From nobody Wed Sep 13 09:11:07 2023
Date: Wed, 13 Sep 2023 09:11:07 GMT
Message-Id: <202309130911.38D9B76j009606@gitrepo.freebsd.org>
To: ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-main@FreeBSD.org
From: Hiroki Tagato
Subject: git: 296cf69a5074 - main - security/vuxml: document vscode remote code execution vulnerability
List-Id: Commit messages for all branches of the ports repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-ports-all
Sender: owner-dev-commits-ports-all@freebsd.org
X-BeenThere: dev-commits-ports-all@freebsd.org
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-Git-Committer: tagattie
X-Git-Repository: ports
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: 296cf69a5074b78f23d78d1224375340d126bdad
Auto-Submitted: auto-generated

The branch main has been updated by tagattie:

URL: https://cgit.FreeBSD.org/ports/commit/?id=296cf69a5074b78f23d78d1224375340d126bdad

commit 296cf69a5074b78f23d78d1224375340d126bdad
Author:     Hiroki Tagato
AuthorDate: 2023-09-13 09:09:25 +0000
Commit:     Hiroki Tagato
CommitDate: 2023-09-13 09:09:25 +0000

    security/vuxml: document vscode remote code execution vulnerability

    Obtained from: https://github.com/microsoft/vscode/issues/192906

--- security/vuxml/vuln/2023.xml | 29 +++++++++++++++++++++++++++++ 1 file changed, 29 insertions(+) diff --git a/security/vuxml/vuln/2023.xml b/security/vuxml/vuln/2023.xml index 4899d98e6897..278f7fc243d9 100644 --- a/security/vuxml/vuln/2023.xml +++ b/security/vuxml/vuln/2023.xml @@ -1,3 +1,32 @@ + + vscode -- VS Code Remote Code Execution Vulnerability + + + vscode + 1.82.1 + + + + +

VSCode developers report:

+
+

Visual Studio Code Remote Code Execution Vulnerability

+

A remote code execution vulnerability exists in VS Code 1.82.0 and earlier versions that working in a maliciously crafted package.json can result in executing commands locally. This scenario would require the attacker to get the VS Code user to open the malicious project and have get the user to open and work with malformed entries in the dependencies sections of the package.json file.

+

VS Code uses the locally installed npm command to fetch information on package dependencies. A package dependency can be named in such a way that the npm tool runs a script instead.

+
+ +
+ + CVE-2023-36742 + https://nvd.nist.gov/vuln/detail/CVE-2023-36742 + https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36742 + + + 2023-09-12 + 2023-09-13 + +
+ zeek -- potential DoS vulnerabilities
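Review bot: the quoted description keeps the upstream text's grammatical slips ("that working in a maliciously crafted package.json can result in executing commands locally", "have get the user to open and work with malformed entries"), and the entry credits it as "VSCode developers report" while the commit message says it was obtained from the GitHub issue and the references list the MSRC update-guide page for CVE-2023-36742; either keep the quote verbatim and point the blockquote at the advisory page that actually carries this wording, or lightly tidy the two sentences so the entry reads cleanly. Also confirm that the vscode package range is a strict less-than on 1.82.1, which is what "VS Code 1.82.0 and earlier versions" in the description implies.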