Versions in Bionic, Focal and Jammy are vulnerable to CVE-2022-24785 and CVE-2022-31129

Bug #1982617 reported by Luís Infante da Câmara
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
node-moment (Ubuntu) | Fix Released | Undecided | Unassigned |
Bionic | Fix Released | Undecided | Unassigned |
Focal | Fix Released | Undecided | Unassigned |
Jammy | Fix Released | Undecided | Unassigned |

Bug Description

The versions in Bionic, Focal and Jammy are vulnerable to CVE-2022-24785 and CVE-2022-31129.

Please release patched packages.

I will forward these patches to Debian.

Tags: patch

information type: Public → Public Security
Luís Infante da Câmara (luis220413) wrote :
Ubuntu Foundations Team Bug Bot (crichton) wrote :

The attachment "node-moment_bionic.debdiff" seems to be a debdiff. The ubuntu-sponsors team has been subscribed to the bug report so that they can review and hopefully sponsor the debdiff. If the attachment isn't a patch, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of ~ubuntu-sponsors, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issue please contact him.]

tags: added: patch
Luís Infante da Câmara (luis220413) wrote :

Lintian outputs the following warnings for the patched source package in Focal:
W: node-moment source: pkg-js-autopkgtest-test-is-missing debian/tests/pkg-js/test
W: node-moment source: pkg-js-tools-test-is-missing debian/tests/pkg-js/test

Luís Infante da Câmara (luis220413) wrote :

Lintian outputs the following warning for the patched source package in Jammy:
W: node-moment source: mismatched-override very-long-line-length-in-source-file src/test/locale/bo.js line length is 606 characters (>512)

Luís Infante da Câmara (luis220413) wrote :

Lintian outputs the following warnings for the patched source package in Bionic:
W: node-moment source: vcs-deprecated-in-debian-infrastructure vcs-git https://anonscm.debian.org/git/pkg-javascript/node-moment.git
W: node-moment source: vcs-deprecated-in-debian-infrastructure vcs-browser https://anonscm.debian.org/cgit/pkg-javascript/node-moment.git

Eduardo Barretto (ebarretto) wrote :

Hi Luis,

As part of the sponsoring process, could you please provide executed tests?

Changed in node-moment (Ubuntu):
status: New → Incomplete
Luís Infante da Câmara (luis220413) wrote (last edit ):

In Ubuntu 18.04, running autopkgtest on the patched source package appears not to execute tests.

[Download the source package from the PPA]
$ dpkg-source -x node-moment_2.20.1+ds-1ubuntu0.1.dsc
$ cd node-moment-2.20.1+ds
$ debuild -us -uc
[If there are unmet build dependencies and/or conflicts, install them (or resolve in the case of conflicts) and repeat]
$ cd min
$ sed -Ei '1ivar QUnit = require("qunit");' tests.js
$ node tests.js
[No output means tests pass]

All tests pass on Ubuntu 18.04.

Luís Infante da Câmara (luis220413) wrote :

I patched the package for Ubuntu 20.04 such that the upstream test suite runs during the build and fails the build if it fails. This addresses the Lintian warnings.

Luís Infante da Câmara (luis220413) wrote :

I did the same for Ubuntu 18.04 and 22.04.

Changed in node-moment (Ubuntu):
status: Incomplete → Fix Committed
Luís Infante da Câmara (luis220413) wrote :

For Ubuntu 22.04 I also addressed an unrelated Lintian warning by removing debian/source/lintian-overrides.

Changed in node-moment (Ubuntu):
status: Fix Committed → In Progress
assignee: nobody → Luís Cunha dos Reis Infante da Câmara (luis220413)
Luís Infante da Câmara (luis220413) wrote :
Eduardo Barretto (ebarretto) wrote :

Hi Luis,

It is usually not a good idea (or at least not possible) to enable tests when they were specifically disabled in the debian package. There are many reasons why the package maintainer disabled the tests during build.
Nevertheless, have you tried building those packages in a ppa with the test enabled to see if it still builds?
I see on your ppa that focal and jammy are failing to build with tests enabled, but I do not see bionic there with tests enabled.

