Your message dated Thu, 01 May 2025 09:35:33 +0000
with message-id <[email protected]>
and subject line Bug#922075: fixed in nodejs 20.19.0+dfsg1-1
has caused the Debian Bug report #922075,
regarding npm: segfault during extract on i386 (CVE-2025-47153)
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
922075: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=922075
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: npm
Version: 5.8.0+ds6-3
Severity: normal

I get a repeatable segfault from npm install by doing the following on
i386 (deleting the local .npm and node_modules dirs is not needed to
reproduce).

-*-

$ rm -rf .npm/
$ rm -rf node_modules/
$ npm --verbose install [email protected]
npm info it worked if it ends with ok
npm WARN npm npm does not support Node.js v10.15.1
npm WARN npm You should probably upgrade to a newer version of node as we
npm WARN npm can't make any promises that npm will work with this version.
npm WARN npm Supported releases of Node.js are the latest release of 4, 6, 7, 8, 9.
npm WARN npm You can find the latest version at https://nodejs.org/
npm verb cli [ '/usr/bin/node',
npm verb cli   '/usr/bin/npm',
npm verb cli   '--verbose',
npm verb cli   'install',
npm verb cli   '[email protected]' ]
npm info using [email protected]
npm info using [email protected]
npm verb config Skipping project config: /home/tpikonen/.npmrc. (matches userconfig)
npm verb npm-session 07474421384f9f89
npm http fetch GET 200 https://registry.npmjs.org/electron-spellchecker 259ms
npm http fetch GET 200 https://registry.npmjs.org/bcp47 118ms
npm http fetch GET 200 https://registry.npmjs.org/debug 189ms
npm http fetch GET 200 https://registry.npmjs.org/electron-remote 192ms
npm http fetch GET 200 https://registry.npmjs.org/@paulcbetts%2fcld 227ms
npm http fetch GET 200 https://registry.npmjs.org/keyboard-layout 227ms
npm http fetch GET 200 https://registry.npmjs.org/spawn-rx 104ms
npm http fetch GET 200 https://registry.npmjs.org/pify 241ms
npm http fetch GET 200 https://registry.npmjs.org/lru-cache 247ms
npm http fetch GET 200 https://registry.npmjs.org/@paulcbetts%2fspellchecker 258ms
npm http fetch GET 200 https://registry.npmjs.org/debug/-/debug-2.6.9.tgz 97ms
npm http fetch GET 200 https://registry.npmjs.org/rxjs-serial-subscription 321ms
npm http fetch GET 200 https://registry.npmjs.org/pify/-/pify-2.3.0.tgz 100ms
npm http fetch GET 200 https://registry.npmjs.org/rxjs 421ms
npm http fetch GET 200 https://registry.npmjs.org/spawn-rx/-/spawn-rx-2.0.12.tgz 204ms
npm http fetch GET 200 https://registry.npmjs.org/underscore 51ms
npm http fetch GET 200 https://registry.npmjs.org/glob 54ms
npm http fetch GET 200 https://registry.npmjs.org/ms 35ms
npm http fetch GET 200 https://registry.npmjs.org/ms/-/ms-2.0.0.tgz 42ms
npm http fetch GET 200 https://registry.npmjs.org/lodash.get 51ms
npm http fetch GET 200 https://registry.npmjs.org/xmlhttprequest 57ms
npm http fetch GET 200 https://registry.npmjs.org/hashids 68ms
npm http fetch GET 200 https://registry.npmjs.org/symbol-observable 33ms
npm http fetch GET 200 https://registry.npmjs.org/nan 49ms
npm http fetch GET 200 https://registry.npmjs.org/event-kit 59ms
npm http fetch GET 200 https://registry.npmjs.org/yallist 36ms
npm http fetch GET 200 https://registry.npmjs.org/pseudomap 43ms
npm http fetch GET 200 https://registry.npmjs.org/yallist/-/yallist-2.1.2.tgz 36ms
npm http fetch GET 200 https://registry.npmjs.org/lodash.assign 39ms
npm verb correctMkdir /home/tpikonen/.npm/_locks correctMkdir not in flight; initializing
npm verb makeDirectory /home/tpikonen/.npm/_locks creation not in flight; initializing
npm verb lock using /home/tpikonen/.npm/_locks/staging-1ec0d591837db4e7.lock for /home/tpikonen/node_modules/.staging
npm http fetch GET 200 https://registry.npmjs.org/hashids/-/hashids-1.2.2.tgz 316ms
npm http fetch GET 200 https://registry.npmjs.org/pseudomap/-/pseudomap-1.0.2.tgz 313ms
npm http fetch GET 200 https://registry.npmjs.org/event-kit/-/event-kit-2.5.3.tgz 320ms
npm http fetch GET 200 https://registry.npmjs.org/lodash.get/-/lodash.get-4.4.2.tgz 316ms
npm http fetch GET 200 https://registry.npmjs.org/symbol-observable/-/symbol-observable-1.0.1.tgz 322ms
npm WARN tar write after end
npm http fetch GET 200 https://registry.npmjs.org/brace-expansion/-/brace-expansion-1.1.11.tgz 497ms
Segmentation fault.] / extract:brace-expansion: sill extract [email protected] extracted to /home/tpikonen/node_modules/.staging/brace-expansion-3f1cd090

