github / advisory-database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
Creative Commons Attribution 4.0 International

[GHSA-m4pq-fv2w-6hrw] Deno's deno_runtime vulnerable to interactive permission prompt spoofing via improper ANSI stripping #4515

Closed westonsteimel closed 4 weeks ago

westonsteimel commented 1 month ago

Updates

Comments

The original advisory does indicate deno_runtime as the package; however, the version constraints do not appear to align with the available versions for deno_runtime since all published versions for that particular crate are still pre-1.0, so it would seem that perhaps deno would be the better package name to use here given the current version ranges.

Alternatively the version ranges could be updated to reflect the specific versioning for the deno_runtime sub-component, but I wasn't entirely sure how to figure that out

github commented 1 month ago

Hi there @Ry0taK! A community member has suggested an improvement to your security advisory. If approved, this change will affect the global advisory listed at github.com/advisories. It will not affect the version listed in your project repository.

This change will be reviewed by our Security Curation Team. If you have thoughts or feedback, please share them in a comment here! If this PR has already been closed, you can start a new community contribution for this advisory.

westonsteimel commented 1 month ago

Ah, so perhaps the specific range for deno_runtime would be >= 0.103.0, < 0.147.0 by inspecting the following:

I'll await feedback on the preference here. I think keeping it more precise makes sense if that is a reasonable method of extracting the correct versions for deno_runtime from the currently provided deno ranges

shelbyc commented 1 month ago

@westonsteimel Thank you for your research into which versions of deno_runtime correspond to versions 1.32.1 and 1.41.0 of deno! I agree that setting the vulnerable version range of deno_runtime to >= 0.103.0, < 0.147.0 makes sense. I'm also willing to include deno >= 1.32.1, < 1.41.0 if @Ry0taK agrees that it makes sense to include both.
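A check a downstream maintainer might run against the two ranges agreed above, as an added example that is not part of the advisory database, of Deno, or of anything posted in this thread. It parses a GHSA-style range string (">= X, < Y") with a small semver comparator and scans a Cargo.lock for locked packages inside a range; the lockfile text is constructed sample input, not a real Deno lockfile.

```python
"""Match locked crate versions against GHSA-style vulnerable version ranges.

Added example; the ranges are the ones agreed in this thread, the lockfile
below is constructed sample data.
"""
import re
from typing import Callable, Dict, List, Tuple

# Vulnerable version ranges as settled in the thread: the deno_runtime crate
# range, and the corresponding deno CLI release range.
AFFECTED: Dict[str, str] = {
    "deno_runtime": ">= 0.103.0, < 0.147.0",
    "deno": ">= 1.32.1, < 1.41.0",
}

_VERSION_RE = re.compile(
    r"^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$"
)


def parse_version(text: str) -> Tuple[Tuple[int, int, int], int, tuple]:
    """Parse MAJOR.MINOR.PATCH[-pre][+build] into a key that sorts per semver 2.0.

    Build metadata is ignored. A pre-release sorts before the release with the
    same core (so 0.147.0-rc.1 is still inside "< 0.147.0"); numeric identifiers
    sort below alphanumeric ones, and a shorter identifier list sorts lower.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a semver version: {text!r}")
    major, minor, patch, pre = m.groups()
    core = (int(major), int(minor), int(patch))
    if pre is None:
        return (core, 1, ())  # 1 = final release, sorts after any pre-release
    ids = tuple((0, int(p)) if p.isdigit() else (1, p) for p in pre.split("."))
    return (core, 0, ids)


_OPS: Dict[str, Callable] = {
    ">=": lambda v, b: v >= b,
    ">": lambda v, b: v > b,
    "<=": lambda v, b: v <= b,
    "<": lambda v, b: v < b,
    "=": lambda v, b: v == b,
}
_CONSTRAINT_RE = re.compile(r"^(>=|<=|>|<|=)\s*(\S+)$")


def parse_range(spec: str) -> List[Tuple[str, tuple]]:
    """Parse '>= 0.103.0, < 0.147.0' into (operator, version-key) pairs.

    Comma-separated constraints are a conjunction: all must hold.
    """
    constraints = []
    for part in spec.split(","):
        m = _CONSTRAINT_RE.match(part.strip())
        if not m:
            raise ValueError(f"bad constraint: {part!r}")
        op, ver = m.groups()
        constraints.append((op, parse_version(ver)))
    return constraints


def is_affected(package: str, version: str, ranges: Dict[str, str] = AFFECTED) -> bool:
    """True if `version` of `package` lies inside that package's advisory range."""
    if package not in ranges:
        return False
    key = parse_version(version)
    return all(_OPS[op](key, bound) for op, bound in parse_range(ranges[package]))


# Cargo.lock lists each locked crate as a [[package]] table with name then version.
_PKG_RE = re.compile(r'\[\[package\]\]\s+name = "([^"]+)"\s+version = "([^"]+)"')


def affected_in_lockfile(lock_text: str, ranges: Dict[str, str] = AFFECTED) -> List[Tuple[str, str, str]]:
    """Return (name, version, range) for every locked package inside an advisory range."""
    return [
        (name, version, ranges[name])
        for name, version in _PKG_RE.findall(lock_text)
        if is_affected(name, version, ranges)
    ]


# Constructed sample lockfile (not a real Deno Cargo.lock); one hit expected.
SAMPLE_CARGO_LOCK = """\
[[package]]
name = "deno_core"
version = "0.260.0"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "deno_runtime"
version = "0.120.0"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "tokio"
version = "1.36.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
"""

if __name__ == "__main__":
    for name, version, rng in affected_in_lockfile(SAMPLE_CARGO_LOCK):
        print(f"{name} {version} is inside vulnerable range {rng}")
```

The range string syntax is the one GHSA shows on the advisory page; the fixed version (0.147.0 / 1.41.0) is excluded by the "<" bound, while a pre-release of the fix such as 0.147.0-rc.1 still matches, which is the semver-correct reading and usually the conservative one.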

Ry0taK commented 1 month ago

@westonsteimel Thank you for making this pull request!

@shelbyc I believe that version range makes sense, but I'd like to hear an opinion from @mmastrac, who handled this advisory on the Deno-side

mmastrac commented 1 month ago

Apologies, I'm no longer at Deno and I've swapped the context on this report out. I suspect the version ranges were for the deno release itself. Unsure why deno_runtime was the component here.

Ry0taK commented 1 month ago

I see, I think it makes sense to update the version ranges/affected components then. I can update the original advisory on the denoland/deno repository if needed!

advisory-database[bot] commented 4 weeks ago

Hi @westonsteimel! Thank you so much for contributing to the GitHub Advisory Database. This database is free, open, and accessible to all, and it's people like you who make it great. Thanks for choosing to help others. We hope you send in more contributions in the future!

shelbyc commented 4 weeks ago

Happy Monday, everyone! I've changed the affected products and vulnerable version ranges to the following:

Please let me know if this is not correct and the affected products or VVRs require further changes. 👍

@mmastrac With respect to "Unsure why deno_runtime was the component here.", I believe https://github.com/denoland/deno/commit/7e6b94231290020b55f1d08fb03ea8132781abc5 is the fix commit for GHSA-m4pq-fv2w-6hrw. One of the files changed is runtime/permissions/prompter.rs, which falls under the folder corresponding to the deno_runtime package listed here: https://github.com/denoland/deno/blob/7e6b94231290020b55f1d08fb03ea8132781abc5/runtime/Cargo.toml

@Ry0taK If I didn't correctly explain why deno_runtime is listed as the affected component, I am open to hearing the correct information.

Ry0taK commented 4 weeks ago

@shelbyc Thank you! I believe that is the correct information, and I've updated the original advisory on the denoland/deno repository as well!