Your message dated Wed, 30 Jul 2025 21:33:32 +0000
with message-id <[email protected]>
and subject line Re: unblock: node-form-data/4.0.1-2
has caused the Debian Bug report #1110154,
regarding unblock: node-form-data/4.0.1-2
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1110154: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1110154
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
X-Debbugs-Cc: [email protected]
Control: affects -1 + src:node-form-data
User: [email protected]
Usertags: unblock
Please unblock package node-form-data
CVE-2025-7783 fix (with a typo in the changelog),
already accepted for bookworm-pu in #1109819.
Other changes are Standards-Version and running more tests; the latter
succeeded in unstable.
unblock node-form-data/4.0.1-2
diffstat for node-form-data-4.0.1 node-form-data-4.0.1
changelog | 10 ++++
clean | 1
control | 2
patches/CVE-2025-7783.patch | 94 ++++++++++++++++++++++++++++++++++++++++++++
patches/series | 1
tests/pkg-js/test | 25 +++++++++++
6 files changed, 131 insertions(+), 2 deletions(-)
diff -Nru node-form-data-4.0.1/debian/changelog
node-form-data-4.0.1/debian/changelog
--- node-form-data-4.0.1/debian/changelog 2024-10-14 13:25:40.000000000
+0300
+++ node-form-data-4.0.1/debian/changelog 2025-07-24 13:45:56.000000000
+0300
@@ -1,3 +1,13 @@
+node-form-data (4.0.1-2) unstable; urgency=medium
+
+ * Team upload
+ * Declare compliance with policy 4.7.2
+ * Fix "Insufficiently Random Values vulnerability"
+ (Closes: #1109551, CVE-2025-778)
+ * Launch more tests
+
+ -- Yadd <[email protected]> Thu, 24 Jul 2025 12:45:56 +0200
+
node-form-data (4.0.1-1) unstable; urgency=medium
* Team upload
diff -Nru node-form-data-4.0.1/debian/clean node-form-data-4.0.1/debian/clean
--- node-form-data-4.0.1/debian/clean 1970-01-01 02:00:00.000000000 +0200
+++ node-form-data-4.0.1/debian/clean 2025-07-24 12:59:09.000000000 +0300
@@ -0,0 +1 @@
+test/tmp/
diff -Nru node-form-data-4.0.1/debian/control
node-form-data-4.0.1/debian/control
--- node-form-data-4.0.1/debian/control 2024-10-14 13:24:23.000000000 +0300
+++ node-form-data-4.0.1/debian/control 2025-07-24 12:40:38.000000000 +0300
@@ -11,7 +11,7 @@
, node-combined-stream <!nocheck>
, node-formidable <!nocheck>
, node-mime-types <!nocheck>
-Standards-Version: 4.7.0
+Standards-Version: 4.7.2
Vcs-Browser: https://salsa.debian.org/js-team/node-form-data
Vcs-Git: https://salsa.debian.org/js-team/node-form-data.git
Homepage: https://github.com/felixge/node-form-data
diff -Nru node-form-data-4.0.1/debian/patches/CVE-2025-7783.patch
node-form-data-4.0.1/debian/patches/CVE-2025-7783.patch
--- node-form-data-4.0.1/debian/patches/CVE-2025-7783.patch 1970-01-01
02:00:00.000000000 +0200
+++ node-form-data-4.0.1/debian/patches/CVE-2025-7783.patch 2025-07-24
13:44:45.000000000 +0300
@@ -0,0 +1,94 @@
+Description: Switch to using `crypto` random for boundary values
+Author: Ben Shonaldmann <[email protected]>
+Origin: upstream, https://github.com/form-data/form-data/commit/3d172308
+Bug: <upstream-bugtracker-url>
+Bug-Debian: https://bugs.debian.org/1109551
+Forwarded: not-needed
+Applied-Upstream: 4.0.4, commit:3d172308
+Reviewed-By: Xavier Guimard <[email protected]>
+Last-Update: 2025-07-24
+
+--- a/lib/form_data.js
++++ b/lib/form_data.js
+@@ -6,6 +6,7 @@
+ var parseUrl = require('url').parse;
+ var fs = require('fs');
+ var Stream = require('stream').Stream;
++var crypto = require('crypto');
+ var mime = require('mime-types');
+ var asynckit = require('asynckit');
+ var populate = require('./populate.js');
+@@ -347,12 +348,7 @@
+ FormData.prototype._generateBoundary = function() {
+ // This generates a 50 character boundary similar to those used by Firefox.
+ // They are optimized for boyer-moore parsing.
+- var boundary = '--------------------------';
+- for (var i = 0; i < 24; i++) {
+- boundary += Math.floor(Math.random() * 10).toString(16);
+- }
+-
+- this._boundary = boundary;
++ this._boundary = '--------------------------' + crypto.randomUUID();
+ };
+
+ // Note: getLengthSync DOESN'T calculate streams length
+--- /dev/null
++++ b/test/integration/test-boundary-prediction.js
+@@ -0,0 +1,57 @@
++var common = require('../common');
++var assert = common.assert;
++var FormData = require(common.dir.lib + '/form_data');
++var predictV8Randomness = require('predict-v8-randomness');
++
++var initialSequence = [
++ Math.random(),
++ Math.random(),
++ Math.random(),
++ Math.random(),
++];
++var predictor = new predictV8Randomness.Predictor(initialSequence);
++
++predictor.predictNext(24).then(function (next24RandomOutputs) {
++ var predictedBoundary = next24RandomOutputs
++ .map(function (v) {
++ return Math.floor(v * 10).toString(16);
++ })
++ .join('');
++
++ var boundaryIntro = '----------------------------';
++
++ var payload =
++ 'zzz\r\n' +
++ boundaryIntro +
++ predictedBoundary +
++ '\r\nContent-Disposition: form-data; name="is_admin"\r\n\r\ntrue\r\n' +
++ boundaryIntro +
++ predictedBoundary +
++ '--\r\n';
++
++ var FIELDS = {
++ my_field: {
++ value: payload,
++ },
++ };
++
++ // count total
++ var fieldsPassed = Object.keys(FIELDS).length;
++
++ // prepare form-receiving http server
++ var server = common.testFields(FIELDS, function (fields) {
++ fieldsPassed = fields;
++ });
++
++ server.listen(common.port, function () {
++ var form = new FormData();
++
++ common.actions.populateFields(form, FIELDS);
++
++ common.actions.submit(form, server);
++ });
++
++ process.on('exit', function () {
++ assert.strictEqual(fieldsPassed, 0);
++ });
++});
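Review bot: The comment kept above the new assignment in `_generateBoundary` ("This generates a 50 character boundary similar to those used by Firefox") is now stale: the old 50 came from the dash prefix plus 24 generated digits, while the new line appends the 36-character output of `crypto.randomUUID()` to the same prefix, giving 62 characters, and the Boyer-Moore remark was written for the digit-only pattern. Replace it with `// Dash prefix plus a CSPRNG-backed UUID (36 chars, 62 total); the UUID's hyphens are valid RFC 2046 boundary characters.` The added `test/integration/test-boundary-prediction.js` requires `predict-v8-randomness`, which appears in no Build-Depends hunk and is absent from the debian/tests/pkg-js/test list, so the regression test presumably never runs in the Debian build; saying so in the DEP-3 header would help. The DEP-3 `Bug:` field still holds the `<upstream-bugtracker-url>` template placeholder.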
diff -Nru node-form-data-4.0.1/debian/patches/series
node-form-data-4.0.1/debian/patches/series
--- node-form-data-4.0.1/debian/patches/series 1970-01-01 02:00:00.000000000
+0200
+++ node-form-data-4.0.1/debian/patches/series 2025-07-24 12:57:23.000000000
+0300
@@ -0,0 +1 @@
+CVE-2025-7783.patch
diff -Nru node-form-data-4.0.1/debian/tests/pkg-js/test
node-form-data-4.0.1/debian/tests/pkg-js/test
--- node-form-data-4.0.1/debian/tests/pkg-js/test 2024-10-14
13:24:23.000000000 +0300
+++ node-form-data-4.0.1/debian/tests/pkg-js/test 2025-07-24
12:58:58.000000000 +0300
@@ -1 +1,24 @@
-NODE_PATH=debian/tests/test_modules node test/common.js
+for test in \
+ test/common.js \
+ test/static.js \
+ test/integration/test-custom-content-type.js \
+ test/integration/test-submit-multi.js \
+ test/integration/test-errors.js \
+ test/integration/test-custom-headers-object.js \
+ test/integration/test-submit-multi-nocallback.js \
+ test/integration/test-custom-headers-string.js \
+ test/integration/test-submit-https.js \
+ test/integration/test-set-boundary.js \
+ test/integration/test-ranged-filestream.js \
+ test/integration/test-return-http-request.js \
+ test/integration/test-submit-readable-stream.js \
+ test/integration/test-form-get-length-sync.js \
+ test/integration/test-submit-url-parsing.js \
+ test/integration/test-last_boundary-line_break.js \
+ test/integration/test-get-buffer.js \
+ test/integration/test-options-override.js \
+ test/integration/test-to-string.js \
+ test/integration/test-form-get-length.js
+do
+ node $test
+done
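Review bot: The loop at the end of the hunk runs `node $test` for each file but ignores the exit status, so unless the harness invokes this script with `sh -e` a failing test in the middle of the list is masked by later passing ones; writing `node "$test" || exit 1` inside the loop makes the result independent of how the runner calls the script. The old command's `NODE_PATH=debian/tests/test_modules` prefix is dropped; the tests are reported to pass in unstable, so the pkg-js harness presumably provides it, but that is worth confirming. The `test/integration/test-boundary-prediction.js` added by the CVE patch is not in the list, consistent with its `predict-v8-randomness` dependency not being available; a comment such as `# test-boundary-prediction.js omitted: needs predict-v8-randomness` would save the next maintainer from wondering.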
--- End Message ---
--- Begin Message ---
Hi,
On Wed, Jul 30, 2025 at 09:07:14PM +0000, Adrian Bunk wrote:
> Please unblock package node-form-data
Unblocked.
> CVE-2025-7783 fix (with a typo in the changelog),
> already accepted for bookworm-pu in #1109819.
Can you update the info in the security tracker for CVE-2025-7783? This
version isn't listed as fixing it (probably due to the typo).
Thanks,
Ivo
--- End Message ---