On 23/04/2019 at 07:02, Adam D. Barratt wrote:
> On Mon, 2019-04-22 at 23:17 +0200, Xavier wrote:
>> On 22/04/2019 at 20:15, Paul Gevers wrote:
> [...]
>>> I think your patch seems to be invalid in stretch. When I ran the
>>> autopkgtests in stretch I see the error below, which is exactly the
>>> new code.
> [...]
>> Sorry for this error in my tests. Here is a new debdiff (let replaced
>> by var for old nodejs, no consequences here since this variable isn't
>> used somewhere else).
>>
>
> +deb9u1 is already in p-u, so this needs to be a +deb9u2 with a fix on
> top of that, not a replacement +deb9u1.

OK, here is the new one
diff --git a/debian/changelog b/debian/changelog index 645a574..5fde1b8 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +node-superagent (0.20.0+dfsg-1+deb9u2) stretch; urgency=medium + + * Fix incompatible instruction in CVE-2017-16129 patch + + -- Xavier Guimard <y...@debian.org> Tue, 23 Apr 2019 07:07:07 +0200 + node-superagent (0.20.0+dfsg-1+deb9u1) stretch; urgency=medium * Team upload diff --git a/debian/patches/CVE-2017-16129.diff b/debian/patches/CVE-2017-16129.diff index c1f700c..bedfe20 100644 --- a/debian/patches/CVE-2017-16129.diff +++ b/debian/patches/CVE-2017-16129.diff @@ -13,7 +13,7 @@ Last-Update: 2019-04-18 + if (buffer) { + // Protection against zip bombs and other nuisance -+ let responseBytesLeft = self._maxResponseSize || 200000000; ++ var responseBytesLeft = self._maxResponseSize || 200000000; + res.on('data', function(buf) { + responseBytesLeft -= buf.byteLength || buf.length; + if (responseBytesLeft < 0) {
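
Review bot: the new entry in the debian/changelog hunk, "Fix incompatible instruction in CVE-2017-16129 patch", does not say what was incompatible or with what. Since this is a +deb9u2 on top of a +deb9u1 already in p-u, spell the change out, for example that "let" is replaced by "var" because of the older nodejs in stretch, so the entry can be understood without this thread.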
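
Review bot: in the debian/patches/CVE-2017-16129.diff hunk, the "+var responseBytesLeft" line makes the counter function-scoped, so it is no longer confined to the "if (buffer) {" block as it was with "let". The message states the name is not used anywhere else; recording that in the patch header would keep the reasoning with the patch. The hunk context also still shows "Last-Update: 2019-04-18" although the patch body changes in this upload, so that date should be bumped. Separately, "self._maxResponseSize || 200000000" falls back to the default whenever the configured value is falsy, including 0, which deserves a short comment next to the limit.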