Version in base suite: 7.20.15+ds1+~cs214.269.168-3
Base version: node-babel7_7.20.15+ds1+~cs214.269.168-3
Target version: node-babel7_7.20.15+ds1+~cs214.269.168-3+deb12u1
Base file: /srv/ftp-master.debian.org/ftp/pool/main/n/node-babel7/node-babel7_7.20.15+ds1+~cs214.269.168-3.dsc
Target file: /srv/ftp-master.debian.org/policy/pool/main/n/node-babel7/node-babel7_7.20.15+ds1+~cs214.269.168-3+deb12u1.dsc
 changelog | 8 ++++++++
 patches/CVE-2023-45133.patch | 39 +++++++++++++++++++++++++++++++++++++++
 patches/series | 2 ++
 3 files changed, 49 insertions(+)
diff -Nru node-babel7-7.20.15+ds1+~cs214.269.168/debian/changelog node-babel7-7.20.15+ds1+~cs214.269.168/debian/changelog
--- node-babel7-7.20.15+ds1+~cs214.269.168/debian/changelog 2023-05-30 08:24:08.000000000 +0000
+++ node-babel7-7.20.15+ds1+~cs214.269.168/debian/changelog 2023-10-13 14:02:05.000000000 +0000
@@ -1,3 +1,11 @@
+node-babel7 (7.20.15+ds1+~cs214.269.168-3+deb12u1) bookworm-security; urgency=medium
+
+ * Team upload
+ * Only evaluate own String/Number/Math methods
+ (Closes: #1053880, CVE-2023-45133)
+
+ -- Yadd Fri, 13 Oct 2023 18:02:05 +0400
+
 node-babel7 (7.20.15+ds1+~cs214.269.168-3) unstable; urgency=medium
 * Team upload
diff -Nru node-babel7-7.20.15+ds1+~cs214.269.168/debian/patches/CVE-2023-45133.patch node-babel7-7.20.15+ds1+~cs214.269.168/debian/patches/CVE-2023-45133.patch
--- node-babel7-7.20.15+ds1+~cs214.269.168/debian/patches/CVE-2023-45133.patch 1970-01-01 00:00:00.000000000 +0000
+++ node-babel7-7.20.15+ds1+~cs214.269.168/debian/patches/CVE-2023-45133.patch 2023-10-13 14:02:05.000000000 +0000
@@ -0,0 +1,39 @@
+Description: Only evaluate own String/Number/Math methods
+Author: Nicolò Ribaudo
+Origin: upstream, commit:b13376b
+Bug: https://github.com/babel/babel/pull/16033
+Bug-Debian: https://bugs.debian.org/1053880
+Forwarded: not-needed
+Applied-Upstream: 7.23.2, commit:b13376b
+Reviewed-By: Yadd
+Last-Update: 2023-10-13
+
+--- a/packages/babel-traverse/src/path/evaluation.ts
++++ b/packages/babel-traverse/src/path/evaluation.ts
+@@ -443,7 +443,10 @@
+ if (type === "string" || type === "number") {
+ // @ts-ignore todo(flow->ts): consider checking ast node type instead of value type
+ context = object.node.value;
+- func = context[property.node.name];
++ const key = property.node.name;
++ if (Object.hasOwnProperty.call(context, key)) {
++ func = context[key as keyof typeof context];
++ }
+ }
+ }
+ }
+--- a/packages/babel-traverse/test/evaluation.js
++++ b/packages/babel-traverse/test/evaluation.js
+@@ -152,6 +152,12 @@
+ expect(eval_invalid_call.confident).toBe(false);
+ });
+
++ if("should not evaluate inherited methods", function () {
++ const path = getPath("Math.hasOwnProperty('min')");
++ const evalResult = path.get("body.0.expression").evaluate();
++ expect(evalResult.confident).toBe(false);
++ });
++
+ it("should not deopt vars in different scope", function () {
+ const input =
+ "var a = 5; function x() { var a = 5; var b = a + 1; } var b = a + 2";
diff -Nru node-babel7-7.20.15+ds1+~cs214.269.168/debian/patches/series node-babel7-7.20.15+ds1+~cs214.269.168/debian/patches/series
--- node-babel7-7.20.15+ds1+~cs214.269.168/debian/patches/series 2023-05-30 08:16:22.000000000 +0000
+++ node-babel7-7.20.15+ds1+~cs214.269.168/debian/patches/series 2023-10-13 14:02:05.000000000 +0000
@@ -18,3 +18,5 @@
 # For standalone only
 ignore-rollup-warnings-for-standalone.patch
 fix-for-rollup-3.patch
+
+CVE-2023-45133.patch
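Review bot: The regression test added in the nested `packages/babel-traverse/test/evaluation.js` hunk never executes: it is declared as `if("should not evaluate inherited methods", function () {` rather than `it(`, so the comma expression merely yields the function object as the `if` condition, the body is never invoked, and the suite passes whether or not the fix works. The one-token correction is `it("should not evaluate inherited methods", function () {`. Separately, that test names `Math.hasOwnProperty('min')`, while the only source hunk (evaluation.ts at 443) guards the `type === "string" || type === "number"` literal branch; unless the `Math`/global-object branch in this version already carries an equivalent own-property check outside the hunk, the code path the test names is not covered by this patch and should be confirmed before the CVE is treated as closed. The enclosing functions of both nested hunks start and end outside them.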