underscore: CVE-2021-23358

Debian Bug report logs - #986171
Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Tue, 30 Mar 2021 19:45:02 UTC

Severity: grave

Tags: security, upstream

Found in version underscore/1.9.1~dfsg-1

Fixed in version underscore/1.9.1~dfsg-2

Done: Yadd <yadd@debian.org>


Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, yadd@debian.org, Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>:
Bug#986171; Package src:underscore. (Tue, 30 Mar 2021 19:45:03 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, yadd@debian.org, Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>. (Tue, 30 Mar 2021 19:45:05 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: underscore: CVE-2021-23358
Date: Tue, 30 Mar 2021 21:40:31 +0200
Source: underscore
Version: 1.9.1~dfsg-1
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>,yadd@debian.org

Hi,

The following vulnerability was published for underscore.

CVE-2021-23358[0]:
| The package underscore from 1.13.0-0 and before 1.13.0-2, from 1.3.2
| and before 1.12.1 are vulnerable to Arbitrary Code Execution via the
| template function, particularly when a variable property is passed as
| an argument as it is not sanitized.

[1] provides a POC to verify the issue.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-23358
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23358
[1] https://snyk.io/vuln/SNYK-JS-UNDERSCORE-1080984

Regards,
Salvatore
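The CVE text above says the `variable` option of underscore's template function is spliced into generated code without being sanitized. The block below is an added example, not code from this bug log or from the underscore project: it models the defensive check upstream applied, namely refusing any `variable` setting that is not a single bare identifier, and wraps it in an audit helper for reviewing call sites. The names `checkTemplateVariable`, `hardenedTemplate`, `toyCompile` and `auditVariableSettings` are this example's own, and the regex is an assumption about what "bare identifier" means rather than the library's exact pattern.

```javascript
// Added example for CVE-2021-23358 (not from the Debian bug log or the
// underscore project). The `variable` template setting ends up inside
// generated JavaScript source, so it must be a bare identifier and nothing
// else. Everything named here is this example's own.

// Assumption: one identifier with optional surrounding whitespace. This is
// modelled on the upstream hardening, not copied from it.
const BARE_IDENTIFIER = /^\s*[A-Za-z_$][\w$]*\s*$/;

// Returns the identifier the generated template code may use, or throws.
// An empty/missing value falls back to the library's historical default.
function checkTemplateVariable(name) {
  if (name === undefined || name === null || name === '') {
    return 'obj';
  }
  if (typeof name !== 'string' || !BARE_IDENTIFIER.test(name)) {
    throw new TypeError(
      'template variable is not a bare identifier: ' + String(name)
    );
  }
  return name.trim();
}

// Wrapper that validates settings before they reach a template compiler.
// `compile` stands in for _.template and is passed as a parameter so the
// example runs without the library installed.
function hardenedTemplate(text, settings, compile) {
  const safe = Object.assign({}, settings);
  safe.variable = checkTemplateVariable(safe.variable);
  return compile(text, safe);
}

// Minimal stand-in compiler: interpolates {{key}} from the data object.
// It exists only so the wrapper can be exercised offline; it does not
// generate code the way the real template function does.
function toyCompile(text, settings) {
  return function (data) {
    return text.replace(/\{\{\s*(\w+)\s*\}\}/g, (m, key) =>
      data && key in data ? String(data[key]) : ''
    );
  };
}

// Classifies a batch of candidate settings. Useful when auditing code that
// forwards configuration from an untrusted source into a template engine:
// anything flagged `ok: false` would have been rejected by the check above.
function auditVariableSettings(candidates) {
  return candidates.map((v) => {
    try {
      return { value: v, ok: true, variable: checkTemplateVariable(v) };
    } catch (e) {
      return { value: v, ok: false, reason: e.message };
    }
  });
}

// Constructed sample run (values are made up for illustration).
const sampleSettings = ['data', ' $ctx ', undefined, 'my data', 'a-b', 42];
console.log(auditVariableSettings(sampleSettings));
console.log(
  hardenedTemplate('hello {{name}}', { variable: 'd' }, toyCompile)({ name: 'world' })
);
```

The check is deliberately an allowlist: rather than trying to strip dangerous characters from the option, it accepts exactly the one shape the generated code can safely use and rejects everything else, which is the same posture the upstream fix took.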



Message sent on to Salvatore Bonaccorso <carnil@debian.org>:
Bug#986171. (Tue, 30 Mar 2021 20:45:02 GMT)


Message #8 received at 986171-submitter@bugs.debian.org:

From: Yadd <noreply@salsa.debian.org>
To: 986171-submitter@bugs.debian.org
Subject: Bug#986171 marked as pending in underscore
Date: Tue, 30 Mar 2021 20:42:59 +0000
Control: tag -1 pending

Hello,

Bug #986171 in underscore reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:

https://salsa.debian.org/js-team/underscore/-/commit/32351ba38b7e69e0cee1010cbbea60446f57d4c8

------------------------------------------------------------------------
Fix arbitrary code execution

Closes: #986171
------------------------------------------------------------------------

(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/986171



Added tag(s) pending. Request was from Yadd <noreply@salsa.debian.org> to 986171-submitter@bugs.debian.org. (Tue, 30 Mar 2021 20:45:02 GMT)


Reply sent to Yadd <yadd@debian.org>:
You have taken responsibility. (Tue, 30 Mar 2021 21:06:03 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Tue, 30 Mar 2021 21:06:05 GMT)


Message #15 received at 986171-close@bugs.debian.org:

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 986171-close@bugs.debian.org
Subject: Bug#986171: fixed in underscore 1.9.1~dfsg-2
Date: Tue, 30 Mar 2021 21:03:34 +0000
Source: underscore
Source-Version: 1.9.1~dfsg-2
Done: Yadd <yadd@debian.org>

We believe that the bug you reported is fixed in the latest version of
underscore, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 986171@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Yadd <yadd@debian.org> (supplier of updated underscore package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 30 Mar 2021 22:40:59 +0200
Source: underscore
Architecture: source
Version: 1.9.1~dfsg-2
Distribution: unstable
Urgency: medium
Maintainer: Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>
Changed-By: Yadd <yadd@debian.org>
Closes: 986171
Changes:
 underscore (1.9.1~dfsg-2) unstable; urgency=medium
 .
   * Team upload
 .
   [ Debian Janitor ]
   * Bump debhelper dependency to >= 9, since that's what is used in
     debian/compat.
   * Bump debhelper from old 9 to 12.
   * Set debhelper-compat version in Build-Depends.
   * Set upstream metadata fields: Bug-Database, Repository, Repository-
     Browse.
   * Update standards version to 4.4.1, no changes needed.
   * Set upstream metadata fields: Bug-Submit.
   * Update standards version to 4.5.0, no changes needed.
   * Apply multi-arch hints.
     + node-underscore: Add Multi-Arch: foreign.
 .
   [ Yadd ]
   * Mark autopkgtest as superficial
   * Fix arbitrary code execution and add a test (Closes: #986171)
Checksums-Sha1: 
 8c5e6341b39ff1bd5cf10825a3008bd2f68df8af 2134 underscore_1.9.1~dfsg-2.dsc
 b44883f921b9f6262b8448715e4c07ff3bc32bb8 9296 underscore_1.9.1~dfsg-2.debian.tar.xz
Checksums-Sha256: 
 6f5a65a34aad6897225efc69f927b513ae5947ab19b7dc5ed1badc41c8f40b58 2134 underscore_1.9.1~dfsg-2.dsc
 630e76c4af563e1d4f86c5dd4f54434181174b06a90a5bac6db1ac734411f62e 9296 underscore_1.9.1~dfsg-2.debian.tar.xz
Files: 
 0b89f870e91869eb8887b9c1c880299c 2134 web optional underscore_1.9.1~dfsg-2.dsc
 6a0fbbe95672eb99fb19bf84091d7a0d 9296 web optional underscore_1.9.1~dfsg-2.debian.tar.xz

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>:
Bug#986171; Package src:underscore. (Tue, 30 Mar 2021 21:30:32 GMT)


Acknowledgement sent to Yadd <yadd@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>. (Tue, 30 Mar 2021 21:30:32 GMT)


Message #20 received at 986171@bugs.debian.org:

From: Yadd <yadd@debian.org>
To: 986171@bugs.debian.org, Debian Security Team <team@security.debian.org>
Subject: Re: Bug#986171: underscore: CVE-2021-23358
Date: Tue, 30 Mar 2021 23:00:00 +0200
On 30/03/2021 at 21:40, Salvatore Bonaccorso wrote:
> Source: underscore
> Version: 1.9.1~dfsg-1
> Severity: grave
> Tags: security upstream
> Justification: user security hole
> X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>,yadd@debian.org
> 
> Hi,
> 
> The following vulnerability was published for underscore.
> 
> CVE-2021-23358[0]:
> | The package underscore from 1.13.0-0 and before 1.13.0-2, from 1.3.2
> | and before 1.12.1 are vulnerable to Arbitrary Code Execution via the
> | template function, particularly when a variable property is passed as
> | an argument as it is not sanitized.
> 
> [1] provides a POC to verify the issue.
> 
> 
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> 
> For further information see:
> 
> [0] https://security-tracker.debian.org/tracker/CVE-2021-23358
>     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23358
> [1] https://snyk.io/vuln/SNYK-JS-UNDERSCORE-1080984
> 
> Regards,
> Salvatore

Hi,

here is a debdiff for buster including:
 * backport of upstream patch
 * autopkgtest file (tested)

Cheers,
Yadd
[underscore_1.9.1_dfsg-1+deb10u1.debdiff (text/plain, attachment)]


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Mar 31 08:05:37 2021; Machine Name: bembo