
Bug#969163: marked as done (buster-pu: package npm/5.8.0+ds6-4+deb10u2)



Your message dated Sat, 26 Sep 2020 11:36:30 +0100
with message-id <d50ba4de424290cd2840a09ef19950156fcf51ab.camel@adam-barratt.org.uk>
and subject line Closing bugs for fixes included in 10.6 point release
has caused the Debian Bug report #969163,
regarding buster-pu: package npm/5.8.0+ds6-4+deb10u2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
969163: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=969163
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu

Hi,

[ Reason ]
npm is vulnerable to CVE-2020-15095: passwords in URLs are stored in logs.
This update imports the upstream commit that fixes it.

[ Impact ]
(What is the impact for the user if the update isn't approved?)
Little CVE: URL containing password (https://user:pwd@xxx) are stored in
logs

[ Tests ]
autopkgtest tested, no specific test for this CVE

[ Risks ]
(Discussion of the risks involved. E.g. code is trivial or
complex, alternatives available.)
Low risk: minor change in logs only

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

[ Changes ]
(Explain *all* the changes)
Log strings are parsed by a new "lib/utils/replace-info.js" to delete
password in URLs before logging

[ Other info ]
None
diff --git a/debian/changelog b/debian/changelog
index d7b986f..a567e2e 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+npm (5.8.0+ds6-4+deb10u2) buster; urgency=medium
+
+  * Team upload
+  * Don't show password in logs (Closes: CVE-2020-15095)
+
+ -- Xavier Guimard <yadd@debian.org>  Fri, 28 Aug 2020 13:36:33 +0200
+
 npm (5.8.0+ds6-4+deb10u1) buster; urgency=medium
 
   * Add patches to fix arbitrary path access
diff --git a/debian/patches/CVE-2020-15095.diff b/debian/patches/CVE-2020-15095.diff
new file mode 100644
index 0000000..9188249
--- /dev/null
+++ b/debian/patches/CVE-2020-15095.diff
@@ -0,0 +1,133 @@
+Description: chore: remove auth info from logs
+Author: claudiahdz <cghr1990@gmail.com>
+Origin: upstream, https://github.com/npm/cli/commit/a9857b8f
+Bug: https://github.com/npm/cli/security/advisories/GHSA-93f3-23rq-pjfp
+Forwarded: not-needed
+Reviewed-By: Xavier Guimard <yadd@debian.org>
+Last-Update: 2020-08-28
+
+--- a/bin/npm-cli.js
++++ b/bin/npm-cli.js
+@@ -35,6 +35,7 @@
+   var npm = require('../lib/npm.js')
+   var npmconf = require('../lib/config/core.js')
+   var errorHandler = require('../lib/utils/error-handler.js')
++  var replaceInfo = require('../lib/utils/replace-info.js')
+   var output = require('../lib/utils/output.js')
+ 
+   var configDefs = npmconf.defs
+@@ -48,7 +49,8 @@
+     process.argv.splice(1, 1, 'npm', '-g')
+   }
+ 
+-  log.verbose('cli', process.argv)
++  var args = replaceInfo(process.argv)
++  log.verbose('cli', args)
+ 
+   var conf = nopt(types, shorthands)
+   npm.argv = conf.argv.remain
+--- a/lib/fetch-package-metadata.js
++++ b/lib/fetch-package-metadata.js
+@@ -3,6 +3,7 @@
+ const deprCheck = require('./utils/depr-check')
+ const path = require('path')
+ const log = require('npmlog')
++const pacote = require('pacote')
+ const readPackageTree = require('read-package-tree')
+ const rimraf = require('rimraf')
+ const validate = require('aproba')
+@@ -10,8 +11,8 @@
+ const npm = require('./npm')
+ const npmlog = require('npmlog')
+ const limit = require('call-limit')
+-const tempFilename = require('./utils/temp-filename')
+-const pacote = require('pacote')
++const tempFilename = require('./utils/temp-filename.js')
++const replaceInfo = require('./utils/replace-info.js')
+ let pacoteOpts
+ const isWindows = require('./utils/is-windows.js')
+ 
+@@ -19,7 +20,9 @@
+   validate('SOF|SZF|OOF|OZF', [spec, tracker, done])
+   return (er, pkg) => {
+     if (er) {
+-      log.silly('fetchPackageMetaData', 'error for ' + String(spec), er.message)
++      er.message = replaceInfo(er.message)
++      var spc = replaceInfo(String(spec))
++      log.silly('fetchPackageMetaData', 'error for ' + spc, er.message)
+       if (tracker) tracker.finish()
+     }
+     return done(er, pkg)
+--- a/lib/utils/error-handler.js
++++ b/lib/utils/error-handler.js
+@@ -13,6 +13,7 @@
+ var chain = require('slide').chain
+ var writeFileAtomic = require('write-file-atomic')
+ var errorMessage = require('./error-message.js')
++var replaceInfo = require('./replace-info.js')
+ var stopMetrics = require('./metrics.js').stop
+ var mkdirp = require('mkdirp')
+ var fs = require('graceful-fs')
+@@ -176,14 +177,16 @@
+   ].forEach(function (k) {
+     var v = er[k]
+     if (!v) return
++    v = replaceInfo(v)
+     log.verbose(k, v)
+   })
+ 
+   log.verbose('cwd', process.cwd())
+ 
+   var os = require('os')
++  var args = replaceInfo(process.argv)
+   log.verbose('', os.type() + ' ' + os.release())
+-  log.verbose('argv', process.argv.map(JSON.stringify).join(' '))
++  log.verbose('argv', args.map(JSON.stringify).join(' '))
+   log.verbose('node', process.version)
+   log.verbose('npm ', 'v' + npm.version)
+ 
+--- a/lib/utils/error-message.js
++++ b/lib/utils/error-message.js
+@@ -2,12 +2,17 @@
+ var npm = require('../npm.js')
+ var util = require('util')
+ var nameValidator = require('validate-npm-package-name')
++var replaceInfo = require('./replace-info.js')
+ 
+ module.exports = errorMessage
+ 
+ function errorMessage (er) {
+   var short = []
+   var detail = []
++
++  er.message = replaceInfo(er.message)
++  er.stack = replaceInfo(er.stack)
++
+   switch (er.code) {
+     case 'ECONNREFUSED':
+       short.push(['', er])
+--- /dev/null
++++ b/lib/utils/replace-info.js
+@@ -0,0 +1,22 @@
++const URL = require('url')
++
++// replaces auth info in an array
++//  of arguments or in a strings
++function replaceInfo (arg) {
++  const isArray = Array.isArray(arg)
++  const isString = typeof arg === 'string'
++
++  if (!isArray && !isString) return arg
++
++  const args = isString ? arg.split(' ') : arg
++  const info = args.map(arg => {
++    try {
++      const url = new URL(arg)
++      return url.password === '' ? arg : arg.replace(url.password, '***')
++    } catch (e) { return arg }
++  })
++
++  return isString ? info.join(' ') : info
++}
++
++module.exports = replaceInfo
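Review bot: The new lib/utils/replace-info.js binds `const URL = require('url')`, which in Node is the module object rather than the WHATWG class, so `new URL(arg)` throws "URL is not a constructor" on every call; the surrounding `catch (e) { return arg }` swallows that, and the function returns its input unchanged, meaning none of the call sites in npm-cli.js, fetch-package-metadata.js, error-handler.js or error-message.js actually redact anything. The one-line fix is `const { URL } = require('url')` (or `const { URL } = require('url')` plus `/* istanbul ignore next */` if the project tracks that). Since the bug report notes "no specific test for this CVE", a single assertion would catch this regression: `assert.strictEqual(replaceInfo('https://user:pwd@registry.example/'), 'https://user:***@registry.example/')` (constructed example). Independently, `arg.replace(url.password, '***')` only matches an exact substring of the raw text, so a password the parser percent-encodes, or one whose text also occurs earlier in the same token, is not reliably redacted; documenting that limitation above the function would help the next reader.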
diff --git a/debian/patches/series b/debian/patches/series
index 95031c5..1780486 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -13,3 +13,4 @@ CVE-2019-16775-bin-links.diff
 CVE-2019-16775-npm-packlist.diff
 CVE-2019-16775-pacote.diff
 CVE-2019-16775-add-npm-normalize-package-bin.diff
+CVE-2020-15095.diff

--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 10.6

Hi,

Each of these bugs relates to an update that was included in today's
stable point release.

Regards,

Adam

--- End Message ---
