Your message dated Sat, 22 Jul 2023 13:19:40 +0000
with message-id <e1qncwk-005rn4...@coccia.debian.org>
and subject line Released with 12.1
has caused the Debian Bug report #1036978,
regarding bookworm-pu: package node-undici/5.15.0+dfsg1+~cs20.10.9.3-1+deb12u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1036978: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1036978
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian....@packages.debian.org
Usertags: pu
X-Debbugs-Cc: node-und...@packages.debian.org
Control: affects -1 + src:node-undici

[ Reason ]
node-undici is vulnerable to:
 * CVE-2023-23936: "Host" HTTP header isn't protected against CRLF injection
 * CVE-2023-24807: Regex Denial of Service on headers set/append

[ Impact ]
Medium security issues

[ Tests ]
Test updated, passed

[ Risks ]
Low risk, patches are trivial

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

[ Changes ]
Just new little checks

Cheers,
Yadd
diff --git a/debian/changelog b/debian/changelog
index 3a69b63..92c0de8 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,13 @@
+node-undici (5.15.0+dfsg1+~cs20.10.9.3-1+deb12u1) bookworm; urgency=medium
+
+  * Fix security issues (Closes: #1031418):
+    - Protect "Host" HTTP header from CLRF injection (Closes: CVE-2023-23936)
+    - Fix potential ReDoS on Headers.set and Headers.append
+      (Closes: CVE-2023-24807)
+  * Increase httpbin.org test timeout
+
+ -- Yadd <y...@debian.org>  Wed, 31 May 2023 15:52:45 +0400
+
 node-undici (5.15.0+dfsg1+~cs20.10.9.3-1) unstable; urgency=medium
 
   * Update standards version to 4.6.2, no changes needed.
diff --git a/debian/patches/CVE-2023-23936.patch b/debian/patches/CVE-2023-23936.patch
new file mode 100644
index 0000000..e6fbb0f
--- /dev/null
+++ b/debian/patches/CVE-2023-23936.patch
@@ -0,0 +1,62 @@
+Description: Protect "Host" HTTP header from CLRF injection
+Author: Yadd <y...@debian.org>
+Origin: upstream, https://github.com/nodejs/undici/commit/a2eff054
+Bug: https://github.com/nodejs/undici/security/advisories/GHSA-5r9g-qh6m-jxff
+Bug-Debian: https://bugs.debian.org/1031418
+Forwarded: not-needed
+Applied-Upstream: 5.19.1, commit:a2eff054
+Reviewed-By: Yadd <y...@debian.org>
+Last-Update: 2023-05-31
+
+--- a/lib/core/request.js
++++ b/lib/core/request.js
+@@ -299,6 +299,9 @@
+     key.length === 4 &&
+     key.toLowerCase() === 'host'
+   ) {
++    if (headerCharRegex.exec(val) !== null) {
++      throw new InvalidArgumentError(`invalid ${key} header`)
++    }
+     // Consumed by Client
+     request.host = val
+   } else if (
+--- /dev/null
++++ b/test/headers-crlf.js
+@@ -0,0 +1,37 @@
++'use strict'
++
++const { test } = require('tap')
++const { Client } = require('..')
++const { createServer } = require('http')
++const EE = require('events')
++
++test('CRLF Injection in Nodejs ‘undici’ via host', (t) => {
++  t.plan(1)
++
++  const server = createServer(async (req, res) => {
++    res.end()
++  })
++  t.teardown(server.close.bind(server))
++
++  server.listen(0, async () => {
++    const client = new Client(`http://localhost:${server.address().port}`)
++    t.teardown(client.close.bind(client))
++
++    const unsanitizedContentTypeInput =  '12 \r\n\r\naaa:aaa'
++
++    try {
++      const { body } = await client.request({
++        path: '/',
++        method: 'POST',
++        headers: {
++          'content-type': 'application/json',
++          'host': unsanitizedContentTypeInput
++        },
++        body: 'asd'
++      })
++      await body.dump()
++    } catch (err) {
++      t.same(err.code, 'UND_ERR_INVALID_ARG')
++    }
++  })
++})
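Review bot: The added test asserts only inside the catch block (`t.same(err.code, 'UND_ERR_INVALID_ARG')`), so if a request carrying a CRLF-bearing host value were ever accepted again the failure would surface only as a tap plan-count mismatch rather than a named assertion; adding `t.fail('request with CRLF in host header should have been rejected')` immediately after `await body.dump()` makes the regression explicit. The variable `unsanitizedContentTypeInput` holds the host value, not a content-type, so `unsanitizedHostInput` would describe it accurately. In request.js the new guard relies on `headerCharRegex.exec(val)`; that regex is declared outside this hunk, and if it carries a global or sticky flag `exec` would retain `lastIndex` between calls and could miss a match on a later header, so it is worth confirming it is declared without `g`/`y`. The enclosing header-processing function in request.js starts and ends outside the hunk.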
diff --git a/debian/patches/CVE-2023-24807.patch b/debian/patches/CVE-2023-24807.patch
new file mode 100644
index 0000000..986fb16
--- /dev/null
+++ b/debian/patches/CVE-2023-24807.patch
@@ -0,0 +1,46 @@
+Description: fix potential ReDoS on Headers.set and Headers.append
+Author: Rich Trott <rtr...@gmail.com>
+Origin: upstream, https://github.com/nodejs/undici/commit/f2324e54
+Bug: https://github.com/nodejs/undici/security/advisories/GHSA-r6ch-mqf9-qc9w
+Bug-Debian: https://bugs.debian.org/1031418
+Forwarded: not-needed
+Applied-Upstream: 5.19.1, commit:f2324e54
+Reviewed-By: Yadd <y...@debian.org>
+Last-Update: 2023-05-31
+
+--- a/lib/fetch/headers.js
++++ b/lib/fetch/headers.js
+@@ -23,10 +23,12 @@
+   //  To normalize a byte sequence potentialValue, remove
+   //  any leading and trailing HTTP whitespace bytes from
+   //  potentialValue.
+-  return potentialValue.replace(
+-    /^[\r\n\t ]+|[\r\n\t ]+$/g,
+-    ''
+-  )
++
++  // Trimming the end with `.replace()` and a RegExp is typically subject to
++  // ReDoS. This is safer and faster.
++  let i = potentialValue.length
++  while (/[\r\n\t ]/.test(potentialValue.charAt(--i)));
++  return potentialValue.slice(0, i + 1).replace(/^[\r\n\t ]+/, '')
+ }
+ 
+ function fill (headers, object) {
+--- a/test/fetch/headers.js
++++ b/test/fetch/headers.js
+@@ -665,3 +665,14 @@
+ 
+   t.end()
+ })
++
++tap.test('headers that might cause a ReDoS', (t) => {
++  t.doesNotThrow(() => {
++    // This test will time out if the ReDoS attack is successful.
++    const headers = new Headers()
++    const attack = 'a' + '\t'.repeat(500_000) + '\ta'
++    headers.append('fhqwhgads', attack)
++  })
++
++  t.end()
++})
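Review bot: The new trailing-whitespace loop `while (/[\r\n\t ]/.test(potentialValue.charAt(--i)));` has an empty statement as its body and terminates for an all-whitespace value only because `charAt(-1)` returns `''`, which reads like an off-by-one at first glance; an explicit bound gives the same result more legibly: `let end = potentialValue.length`, `while (end > 0 && /[\r\n\t ]/.test(potentialValue.charAt(end - 1))) end--`, `return potentialValue.slice(0, end).replace(/^[\r\n\t ]+/, '')`. The added test covers only a long run of trailing tabs; a value consisting solely of whitespace and the empty string exercise the `i === -1` path and would be cheap to add next to it. The leading trim still uses a regex, but `/^[\r\n\t ]+/` is anchored with a single character class and so runs in linear time; the ReDoS concern applies to the removed unanchored end-alternation, which the new comment could state more precisely. The signature of the enclosing normalization function is outside the hunk.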
diff --git a/debian/patches/series b/debian/patches/series
index 3ee774d..ce1440a 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -5,3 +5,6 @@ fix-typescript.patch
 fix-for-test-tap.patch
 replace-npm-run.patch
 drop-ssl-tests.patch
+CVE-2023-23936.patch
+CVE-2023-24807.patch
+update-httpbin.org-test-timeout.patch
diff --git a/debian/patches/update-httpbin.org-test-timeout.patch b/debian/patches/update-httpbin.org-test-timeout.patch
new file mode 100644
index 0000000..f7aceb6
--- /dev/null
+++ b/debian/patches/update-httpbin.org-test-timeout.patch
@@ -0,0 +1,16 @@
+Description: update httpbin.org test timeout
+Author: Yadd <y...@debian.org>
+Forwarded: not-needed
+Last-Update: 2023-05-31
+
+--- a/test/node-fetch/main.js
++++ b/test/node-fetch/main.js
+@@ -1647,7 +1647,7 @@
+   })
+ 
+   it('should allow manual redirect handling', function () {
+-    this.timeout(5000)
++    this.timeout(50000)
+     const url = 'https://httpbin.org/status/302'
+     const options = {
+       redirect: 'manual'

--- End Message ---
--- Begin Message ---
Version: 12.1

The upload requested in this bug has been released as part of 12.1.

--- End Message ---
