Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock
Please unblock package node-mqtt-packet Hi all, node-mqtt-packet is vulnerable to CVE-2019-5432 (#928673). I imported upstream patch which changes only this on installed files:
diff --git a/parser.js b/parser.js
--- a/parser.js
+++ b/parser.js
@@ -302,6 +302,7 @@ Parser.prototype._parseSubscribe = function () {
 // Parse topic
 topic = this._parseString()
 if (topic === null) return this._emitError(new Error('Cannot parse topic'))
+ if (this._pos >= packet.length) return this._emitError(new Error('Malformed Subscribe Payload'))
 options = this._parseByte()
 qos = options & constants.SUBSCRIBE_OPTIONS_QOS_MASK
Full changes: * Add upstream/metadata * Declare compliance with policy 4.3.0 * Fix malformed subscribe crash (Closes: #928673, CVE-2019-5432) * Fix debian/copyright format url * Enable upstream test during build node-mqtt-packet has no reverse dependencies. So I think it is not risky to upgrade Buster package. Cheers, Xavier unblock node-mqtt-packet/6.0.0-2
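Review bot: The added guard carries no comment saying which malformed input it rejects; a reader has to reconstruct from the new test case that a remaining length covering only the topic filter leaves no byte for the requested QoS, so the following `_parseByte()` reads past the end of the packet ('Index out of range'). Suggest a comment above the new line: `// remaining length ends right after the topic filter: the mandatory requested-QoS byte is missing (CVE-2019-5432)`. `packet` and `this._pos` are set up outside the hunk, so whether `packet.length` is the remaining length or the whole buffer cannot be confirmed here. The body of `_parseSubscribe` starts before and continues after this hunk; the identical hunk is carried in debian/patches/CVE-2019-5432.diff below.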
diff --git a/debian/changelog b/debian/changelog
index b52e259..0bd7ec1 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,14 @@
+node-mqtt-packet (6.0.0-2) unstable; urgency=medium
+
+ * Team upload
+ * Add upstream/metadata
+ * Declare compliance with policy 4.3.0
+ * Fix malformed subscribe crash (Closes: #928673, CVE-2019-5432)
+ * Fix debian/copyright format url
+ * Enable upstream test during build
+
+ -- Xavier Guimard <y...@debian.org> Wed, 08 May 2019 19:27:08 +0200
+
 node-mqtt-packet (6.0.0-1) unstable; urgency=low
 * New upstream release
diff --git a/debian/control b/debian/control
index 48e32a0..079e795 100644
--- a/debian/control
+++ b/debian/control
@@ -7,7 +7,13 @@
 Build-Depends: debhelper (>= 10)
 , dh-buildinfo
 , nodejs
-Standards-Version: 4.2.1
+ , node-bl
+ , node-inherits (>= 2.0.3)
+ , node-safe-buffer (>= 5.1.0)
+ , node-process-nextick-args (>= 2.0.0)
+ , node-readable-stream <!nocheck>
+ , node-tape <!nocheck>
+Standards-Version: 4.3.0
 Homepage: https://github.com/mqttjs/mqtt-packet
 Vcs-Git: https://salsa.debian.org/js-team/node-mqtt-packet.git
 Vcs-Browser: https://salsa.debian.org/js-team/node-mqtt-packet
diff --git a/debian/copyright b/debian/copyright
index 218888d..8a2fffa 100644
--- a/debian/copyright
+++ b/debian/copyright
@@ -1,4 +1,4 @@
-Format: http://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
+Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
 Upstream-Name: mqtt-packet
 Upstream-Contact: https://github.com/mqttjs/mqtt-packet/issues
 Source: https://github.com/mqttjs/mqtt-packet
diff --git a/debian/patches/CVE-2019-5432.diff b/debian/patches/CVE-2019-5432.diff
new file mode 100644
index 0000000..cb45ae6
--- /dev/null
+++ b/debian/patches/CVE-2019-5432.diff
@@ -0,0 +1,38 @@
+Description: Fix malformed subscribe crash
+Author: Alexander Kaiser <alexander.kai...@relayr.de>
+Origin: upstream, https://github.com/mqttjs/mqtt-packet/commit/2fdbf0f7d59efc2a4812402d0794711d99704760
+Bug: https://hackerone.com/reports/541354
+Bug-Debian: https://bugs.debian.org/<bugnumber>
+Forwarded: not-needed
+Last-Update: 2019-05-08
+
+--- a/parser.js
++++ b/parser.js
+@@ -302,6 +302,7 @@
+ // Parse topic
+ topic = this._parseString()
+ if (topic === null) return this._emitError(new Error('Cannot parse topic'))
++ if (this._pos >= packet.length) return this._emitError(new Error('Malformed Subscribe Payload'))
+
+ options = this._parseByte()
+ qos = options & constants.SUBSCRIBE_OPTIONS_QOS_MASK
+--- a/test.js
++++ b/test.js
+@@ -1714,6 +1714,17 @@
+ 38, 0, 4, 116, 101, 115, 116, 0, 4, 116, 101, 115, 116 // userProperties
+ ]))
+
++// When a Subscribe packet contains a topic_filter and the given
++// length is topic_filter.length + 1 then the last byte (requested QoS) is interpreted as topic_filter
++// reading the requested_qos at the end causes 'Index out of range' read
++testParseError('Malformed Subscribe Payload', Buffer.from([
++ 130, 14, // subscribe header and remaining length
++ 0, 123, // packet ID
++ 0, 10, // topic filter length
++ 104, 105, 106, 107, 108, 47, 109, 110, 111, // topic filter with length of 9 bytes
++ 0 // requested QoS
++]))
++
+ test('stops parsing after first error', function (t) {
+ t.plan(4)
+
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 0000000..a352227
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1 @@
+CVE-2019-5432.diff
diff --git a/debian/rules b/debian/rules
index de57af0..1ff29b6 100755
--- a/debian/rules
+++ b/debian/rules
@@ -7,9 +7,7 @@
 %:
 dh $@
-#override_dh_auto_build:
-
-#override_dh_auto_test:
-
-
-
+override_dh_auto_test:
+ifeq (,$(filter nocheck,$(DEB_BUILD_OPTIONS) $(DEB_BUILD_PROFILES)))
+ tape test.js
+endif
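Review bot: The DEP-3 header of the new patch file still carries the template placeholder in `Bug-Debian: https://bugs.debian.org/<bugnumber>`, so the link resolves to nothing; the bug is named in the changelog entry and the unblock description, so the line should read `Bug-Debian: https://bugs.debian.org/928673`. The rest of the header is consistent (`Origin: upstream` with the upstream commit, `Forwarded: not-needed`), and the embedded parser.js and test.js hunks match the ones quoted in the request. This is the only patch listed in debian/patches/series.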
diff --git a/debian/upstream/metadata b/debian/upstream/metadata
new file mode 100644
index 0000000..c58a86e
--- /dev/null
+++ b/debian/upstream/metadata
@@ -0,0 +1,7 @@
+---
+Archive: GitHub
+Bug-Database: https://github.com/mqttjs/mqtt-packet/issues
+Contact: https://github.com/mqttjs/mqtt-packet/issues
+Name: mqtt-packet
+Repository: https://github.com/mqttjs/mqtt-packet.git
+Repository-Browse: https://github.com/mqttjs/mqtt-packet