underscore_1.9.1~dfsg-2.dsc
b44883f921b9f6262b8448715e4c07ff3bc32bb8 9296 underscore_1.9.1~dfsg-2.debian.tar.xz
Checksums-Sha256:
6f5a65a34aad6897225efc69f927b513ae5947ab19b7dc5ed1badc41c8f40b58 2134 underscore_1.9.1~dfsg-2.dsc
630e76c4af563e1d4f86c5dd4f54434181174b06a90a5bac6db1ac734411f62e 9296 underscore_1.9.1~dfsg-2.debian.tar.xz
Files:
0b89f870e91869eb8887b9c1c880299c 2134 web optional underscore_1.9.1~dfsg-2.dsc
6a0fbbe95672eb99fb19bf84091d7a0d 9296 web optional underscore_1.9.1~dfsg-2.debian.tar.xz
-----BEGIN PGP SIGNATURE-----
=AE6G
-----END PGP SIGNATURE-----
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>: Bug#986171; Package src:underscore. (Tue, 30 Mar 2021 21:30:32 GMT)
Acknowledgement sent to Yadd <yadd@debian.org>: Extra info received and forwarded to list. Copy sent to Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>. (Tue, 30 Mar 2021 21:30:32 GMT)
Message #20 received at 986171@bugs.debian.org:
On 30/03/2021 at 21:40, Salvatore Bonaccorso wrote:
> Source: underscore
> Version: 1.9.1~dfsg-1
> Severity: grave
> Tags: security upstream
> Justification: user security hole
> X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>,yadd@debian.org
>
> Hi,
>
> The following vulnerability was published for underscore.
>
> CVE-2021-23358[0]:
> | The package underscore from 1.13.0-0 and before 1.13.0-2, from 1.3.2
> | and before 1.12.1 are vulnerable to Arbitrary Code Execution via the
> | template function, particularly when a variable property is passed as
> | an argument as it is not sanitized.
>
> [1] provides a POC to verify the issue.
>
>
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>
> For further information see:
>
> [0] https://security-tracker.debian.org/tracker/CVE-2021-23358
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23358
> [1] https://snyk.io/vuln/SNYK-JS-UNDERSCORE-1080984
>
> Regards,
> Salvatore
Hi,
here is a debdiff for buster including:
* backport of upstream patch
* autopkgtest file (tested)
Cheers,
Yadd
[underscore_1.9.1_dfsg-1+deb10u1.debdiff (text/plain, attachment)]
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified: Wed Mar 31 08:05:37 2021; Machine Name: bembo