Luís Infante da Câmara (luis220413) wrote :
Changed in node-moment (Ubuntu):
status: In Progress → Fix Committed
assignee: Luís Cunha dos Reis Infante da Câmara (luis220413) → nobody
Luís Infante da Câmara (luis220413) wrote :

The packages for Focal and Jammy now build successfully in my PPA (https://launchpad.net/~luis220413/+archive/ubuntu/security-updates/+packages).

Luís Infante da Câmara (luis220413) wrote :

I will upload a new version for Bionic with tests enabled.

Luís Infante da Câmara (luis220413) wrote (last edit ):

The version in Bionic runs tests at build time, but through a different mechanism, in the script debian/run_test_suite, because pkg-js-tools is not available.

Luís Infante da Câmara (luis220413) wrote :

Please release the packages.

Changed in node-moment (Ubuntu Bionic):
status: New → Confirmed
Changed in node-moment (Ubuntu Focal):
status: New → Confirmed
Changed in node-moment (Ubuntu Jammy):
status: New → Confirmed
Nishit Majithia (0xnishit) wrote :

Thanks Luis, I will be looking into your fixes and will update this thread.

Changed in node-moment (Ubuntu):
assignee: nobody → Nishit Majithia (0xnishit)
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package node-moment - 2.24.0+ds-2ubuntu0.1

---------------
node-moment (2.24.0+ds-2ubuntu0.1) focal-security; urgency=medium

  * SECURITY UPDATE: Path traversal (LP: #1982617)
    - debian/patches/CVE-2022-24785.patch: Avoid loading path-looking locales
      from filesystem.
    - CVE-2022-24785
  * SECURITY UPDATE: Denial of service via very long date string (LP: #1982617)
    - debian/patches/CVE-2022-31129.patch: Make a regular expression more
      efficient.
    - CVE-2022-31129
  * debian/control: Add build dependency on libjs-qunit.
  * debian/tests/pkg-js/test: New file that invokes the upstream test suite.
    This addresses the Lintian warnings.

 -- Luís Infante da Câmara <email address hidden> Thu, 04 Aug 2022 07:50:50 +0100

Changed in node-moment (Ubuntu Focal):
status: Confirmed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package node-moment - 2.20.1+ds-1ubuntu0.1

---------------
node-moment (2.20.1+ds-1ubuntu0.1) bionic-security; urgency=medium

  * SECURITY UPDATE: Path traversal (LP: #1982617)
    - debian/patches/CVE-2022-24785.patch: Avoid loading path-looking locales
      from filesystem.
    - CVE-2022-24785
  * SECURITY UPDATE: Denial of service via very long date string (LP: #1982617)
    - debian/patches/CVE-2022-31129.patch: Make a regular expression more
      efficient.
    - CVE-2022-31129
  * debian/control: Add a build dependency on libjs-qunit.
  * debian/rules: Add an override_dh_auto_test target that invokes
    debian/run_test_suite.
  * debian/run_test_suite: New file that invokes the upstream test suite.

 -- Luís Infante da Câmara <email address hidden> Fri, 22 Jul 2022 22:08:31 +0100

Changed in node-moment (Ubuntu Bionic):
status: Confirmed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package node-moment - 2.29.1+ds-3ubuntu0.2

---------------
node-moment (2.29.1+ds-3ubuntu0.2) jammy-security; urgency=medium

  * SECURITY UPDATE: Path traversal (LP: #1982617)
    - debian/patches/CVE-2022-24785.patch: Avoid loading path-looking locales
      from filesystem.
    - CVE-2022-24785
  * SECURITY UPDATE: Denial of service via very long date string (LP: #1982617)
    - debian/patches/CVE-2022-31129.patch: Make a regular expression more
      efficient.
    - CVE-2022-31129
  * debian/changelog: Add build dependency on libjs-qunit.
  * debian/source/lintian-overrides: Remove, because all overrides are unused
    or mismatched.
  * debian/tests/control: Add dependency on libjs-qunit.
  * debian/tests/pkg-js/test: Do a complete test.

 -- Luís Infante da Câmara <email address hidden> Thu, 04 Aug 2022 09:27:56 +0100

Changed in node-moment (Ubuntu Jammy):
status: Confirmed → Fix Released
Changed in node-moment (Ubuntu):
status: Fix Committed → Fix Released
assignee: Nishit Majithia (0xnishit) → nobody