Bug#1032994: unblock: node-webpack/5.76.1+dfsg1+~cs17.16.16-1

Yadd
Mar 15, 2023, 8:50:05 AM
Package: release.debian.org
Severity: normal
User: release.d...@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: node-w...@packages.debian.org
Control: affects -1 + src:node-webpack

Please unblock package node-webpack

[ Reason ]
node-webpack is vulnerable to cross-realm object access
(#1032904, CVE-2023-28154).

[ Impact ]
Medium security issue

[ Tests ]
Test updated, passed

[ Risks ]
Low risk, autopkgtest passed on all reverse dependencies

[ Checklist ]
[X] all changes are documented in the d/changelog
[X] I reviewed all changes and I approve them
[X] attach debdiff against the package in testing

[ Other info ]
The attached debdiff doesn't show the doc and test snapshot updates;
otherwise the debdiff would be really big and not relevant.

Cheers,
Yadd

unblock node-webpack/5.76.1+dfsg1+~cs17.16.16-1
node-webpack_5.76.1+dfsg1+~cs17.16.16-1.debdiff

Yadd
Mar 15, 2023, 8:50:05 AM
Sorry, I didn't see that node-webpack was considered a key package.

Paul Gevers
Mar 15, 2023, 4:20:05 PM
Control: tags -1 moreinfo

Hi Yadd,

On 15-03-2023 13:38, Yadd wrote:
> [ Reason ]
> node-webpack is vulnerable to cross-realm object access
> (#1032904, CVE-2023-28154).

This doesn't look like a targeted fix, but rather seems to include much
more.

How about reverting and providing a fix only for that CVE please?

Paul

Salvatore Bonaccorso
Apr 29, 2023, 8:10:04 AM
Control: severity 1032904 serious

Hi Yadd,
have you seen Paul's comment/question above? We now have a somewhat
unfortunate situation: the CVE is fixed in unstable, and it is fixed in
bullseye as well with the last point release. But it is still open in
bookworm.

For this reason I will bump the severity of #1032904 to RC, as it is a
regression in this regard.

Regards,
Salvatore

Yadd
May 2, 2023, 4:30:04 AM
Hi,

Extracting only the CVE patch means:
* keeping some (unimportant) bugs in Bullseye
* publishing such a version number:
5.76.1+dfsg1+~cs17.16.16+really~5.75.0+dfsg+~cs17.16.14-1

Paul Gevers
May 2, 2023, 3:41:32 PM
Hi Yadd,

On 02-05-2023 10:15, Yadd wrote:
> Extracting only the CVE patch means:
>  * keeping some (unimportant) bugs in Bullseye
>  * publishing such a version number:
>    5.76.1+dfsg1+~cs17.16.16+really~5.75.0+dfsg+~cs17.16.14-1

Indeed, both are totally acceptable. Can we have a debdiff please?

Paul

Graham Inggs
May 28, 2023, 2:41:49 AM
tags -1 + moreinfo

Hi Yadd

On Wed, 3 May 2023 at 04:51, Yadd <ya...@debian.org> wrote:
> here is the current debdiff (without the big removal of useless
> discoveryjs-json-ext/benchmarks)

I removed the moreinfo tag before realizing this is exactly the same
as the first debdiff.

You seem to have missed this comment:

On Wed, 15 Mar 2023 at 22:15, Paul Gevers <elb...@debian.org> wrote:
> This doesn't look like a targeted fix, but rather seems to include much
> more.
>
> How about reverting and providing a fix only for that CVE please?

Regards
Graham

Paul Gevers
Jun 1, 2023, 5:51:51 AM
control: tags -1 moreinfo

Hi Yadd,

On 29-05-2023 05:58, Yadd wrote:
> On 5/28/23 10:29, Graham Inggs wrote:
>> On Wed, 3 May 2023 at 04:51, Yadd <ya...@debian.org> wrote:
>>> How about reverting and providing a fix only for that CVE please?

> instead of reverting and having a too long version
> (5.76.1+dfsg1+~cs17.16.16+really-5.75.0+dfsg+~cs17.16.14-1), if upload
> to bookworm is allowed, I'm able to push this debdiff.

Please upload this debdiff to unstable ASAP. I'm not aware of
limitations for the version number that you would trigger with that. tpu
is not meant for this purpose (it doesn't have any QA). Mind you, the
closing window for uploads was last weekend, so we're extremely late.
Otherwise we'll have to do this via the security archive or a point
release update.

Paul

Yadd
Jun 1, 2023, 11:00:04 AM
Hi,

I can't upload this debdiff to unstable because the version in unstable is
5.76.1+dfsg1+~cs17.16.16-1. If we can't upload to bookworm without using
unstable, let's wait for Debian 12.1.
Otherwise, the version would be:
- 5.76.1+dfsg1+~cs17.16.16+really-5.75.0+dfsg+~cs17.16.14-1
and later fixes would then look like
- 5.76.1+dfsg1+~cs17.16.16+really-5.75.0+dfsg+~cs17.16.14-1+deb12u1

I don't want to be the author of such a version.
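The version-ordering question behind this thread (whether a "+really" version sorts above the version already in unstable, so that the CVE fix actually installs and later stable updates can still follow it), worked through as an added example that is not part of the bug report or of dpkg: a Python re-implementation of dpkg's version comparison run over the version strings quoted above. The only value not quoted in the thread is ENCODED, the code version the +really suffix stands for, derived here from the suffix itself.

```python
# Added example: dpkg's version ordering re-implemented in Python
import re
from itertools import zip_longest

def _order(c: str) -> int:
    # dpkg's weight for a non-digit character: '~' sorts below everything, even
    # the end of the run (weight 0); letters sort below other punctuation
    return -1 if c == "~" else ord(c) if c.isalpha() else ord(c) + 256

def _verrevcmp(a: str, b: str) -> int:
    # Walk both strings as alternating (non-digit run, digit run) pairs, as dpkg does
    runs = lambda s: re.findall(r"(\D*)(\d*)", s)
    for (na, da), (nb, db) in zip_longest(runs(a), runs(b), fillvalue=("", "")):
        wa = [_order(c) for c in na] + [0]  # trailing 0 marks the end of the run
        wb = [_order(c) for c in nb] + [0]
        if wa != wb:
            return -1 if wa < wb else 1
        if int(da or 0) != int(db or 0):
            return -1 if int(da or 0) < int(db or 0) else 1
    return 0

def _split(v: str):
    # [epoch:]upstream[-revision]; the revision is what follows the last '-'
    epoch, sep, rest = v.partition(":")
    epoch, rest = (epoch, rest) if sep else ("0", v)
    upstream, sep, revision = rest.rpartition("-")
    return int(epoch), upstream if sep else rest, revision if sep else ""

def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1 as a sorts below, equal to or above b in dpkg order."""
    (ea, ua, ra), (eb, ub, rb) = _split(a), _split(b)
    if ea != eb:
        return -1 if ea < eb else 1
    for x, y in ((ua, ub), (ra, rb)):
        c = _verrevcmp(x, y)
        if c:
            return c
    return 0

# Version strings quoted in the thread; ENCODED is derived from the +really suffix
UNSTABLE = "5.76.1+dfsg1+~cs17.16.16-1"
REALLY_DASH = "5.76.1+dfsg1+~cs17.16.16+really-5.75.0+dfsg+~cs17.16.14-1"
REALLY_TILDE = "5.76.1+dfsg1+~cs17.16.16+really~5.75.0+dfsg+~cs17.16.14-1"
FOLLOWUP = REALLY_DASH + "+deb12u1"
ENCODED = "5.75.0+dfsg+~cs17.16.14-1"

if __name__ == "__main__":  # a plain downgrade never installs; +really versions do
    for lo, hi in ((ENCODED, UNSTABLE), (UNSTABLE, REALLY_TILDE),
                   (REALLY_TILDE, REALLY_DASH), (REALLY_DASH, FOLLOWUP)):
        print(compare_versions(lo, hi), lo, "<", hi)
```

Both spellings of the suffix proposed in the thread sort above the unstable version, the '-' variant above the '~' variant, and the +deb12u1 follow-up above both, which is the ordering a stable update needs.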