Skip to content

deno: fix CVE-2023-28446#224804

Merged
marsam merged 1 commit into
NixOS:masterfrom
06kellyjac:deno-patch
Apr 6, 2023
Merged

deno: fix CVE-2023-28446#224804
marsam merged 1 commit into
NixOS:masterfrom
06kellyjac:deno-patch

Conversation

@06kellyjac
Copy link
Copy Markdown
Member

@06kellyjac 06kellyjac commented Apr 5, 2023
edited
Loading

Description of changes

Fix GHSA-vq67-rp93-65qf on unstable with a patch for now until #221462 lands

Things done
  • Built on platform(s)
    • x86_64-linux
    • aarch64-linux
    • x86_64-darwin
    • aarch64-darwin
  • For non-Linux: Is sandbox = true set in nix.conf? (See Nix manual)
  • Tested, as applicable:
  • Tested compilation of all packages that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage
  • Tested basic functionality of all binary files (usually in ./result/bin/)
  • 23.05 Release Notes (or backporting 22.11 Release notes)
    • (Package updates) Added a release notes entry if the change is major or breaking
    • (Module updates) Added a release notes entry if the change is significant
    • (Module addition) Added a release notes entry if adding a new NixOS module
  • Fits CONTRIBUTING.md.

@06kellyjac 06kellyjac marked this pull request as draft April 5, 2023 10:02
@ofborg ofborg Bot added 11.by: package-maintainer This PR was created by a maintainer of all the package it changes. 10.rebuild-darwin: 1-10 This PR causes between 1 and 10 packages to rebuild on Darwin. 10.rebuild-linux: 1-10 This PR causes between 1 and 10 packages to rebuild on Linux. labels Apr 5, 2023
@RaitoBezarius RaitoBezarius added the 1.severity: security Issues which raise a security issue, or PRs that fix one label Apr 5, 2023
@06kellyjac 06kellyjac marked this pull request as ready for review April 5, 2023 12:12
@06kellyjac
Copy link
Copy Markdown
Member Author

06kellyjac commented Apr 5, 2023
edited
Loading

cve details:

// Expected Prompt
┌ ⚠️  Deno requests run access to "cat"
├ Requested by `Deno.Command().output()` API
├ Run again with --allow-run to bypass this prompt.
└ Allow? [y/n/A] (y = yes, allow; n = no, deny; A = allow all run permissions) >

// Actual Prompt
┌ ⚠️  Deno requests run access to "echo"
├ Requested by `Deno.Command().output()` API
├ Run again with --allow-run to bypass this prompt.
└ Allow? [y/n/A] (y = yes, allow; n = no, deny; A = allow all run permissions) >

this build's output:

λ ./result/bin/deno run --unstable cve-2023-28446-poc.ts
┌ ⚠️  Deno requests run access to "cat".
├ Requested by `┌ ⚠️  Deno requests run access to "echo"├ Requested by `Deno.Command().output()` API
├ Run again with --allow-run to bypass this prompt.
└ Allow? [y/n/A] (y = yes, allow; n = no, deny; A = allow all run permissions) >

Correctly lists cat for the first line. The Requested by section does still show the cheeky string that's trying to modify that first line which could cause some confusion but still good IMO. Will be an improvement from the current build & tide us over until #221462

ocfox
ocfox approved these changes Apr 6, 2023
View reviewed changes
Copy link
Copy Markdown
Member

@ocfox ocfox left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@ocfox ocfox added the 12.approvals: 1 This PR was reviewed and approved by one person. label Apr 6, 2023
marsam
marsam reviewed Apr 6, 2023
View reviewed changes
Comment thread pkgs/development/web/deno/default.nix Outdated
@marsam marsam merged commit 3cde9b5 into NixOS:master Apr 6, 2023
@06kellyjac 06kellyjac deleted the deno-patch branch April 11, 2023 12:04
@06kellyjac 06kellyjac mentioned this pull request Apr 12, 2023
Closed
12 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

2 more reviewers

@marsam marsam marsam left review comments

@ocfox ocfox ocfox approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

1.severity: security Issues which raise a security issue, or PRs that fix one 10.rebuild-darwin: 1-10 This PR causes between 1 and 10 packages to rebuild on Darwin. 10.rebuild-linux: 1-10 This PR causes between 1 and 10 packages to rebuild on Linux. 11.by: package-maintainer This PR was created by a maintainer of all the package it changes. 12.approvals: 1 This PR was reviewed and approved by one person.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@06kellyjac @marsam @ocfox @RaitoBezarius