deno: fix CVE-2023-28446#225898
Closed
06kellyjac wants to merge 1 commit into
Closed
Conversation
ofborg
Bot
added
11.by: package-maintainer
06kellyjac
added
the
1.severity: security
|
|
||
| cargoPatches = [ | ||
| # resolved in 1.31.2 | ||
| ./CVE-2023-28446_escape_control_chars_backport.patch |
Member
There was a problem hiding this comment.
Can you link the upstream commit? I couldn't find it.
Member
Author
There was a problem hiding this comment.
there is none. this was a backport of the commit linked in the PR description
I can put the original commit as a reference comment
(still waiting on some help from people familiar to adapt the POC to work for older deno to test this patch does work)
Member
Author
|
22.11 is EOL in just under 2 weeks and no one from the Deno community has stepped up to help test this manual backport of this patch so I'm just going to close this I think |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Description of changes
Fix GHSA-vq67-rp93-65qf on release channel
Similar to #224804
Can't just pull latest fixed because it would also require pulling in a new copy of rust. That could be an option to pull as a single attribute but that copy of rust only just made it to master.
This fix needed to be adapted from https://github.com/denoland/deno/commit/78d430103a8f6931154ddbbe19d36f3b8630286d.patch to work for the older copy of deno.
Need to adapt the POC (see GH sec advisory) to work for this copy of deno to ensure the issue is fixed.
Sadly no one from deno discord has responded to my request for adapting the POC
Things done
sandbox = trueset innix.conf? (See Nix manual)nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage./result/bin/)