-*-

On repeated runs the package being extracted is not always the same, but
the segfault happens when the first package is extracted.

This bug is probably not in npm, but in the interpreter. I'll let you
sort that out though.

Here's my /proc/cpuinfo for reference:

processor       : 1
vendor_id       : GenuineIntel
cpu family      : 6
model           : 15
model name      : Intel(R) Core(TM)2 CPU         T7400  @ 2.16GHz
stepping        : 6
microcode       : 0xc7
cpu MHz         : 1333.000
cache size      : 4096 KB
physical id     : 0
siblings        : 2
core id         : 1
cpu cores       : 2
apicid          : 1
initial apicid  : 1
fdiv_bug        : no
f00f_bug        : no
coma_bug        : no
fpu             : yes
fpu_exception   : yes
cpuid level     : 10
wp              : yes
flags           : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca
cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe nx lm
constant_tsc arch_perfmon pebs bts aperfmperf pni dtes64 monitor ds_cpl
vmx est tm2 ssse3 cx16 xtpr pdcm lahf_lm tpr_shadow dtherm
bugs            : cpu_meltdown spectre_v1 spectre_v2 spec_store_bypass l1tf
bogomips        : 4322.57
clflush size    : 64
cache_alignment : 64
address sizes   : 36 bits physical, 48 bits virtual
power management:


-- System Information:
Debian Release: buster/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (i686)

