Version in base suite: 7.12.12+~cs150.141.84-6
Base version: node-babel7_7.12.12+~cs150.141.84-6
Target version: node-babel7_7.12.12+~cs150.141.84-6+deb11u1
Base file: /srv/ftp-master.debian.org/ftp/pool/main/n/node-babel7/node-babel7_7.12.12+~cs150.141.84-6.dsc
Target file: /srv/ftp-master.debian.org/policy/pool/main/n/node-babel7/node-babel7_7.12.12+~cs150.141.84-6+deb11u1.dsc
 changelog | 6 ++++++
 nodejs/extcopies | 1 -
 patches/CVE-2023-45133.patch | 24 ++++++++++++++++++++++++
 patches/series | 1 +
 rules | 1 +
 5 files changed, 32 insertions(+), 1 deletion(-)
diff -Nru node-babel7-7.12.12+~cs150.141.84/debian/changelog node-babel7-7.12.12+~cs150.141.84/debian/changelog
--- node-babel7-7.12.12+~cs150.141.84/debian/changelog 2021-02-03 05:31:56.000000000 +0000
+++ node-babel7-7.12.12+~cs150.141.84/debian/changelog 2023-10-13 14:25:57.000000000 +0000
@@ -1,3 +1,9 @@
+node-babel7 (7.12.12+~cs150.141.84-6+deb11u1) bullseye-security; urgency=medium
+
+ * Only evaluate own String/Number/Math methods (Closes: #1053880, CVE-2023-45133)
+
+ -- Yadd Fri, 13 Oct 2023 18:25:57 +0400
+
 node-babel7 (7.12.12+~cs150.141.84-6) unstable; urgency=medium
 
 * Team upload
diff -Nru node-babel7-7.12.12+~cs150.141.84/debian/nodejs/extcopies node-babel7-7.12.12+~cs150.141.84/debian/nodejs/extcopies
--- node-babel7-7.12.12+~cs150.141.84/debian/nodejs/extcopies 2021-01-05 05:24:21.000000000 +0000
+++ node-babel7-7.12.12+~cs150.141.84/debian/nodejs/extcopies 2023-10-13 14:25:57.000000000 +0000
@@ -2,6 +2,5 @@
 rollup-plugin-node-polyfills
 to-fast-properties
 @types/lodash
-@types/node
 unicode-match-property-ecmascript
 unicode-match-property-value-ecmascript
diff -Nru node-babel7-7.12.12+~cs150.141.84/debian/patches/CVE-2023-45133.patch node-babel7-7.12.12+~cs150.141.84/debian/patches/CVE-2023-45133.patch
--- node-babel7-7.12.12+~cs150.141.84/debian/patches/CVE-2023-45133.patch 1970-01-01 00:00:00.000000000 +0000
+++ node-babel7-7.12.12+~cs150.141.84/debian/patches/CVE-2023-45133.patch 2023-10-13 14:25:57.000000000 +0000
@@ -0,0 +1,24 @@
+Description: Only evaluate own String/Number/Math methods
+Author: Nicolò Ribaudo
+Origin: upstream, commit:b13376b
+Bug: https://github.com/babel/babel/pull/16033
+Bug-Debian: https://bugs.debian.org/1053880
+Forwarded: not-needed
+Applied-Upstream: 7.23.2, commit:b13376b
+Reviewed-By: Yadd
+Last-Update: 2023-10-13
+
+--- a/packages/babel-traverse/src/path/evaluation.js
++++ b/packages/babel-traverse/src/path/evaluation.js
+@@ -358,7 +358,10 @@
+ INVALID_METHODS.indexOf(property.node.name) < 0
+ ) {
+ context = global[object.node.name];
+- func = context[property.node.name];
++ const key = property.node.name;
++ if (Object.hasOwnProperty.call(context, key)) {
++ func = context[key];
++ }
+ }
+
+ // "abc".charCodeAt(4)
diff -Nru node-babel7-7.12.12+~cs150.141.84/debian/patches/series node-babel7-7.12.12+~cs150.141.84/debian/patches/series
--- node-babel7-7.12.12+~cs150.141.84/debian/patches/series 2021-01-05 08:52:03.000000000 +0000
+++ node-babel7-7.12.12+~cs150.141.84/debian/patches/series 2023-10-13 14:25:57.000000000 +0000
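Review bot: The new guard checks that `key` is an own property of `context` but not that the resolved value is callable, so own data properties such as `Math.PI`, `Number.MAX_VALUE` or `String.prototype` are still assigned to `func`. If the call path below the hunk (not visible here) still applies any truthy `func` to the evaluated arguments, input like `Math.PI(1)` presumably makes the evaluator throw a TypeError at compile time instead of deopting — a pre-existing weakness rather than one this patch introduces, but cheap to close in the same line: `if (Object.prototype.hasOwnProperty.call(context, key) && typeof context[key] === "function") {`. That spelling also replaces `Object.hasOwnProperty.call`, which only works because `Object` itself inherits `hasOwnProperty` via `Function.prototype`; do not modernise it to `Object.hasOwn`, which bullseye's Node.js 12 does not provide. The own-property restriction is what keeps inherited members such as `constructor` (`String.constructor` is `Function`) away from the apply call, so the existing `INVALID_METHODS` filter above it should stay as an independent second check. The enclosing function starts and ends outside the hunk.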
@@ -8,3 +8,4 @@
 remove-useless-dependency.patch
 ignore-one-missing-ts-definition.patch
 update-rollup-and-babel-paths.patch
+CVE-2023-45133.patch
diff -Nru node-babel7-7.12.12+~cs150.141.84/debian/rules node-babel7-7.12.12+~cs150.141.84/debian/rules
--- node-babel7-7.12.12+~cs150.141.84/debian/rules 2021-02-03 05:31:24.000000000 +0000
+++ node-babel7-7.12.12+~cs150.141.84/debian/rules 2023-10-13 14:25:57.000000000 +0000
@@ -18,6 +18,7 @@
 ifeq (,$(filter pkg.node-babel7.yarnpkg,$(DEB_BUILD_OPTIONS) $(DEB_BUILD_PROFILES)))
 #rm -f node_modules/@babel/code-frame
 #rm -f node_modules/@babel/preset-modules
+ cp -a /usr/share/nodejs/@types/node ./node_modules/@types
 mv node_modules/@babel node_modules/.babel
 mkdir node_modules/@babel
 ln -s /usr/share/nodejs/@babel/runtime node_modules/@babel/
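Review bot: `cp -a /usr/share/nodejs/@types/node ./node_modules/@types` only yields `node_modules/@types/node` when `node_modules/@types` already exists as a directory; if it does not, `cp` silently creates `node_modules/@types` as a copy of the `node` package itself and the build carries on with the wrong layout. Nothing in this hunk creates the directory, and whether the remaining `@types/lodash` extcopies entry has populated it by this point depends on ordering outside this file, so make the intent explicit with `mkdir -p node_modules/@types` on the line before and `cp -a /usr/share/nodejs/@types/node node_modules/@types/` for the copy. The source path also implies a build-time dependency on whichever package ships `/usr/share/nodejs/@types/node`; the diff touches no `debian/control`, so confirm that package is already in Build-Depends, otherwise the copy fails in a clean chroot. A one-line comment above the copy, `# @types/node is no longer an extcopy (see debian/nodejs/extcopies); copy it in for the TypeScript build`, would save the next maintainer from re-adding the extcopies entry.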