Package: release.debian.org Severity: normal User: release.debian....@packages.debian.org Usertags: unblock
Please unblock package node-sshpk Hello, I imported the upstream patch to fix #901093, CVE-2018-3737. Here are the full changes: * Enable nocheck build profile * Declare compliance with policy 4.3.0 * Add patch to fix ReDoS when parsing crafted invalid public keys (Closes: #901093, CVE-2018-3737) * Fix VCS fields * Fix debian/copyright format URL * Add descriptions in patches * Add upstream/metadata Reverse dependencies: - node-http-signature +-> node-request +-> node-jsdom +-> node-ytdl-core +-> node-coveralls +-> node-millstone +-> node-matrix-js-sdk +-> node-jsonld +-> node-gyp | | | V +-> npm | +-> npm2deb +-> yarnpkg +-> gitlab The change to installed files is minimal: * 2 regexp improvements * a null substitution: - var data = m[2] + m[3]; + var data = m[2] + (m[3] ? m[3] : ''); So I think it is not risky to upgrade node-sshpk. Cheers, Xavier unblock node-sshpk/1.13.1+dfsg-2
diff --git a/debian/changelog b/debian/changelog
index edaed62..0cb77bd 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,21 @@
+node-sshpk (1.13.1+dfsg-2) unstable; urgency=medium
+
+ * Team upload
+
+ [ Pirate Praveen ]
+ * Enable nocheck build profile
+
+ [ Xavier Guimard ]
+ * Declare compliance with policy 4.3.0
+ * Add patch to fix ReDoS when parsing crafted invalid public keys
+ (Closes: #901093, CVE-2018-3737)
+ * Fix VCS fields
+ * Fix debian/copyright format URL
+ * Add descriptions in patches
+ * Add upstream/metadata
+
+ -- Xavier Guimard <y...@debian.org> Tue, 16 Apr 2019 06:57:20 +0200
+
 node-sshpk (1.13.1+dfsg-1) unstable; urgency=medium
 * Team upload
diff --git a/debian/control b/debian/control
index 76f60a3..e0eac6f 100644
--- a/debian/control
+++ b/debian/control
@@ -7,23 +7,23 @@ Build-Depends: debhelper (>= 9)
 , dh-buildinfo
 , nodejs
- , node-tape
- , node-temp
- , openssl
+ , node-tape <!nocheck>
+ , node-temp <!nocheck>
+ , openssl <!nocheck>
 , node-marked-man
- , node-sinon
- , node-dashdash (>= 1.12.0)
- , node-assert-plus (>= 1.0.0)
- , node-getpass (>= 0.1.1)
- , node-asn1 (>= 0.2.3)
- , node-jsbn (>= 0.1.0)
- , node-ecc-jsbn (>= 0.1.1)
- , node-tweetnacl (>= 0.14.0)
- , node-bcrypt-pbkdf (>= 1.0.0)
-Standards-Version: 4.1.2
+ , node-sinon <!nocheck>
+ , node-dashdash (>= 1.12.0) <!nocheck>
+ , node-assert-plus (>= 1.0.0) <!nocheck>
+ , node-getpass (>= 0.1.1) <!nocheck>
+ , node-asn1 (>= 0.2.3) <!nocheck>
+ , node-jsbn (>= 0.1.0) <!nocheck>
+ , node-ecc-jsbn (>= 0.1.1) <!nocheck>
+ , node-tweetnacl (>= 0.14.0) <!nocheck>
+ , node-bcrypt-pbkdf (>= 1.0.0) <!nocheck>
+Standards-Version: 4.3.0
 Homepage: https://github.com/arekinath/node-sshpk#readme
-Vcs-Git: https://anonscm.debian.org/git/pkg-javascript/node-sshpk.git
-Vcs-Browser: https://anonscm.debian.org/cgit/pkg-javascript/node-sshpk.git
+Vcs-Browser: https://salsa.debian.org/js-team/node-sshpk
+Vcs-Git: https://salsa.debian.org/js-team/node-sshpk.git
 Package: node-sshpk
 Architecture: all
diff --git a/debian/copyright b/debian/copyright
index 72d1687..24e192f 100644
--- a/debian/copyright
+++ b/debian/copyright
@@ -1,4 +1,4 @@
-Format: http://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
+Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
 Upstream-Name: sshpk
 Upstream-Contact: https://github.com/arekinath/node-sshpk/issues
 Source: https://github.com/arekinath/node-sshpk#readme
@@ -32,4 +32,3 @@ License: Expat
 ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
-
diff --git a/debian/patches/CVE-2018-3737.diff b/debian/patches/CVE-2018-3737.diff
new file mode 100644
index 0000000..640a8f3
--- /dev/null
+++ b/debian/patches/CVE-2018-3737.diff
@@ -0,0 +1,63 @@
+Description: Fix CVE-2018-3737
+Author: Xavier Guimard <y...@debian.org>
+Origin: https://github.com/joyent/node-sshpk/commit/46065d38a5e6d1bccf86d3efb2fb83c14e3f9957
+Bug: https://security-tracker.debian.org/tracker/CVE-2018-3737
+Forwarded: not-needed
+Last-Update: 2019-04-16
+
+--- a/lib/formats/ssh.js
++++ b/lib/formats/ssh.js
+@@ -14,9 +14,9 @@
+ var sshpriv = require('./ssh-private');
+
+ /*JSSTYLED*/
+-var SSHKEY_RE = /^([a-z0-9-]+)[ \t]+([a-zA-Z0-9+\/]+[=]*)([\n \t]+([^\n]+))?$/;
++var SSHKEY_RE = /^([a-z0-9-]+)[ \t]+([a-zA-Z0-9+\/]+[=]*)([ \t]+([^ \t][^\n]*[\n]*)?)?$/;
+ /*JSSTYLED*/
+-var SSHKEY_RE2 = /^([a-z0-9-]+)[ \t]+([a-zA-Z0-9+\/ \t\n]+[=]*)(.*)$/;
++var SSHKEY_RE2 = /^([a-z0-9-]+)[ \t\n]+([a-zA-Z0-9+\/][a-zA-Z0-9+\/ \t\n=]*)([^a-zA-Z0-9+\/ \t\n=].*)?$/;
+
+ function read(buf, options) {
+ if (typeof (buf) !== 'string') {
+@@ -71,7 +71,7 @@
+ * chars from the beginning up to this point in the the string.
+ * Then offset in this and try to make up for missing = chars.
+ */
+- var data = m[2] + m[3];
++ var data = m[2] + (m[3] ? m[3] : '');
+ var realOffset = Math.ceil(ret.consumed / 3) * 4;
+ data = data.slice(0, realOffset - 2). 
/*JSSTYLED*/
+ replace(/[^a-zA-Z0-9+\/=]/g, '') +
+--- a/test/horrors.js
++++ b/test/horrors.js
+@@ -86,6 +86,30 @@
+ t.end();
+ });
+
++var KEY_NO_COMMENT = 'ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAA' +
++ 'IbmlzdHAyNTYAAABBBK9+hFGVZ9RT61pg8t7EGgkvduhPr/CBYfx+5rQFEROj8EjkoGIH2xy' +
++ 'pHOHBz0WikK5hYcwTM5YMvnNxuU0h4+c=';
++test('normal key, no comment', function (t) {
++ var k = sshpk.parseKey(KEY_NO_COMMENT, 'ssh');
++ t.strictEqual(k.type, 'ecdsa');
++ t.strictEqual(k.fingerprint('sha256').toString(),
++ 'SHA256:Kyu0EMqH8fzfp9RXKJ6kmsk9qKGBqVRtlOuk6bXfCEU');
++ t.strictEqual(k.comment, '(unnamed)');
++ t.end();
++});
++
++var KEY_COMMENT_EQ = 'ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAA' +
++ 'IbmlzdHAyNTYAAABBBK9+hFGVZ9RT61pg8t7EGgkvduhPr/CBYfx+5rQFEROj8EjkoGIH2xy' +
++ 'pHOHBz0WikK5hYcwTM5YMvnNxuU0h4+c= abc=def=a\n';
++test('comment contains =, trailing newline', function (t) {
++ var k = sshpk.parseKey(KEY_COMMENT_EQ, 'ssh');
++ t.strictEqual(k.type, 'ecdsa');
++ t.strictEqual(k.fingerprint('sha256').toString(),
++ 'SHA256:Kyu0EMqH8fzfp9RXKJ6kmsk9qKGBqVRtlOuk6bXfCEU');
++ t.strictEqual(k.comment, 'abc=def=a');
++ t.end();
++});
++
+ var KEY_BREAK = 'ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzd' +
+ 'HAyNTYAAABBBK9+hFGVZ9RT61pg8t7\nEGgkvduhPr/CBYfx+5rQFEROj8EjkoGIH2xypHOH' +
+ 'Bz0WikK5hYcwTM5YMvnNxuU0h4+c=';
diff --git a/debian/patches/disable-npm.patch b/debian/patches/disable-npm.patch
index 332afa7..52e2e68 100644
--- a/debian/patches/disable-npm.patch
+++ b/debian/patches/disable-npm.patch
@@ -1,3 +1,4 @@
+Description: Disable npm
 --- a/Makefile
 +++ b/Makefile
 @@ -44,7 +44,7 @@
diff --git a/debian/patches/series b/debian/patches/series
index bf9683c..c156910 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,3 +1,4 @@
 test-parse-fingerprint.patch
 disable-npm.patch
 use-marked-man.patch
+CVE-2018-3737.diff
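Review bot: The two tests added to test/horrors.js only parse well-formed keys (one with no comment, one whose comment contains `=` and ends in a newline), so nothing in this patch pins the ReDoS fix itself — a later edit to SSHKEY_RE or SSHKEY_RE2 that reintroduces an ambiguous quantifier would still pass this suite. I would add one negative case that feeds parseKey a crafted invalid key of the kind #901093 describes (presumably a long whitespace/base64-looking tail that the old `([\n \t]+([^\n]+))?` and `([a-zA-Z0-9+\/ \t\n]+[=]*)(.*)` tails could stall on), expects it to throw, and bounds the call with something like `t.ok(Date.now() - start < 1000, 'parse must fail fast')`. The rewritten regexes look linear to me, since every quantified class is disjoint from the token that follows it, and the `(m[3] ? m[3] : '')` guard is needed because the third group of the new SSHKEY_RE2 is optional and would otherwise append the string "undefined" to data. Separately, DEP-3 expects a category before the URL in Origin, so `Origin: backport, https://github.com/joyent/node-sshpk/commit/46065d38a5e6d1bccf86d3efb2fb83c14e3f9957` would state more precisely that this is an upstream commit carried by the Debian author. The `read()` function around the second inner hunk starts and ends outside the patch.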
diff --git a/debian/patches/use-marked-man.patch b/debian/patches/use-marked-man.patch
index 9e996d6..137e56e 100644
--- a/debian/patches/use-marked-man.patch
+++ b/debian/patches/use-marked-man.patch
@@ -1,3 +1,4 @@
+Description: Use marked man
 --- a/Makefile
 +++ b/Makefile
 @@ -18,7 +18,7 @@
diff --git a/debian/rules b/debian/rules
index da3ae59..d6dd17f 100755
--- a/debian/rules
+++ b/debian/rules
@@ -10,7 +10,9 @@
 #override_dh_auto_build:
 override_dh_auto_test:
+ifeq (,$(filter nocheck,$(DEB_BUILD_OPTIONS) $(DEB_BUILD_PROFILES)))
 tape test/*.js
+endif
 override_dh_auto_clean:
 dh_auto_clean
diff --git a/debian/upstream/metadata b/debian/upstream/metadata
new file mode 100644
index 0000000..599633e
--- /dev/null
+++ b/debian/upstream/metadata
@@ -0,0 +1,7 @@
+---
+Archive: GitHub
+Bug-Database: https://github.com/arekinath/node-sshpk/issues
+Contact: https://github.com/arekinath/node-sshpk/issues
+Name: node-sshpk
+Repository: https://github.com/arekinath/node-sshpk.git
+Repository-Browse: https://github.com/arekinath/node-sshpk