Kernel: Linux 4.9.0-8-686-pae (SMP w/2 CPU cores)
Kernel taint flags: TAINT_WARN
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages npm depends on:
ii  ca-certificates                 20190110
ii  node-abbrev                     1.1.1-1
ii  node-ansi                       0.3.0-2
ii  node-ansi-regex                 3.0.0-1
ii  node-ansistyles                 0.1.3-1
ii  node-aproba                     1.2.0-1
ii  node-archy                      1.0.0-1
ii  node-bluebird                   3.5.1+dfsg2-2
ii  node-boxen                      1.2.2-1
ii  node-cacache                    11.3.2-2
ii  node-call-limit                 1.1.0-1
ii  node-chownr                     1.1.1-1
ii  node-config-chain               1.1.11-1
ii  node-detect-indent              5.0.0-1
ii  node-detect-newline             2.1.0-1
ii  node-editor                     1.0.0-1
ii  node-encoding                   0.1.12-2
ii  node-errno                      0.1.4-1
ii  node-from2                      2.3.0-1
ii  node-fs-vacuum                  1.2.10-2
ii  node-fs-write-stream-atomic     1.0.10-4
ii  node-glob                       7.1.3-2
ii  node-graceful-fs                4.1.11-1
ii  node-gyp                        3.8.0-4
ii  node-has-unicode                2.0.1-2
ii  node-hosted-git-info            2.7.1-1
ii  node-iferr                      1.0.2-1
ii  node-import-lazy                3.0.0.REALLY.2.1.0-1
ii  node-inflight                   1.0.6-1
ii  node-inherits                   2.0.3-1
ii  node-ini                        1.3.5-1
ii  node-is-npm                     1.0.0-1
ii  node-json-parse-better-errors   1.0.2-2
ii  node-jsonstream                 1.3.2-1
ii  node-latest-version             3.1.0-1
ii  node-lazy-property              1.0.0-3
ii  node-libnpx                     10.2.0-2
ii  node-lockfile                   1.0.4-1
ii  node-lru-cache                  5.1.1-3
ii  node-mississippi                3.0.0-1
ii  node-mkdirp                     0.5.1-1
ii  node-move-concurrently          1.0.1-2
ii  node-nopt                       3.0.6-3
ii  node-normalize-package-data     2.4.0-1
ii  node-npm-package-arg            6.0.0-2
ii  node-npmlog                     4.1.2-1
ii  node-once                       1.4.0-3
ii  node-opener                     1.4.3-1
ii  node-osenv                      0.1.5-1
ii  node-path-is-inside             1.0.2-1
ii  node-promise-inflight           1.0.1-1
ii  node-promzard                   0.3.0-1
ii  node-qw                         1.0.1-1
ii  node-read                       1.0.7-1
ii  node-read-package-json          2.0.13-1
ii  node-request                    2.88.1-2
ii  node-resolve-from               4.0.0-1
ii  node-retry                      0.10.1-1
ii  node-rimraf                     2.6.2-1
ii  node-safe-buffer                5.1.2-1
ii  node-semver                     5.5.1-1
ii  node-semver-diff                2.1.0-2
ii  node-sha                        2.0.1-1
ii  node-slide                      1.1.6-2
ii  node-sorted-object              2.0.1-1
ii  node-ssri                       5.2.4-2
ii  node-stream-iterate             1.2.0-4
ii  node-strip-ansi                 4.0.0-1
ii  node-tar                        4.4.6+ds1-3
ii  node-text-table                 0.2.0-2
ii  node-uid-number                 0.0.6-1
ii  node-unique-filename            1.1.0+ds-2
ii  node-unpipe                     1.0.0-1
ii  node-validate-npm-package-name  3.0.0-1
ii  node-which                      1.3.0-2
ii  node-wrappy                     1.0.2-1
ii  node-write-file-atomic          2.3.0-1
ii  node-xdg-basedir                3.0.0-1
ii  nodejs                          10.15.1~dfsg-2

npm recommends no packages.

npm suggests no packages.

-- no debconf information

--- End Message ---
--- Begin Message ---
Source: nodejs
Source-Version: 20.19.0+dfsg1-1
Done: Jérémy Lal <[email protected]>

We believe that the bug you reported is fixed in the latest version of
nodejs, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jérémy Lal <[email protected]> (supplier of updated nodejs package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Thu, 01 May 2025 11:09:56 +0200
Source: nodejs
Architecture: source
Version: 20.19.0+dfsg1-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Javascript Maintainers <[email protected]>
Changed-By: Jérémy Lal <[email protected]>
Closes: 922075 1076350
Changes:
 nodejs (20.19.0+dfsg1-1) unstable; urgency=medium
 .
   * New repackaged upstream tarball includes deps/uv.
   * Add missing changelogs to nodejs-doc
   * Lintian: old-fsf-address-in-copyright-file
   * watch: fix ada url to actually get current version
   * copyright: document deps/uv
   * Build bundled libuv on i386 architecture to fix CVE-2025-47153.
     Closes: #922075, #1076350,


--- End Message ---
-- 
Pkg-javascript-devel mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel
