Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock

Please unblock package node-sshpk

Hello,

I imported the upstream patch to fix #901093, CVE-2018-3737. Here are the
full changes:
  * Enable nocheck build profile
  * Declare compliance with policy 4.3.0
  * Add patch to fix ReDoS when parsing crafted invalid public keys
    (Closes: #901093, CVE-2018-3737)
  * Fix VCS fields
  * Fix debian/copyright format URL
  * Add descriptions in patches
  * Add upstream/metadata

Reverse dependencies:
 - node-http-signature
   +-> node-request
       +-> node-jsdom
       +-> node-ytdl-core
       +-> node-coveralls
       +-> node-millstone
       +-> node-matrix-js-sdk
       +-> node-jsonld
       +-> node-gyp
       |    |
       |    V
       +-> npm
       |    +-> npm2deb
       +-> yarnpkg
            +-> gitlab

The change to installed files is minimal:
 * 2 regexp improvements
 * a guard for an undefined match group:
    - var data = m[2] + m[3];
    + var data = m[2] + (m[3] ? m[3] : '');

So I think upgrading node-sshpk is not risky.

Cheers,
Xavier

unblock node-sshpk/1.13.1+dfsg-2
diff --git a/debian/changelog b/debian/changelog
index edaed62..0cb77bd 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,21 @@
+node-sshpk (1.13.1+dfsg-2) unstable; urgency=medium
+
+  * Team upload
+
+  [ Pirate Praveen ]
+  * Enable nocheck build profile
+
+  [ Xavier Guimard ]
+  * Declare compliance with policy 4.3.0
+  * Add patch to fix ReDoS when parsing crafted invalid public keys
+    (Closes: #901093, CVE-2018-3737)
+  * Fix VCS fields
+  * Fix debian/copyright format URL
+  * Add descriptions in patches
+  * Add upstream/metadata
+
+ -- Xavier Guimard <y...@debian.org>  Tue, 16 Apr 2019 06:57:20 +0200
+
 node-sshpk (1.13.1+dfsg-1) unstable; urgency=medium
 
   * Team upload
diff --git a/debian/control b/debian/control
index 76f60a3..e0eac6f 100644
--- a/debian/control
+++ b/debian/control
@@ -7,23 +7,23 @@ Build-Depends:
  debhelper (>= 9)
  , dh-buildinfo
  , nodejs
- , node-tape
- , node-temp
- , openssl
+ , node-tape <!nocheck>
+ , node-temp <!nocheck>
+ , openssl <!nocheck>
  , node-marked-man
- , node-sinon
- , node-dashdash (>= 1.12.0)
- , node-assert-plus (>= 1.0.0)
- , node-getpass (>= 0.1.1)
- , node-asn1 (>= 0.2.3)
- , node-jsbn (>= 0.1.0)
- , node-ecc-jsbn (>= 0.1.1)
- , node-tweetnacl (>= 0.14.0)
- , node-bcrypt-pbkdf (>= 1.0.0)
-Standards-Version: 4.1.2
+ , node-sinon <!nocheck>
+ , node-dashdash (>= 1.12.0) <!nocheck>
+ , node-assert-plus (>= 1.0.0) <!nocheck>
+ , node-getpass (>= 0.1.1) <!nocheck>
+ , node-asn1 (>= 0.2.3) <!nocheck>
+ , node-jsbn (>= 0.1.0) <!nocheck>
+ , node-ecc-jsbn (>= 0.1.1) <!nocheck>
+ , node-tweetnacl (>= 0.14.0) <!nocheck>
+ , node-bcrypt-pbkdf (>= 1.0.0) <!nocheck>
+Standards-Version: 4.3.0
 Homepage: https://github.com/arekinath/node-sshpk#readme
-Vcs-Git: https://anonscm.debian.org/git/pkg-javascript/node-sshpk.git
-Vcs-Browser: https://anonscm.debian.org/cgit/pkg-javascript/node-sshpk.git
+Vcs-Browser: https://salsa.debian.org/js-team/node-sshpk
+Vcs-Git: https://salsa.debian.org/js-team/node-sshpk.git
 
 Package: node-sshpk
 Architecture: all
diff --git a/debian/copyright b/debian/copyright
index 72d1687..24e192f 100644
--- a/debian/copyright
+++ b/debian/copyright
@@ -1,4 +1,4 @@
-Format: http://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
+Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
 Upstream-Name: sshpk
 Upstream-Contact: https://github.com/arekinath/node-sshpk/issues
 Source: https://github.com/arekinath/node-sshpk#readme
@@ -32,4 +32,3 @@ License: Expat
  ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
  CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
  SOFTWARE.
-
diff --git a/debian/patches/CVE-2018-3737.diff 
b/debian/patches/CVE-2018-3737.diff
new file mode 100644
index 0000000..640a8f3
--- /dev/null
+++ b/debian/patches/CVE-2018-3737.diff
@@ -0,0 +1,63 @@
+Description: Fix CVE-2018-3737
+Author: Xavier Guimard <y...@debian.org>
+Origin: 
https://github.com/joyent/node-sshpk/commit/46065d38a5e6d1bccf86d3efb2fb83c14e3f9957
+Bug: https://security-tracker.debian.org/tracker/CVE-2018-3737
+Forwarded: not-needed
+Last-Update: 2019-04-16
+
+--- a/lib/formats/ssh.js
++++ b/lib/formats/ssh.js
+@@ -14,9 +14,9 @@
+ var sshpriv = require('./ssh-private');
+ 
+ /*JSSTYLED*/
+-var SSHKEY_RE = /^([a-z0-9-]+)[ \t]+([a-zA-Z0-9+\/]+[=]*)([\n 
\t]+([^\n]+))?$/;
++var SSHKEY_RE = /^([a-z0-9-]+)[ \t]+([a-zA-Z0-9+\/]+[=]*)([ \t]+([^ 
\t][^\n]*[\n]*)?)?$/;
+ /*JSSTYLED*/
+-var SSHKEY_RE2 = /^([a-z0-9-]+)[ \t]+([a-zA-Z0-9+\/ \t\n]+[=]*)(.*)$/;
++var SSHKEY_RE2 = /^([a-z0-9-]+)[ \t\n]+([a-zA-Z0-9+\/][a-zA-Z0-9+\/ 
\t\n=]*)([^a-zA-Z0-9+\/ \t\n=].*)?$/;
+ 
+ function read(buf, options) {
+       if (typeof (buf) !== 'string') {
+@@ -71,7 +71,7 @@
+                * chars from the beginning up to this point in the the string.
+                * Then offset in this and try to make up for missing = chars.
+                */
+-              var data = m[2] + m[3];
++              var data = m[2] + (m[3] ? m[3] : '');
+               var realOffset = Math.ceil(ret.consumed / 3) * 4;
+               data = data.slice(0, realOffset - 2). /*JSSTYLED*/
+                   replace(/[^a-zA-Z0-9+\/=]/g, '') +
+--- a/test/horrors.js
++++ b/test/horrors.js
+@@ -86,6 +86,30 @@
+       t.end();
+ });
+ 
++var KEY_NO_COMMENT = 'ecdsa-sha2-nistp256 
AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAA' +
++    
'IbmlzdHAyNTYAAABBBK9+hFGVZ9RT61pg8t7EGgkvduhPr/CBYfx+5rQFEROj8EjkoGIH2xy' +
++    'pHOHBz0WikK5hYcwTM5YMvnNxuU0h4+c=';
++test('normal key, no comment', function (t) {
++      var k = sshpk.parseKey(KEY_NO_COMMENT, 'ssh');
++      t.strictEqual(k.type, 'ecdsa');
++      t.strictEqual(k.fingerprint('sha256').toString(),
++          'SHA256:Kyu0EMqH8fzfp9RXKJ6kmsk9qKGBqVRtlOuk6bXfCEU');
++      t.strictEqual(k.comment, '(unnamed)');
++      t.end();
++});
++
++var KEY_COMMENT_EQ = 'ecdsa-sha2-nistp256 
AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAA' +
++    
'IbmlzdHAyNTYAAABBBK9+hFGVZ9RT61pg8t7EGgkvduhPr/CBYfx+5rQFEROj8EjkoGIH2xy' +
++    'pHOHBz0WikK5hYcwTM5YMvnNxuU0h4+c= abc=def=a\n';
++test('comment contains =, trailing newline', function (t) {
++      var k = sshpk.parseKey(KEY_COMMENT_EQ, 'ssh');
++      t.strictEqual(k.type, 'ecdsa');
++      t.strictEqual(k.fingerprint('sha256').toString(),
++          'SHA256:Kyu0EMqH8fzfp9RXKJ6kmsk9qKGBqVRtlOuk6bXfCEU');
++      t.strictEqual(k.comment, 'abc=def=a');
++      t.end();
++});
++
+ var KEY_BREAK = 'ecdsa-sha2-nistp256 
AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzd' +
+     
'HAyNTYAAABBBK9+hFGVZ9RT61pg8t7\nEGgkvduhPr/CBYfx+5rQFEROj8EjkoGIH2xypHOH' +
+     'Bz0WikK5hYcwTM5YMvnNxuU0h4+c=';
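Review bot: The two tests added to test/horrors.js (`normal key, no comment` and `comment contains =, trailing newline`) only check that well-formed keys still parse; nothing exercises the ReDoS condition itself, so a later edit to SSHKEY_RE or SSHKEY_RE2 could reintroduce catastrophic backtracking without any CI failure. A regression test that feeds `sshpk.parseKey` a long malformed key string inside a try/catch, asserts that it throws or returns within a short wall-clock bound, and references CVE-2018-3737 in its name would pin the fix. The patch header is also terse for a security backport: `Description: Fix CVE-2018-3737 (ReDoS in SSH public key regexps; comment group made optional)` would tell a reader what changed without opening the diff. The regexp lines in this mail appear wrapped at L155-158 and L161-162, presumably by the mail client; if the on-disk debian/patches/CVE-2018-3737.diff is unaffected this is cosmetic, but it is worth confirming the file applies cleanly since a line break inside the character class would change the pattern. The `read()` function whose `var data = m[2] + (m[3] ? m[3] : '')` line is changed begins and ends outside this hunk.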
diff --git a/debian/patches/disable-npm.patch b/debian/patches/disable-npm.patch
index 332afa7..52e2e68 100644
--- a/debian/patches/disable-npm.patch
+++ b/debian/patches/disable-npm.patch
@@ -1,3 +1,4 @@
+Description: Disable npm
 --- a/Makefile
 +++ b/Makefile
 @@ -44,7 +44,7 @@
diff --git a/debian/patches/series b/debian/patches/series
index bf9683c..c156910 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,3 +1,4 @@
 test-parse-fingerprint.patch
 disable-npm.patch
 use-marked-man.patch
+CVE-2018-3737.diff
diff --git a/debian/patches/use-marked-man.patch 
b/debian/patches/use-marked-man.patch
index 9e996d6..137e56e 100644
--- a/debian/patches/use-marked-man.patch
+++ b/debian/patches/use-marked-man.patch
@@ -1,3 +1,4 @@
+Description: Use marked man
 --- a/Makefile
 +++ b/Makefile
 @@ -18,7 +18,7 @@
diff --git a/debian/rules b/debian/rules
index da3ae59..d6dd17f 100755
--- a/debian/rules
+++ b/debian/rules
@@ -10,7 +10,9 @@
 #override_dh_auto_build:
 
 override_dh_auto_test:
+ifeq (,$(filter nocheck,$(DEB_BUILD_OPTIONS) $(DEB_BUILD_PROFILES)))
        tape test/*.js
+endif
 
 override_dh_auto_clean:
        dh_auto_clean
diff --git a/debian/upstream/metadata b/debian/upstream/metadata
new file mode 100644
index 0000000..599633e
--- /dev/null
+++ b/debian/upstream/metadata
@@ -0,0 +1,7 @@
+---
+Archive: GitHub
+Bug-Database: https://github.com/arekinath/node-sshpk/issues
+Contact: https://github.com/arekinath/node-sshpk/issues
+Name: node-sshpk
+Repository: https://github.com/arekinath/node-sshpk.git
+Repository-Browse: https://github.com/arekinath/node-sshpk
