Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock

Please unblock package node-concat-stream

Node-concat-stream is vulnerable to Uninitialized Memory Exposure (CWE-201).
This was reported in bug https://bugs.debian.org/cgi-bin/bugreport.cgi?archive=no&bug=863481.
This was fixed upstream, and a version of the fixing commit is included in this
version as a patch. The patch has been tested with the upstream testsuite, which
unfortunately has to be disabled as the testing framework (node-tape) does not
exist in testing.

More information can be found in the attached debdiff (between testing &
unstable), in the patch description.

unblock node-concat-stream/1.5.1-2

-- System Information:
Debian Release: stretch/sid
  APT prefers yakkety-updates
  APT policy: (500, 'yakkety-updates'), (500, 'yakkety-security'), (500,
'yakkety'), (100, 'yakkety-backports')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.4.0-24-generic (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
diff -Nru node-concat-stream-1.5.1/debian/changelog node-concat-stream-1.5.1/debian/changelog
--- node-concat-stream-1.5.1/debian/changelog	2015-11-08 17:03:58.000000000 +0100
+++ node-concat-stream-1.5.1/debian/changelog	2017-05-28 16:19:49.000000000 +0200
@@ -1,3 +1,12 @@
+node-concat-stream (1.5.1-2) unstable; urgency=high
+
+  * Apply upstream fix for Uninitialized Memory Exposure weakness CWE-201
+    (Closes: #863481)
+  * Use stretch git branch
+  * Use Ubuntu email address
+
+ -- Ross Gammon <ros...@ubuntu.com>  Sun, 28 May 2017 16:19:49 +0200
+
 node-concat-stream (1.5.1-1) unstable; urgency=low
 
   * Initial release (Closes: #796351)
diff -Nru node-concat-stream-1.5.1/debian/control node-concat-stream-1.5.1/debian/control
--- node-concat-stream-1.5.1/debian/control	2015-11-08 17:03:58.000000000 +0100
+++ node-concat-stream-1.5.1/debian/control	2017-05-28 16:19:49.000000000 +0200
@@ -2,13 +2,13 @@
 Section: web
 Priority: optional
 Maintainer: Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>
-Uploaders: Ross Gammon <rossgam...@mail.dk>
+Uploaders: Ross Gammon <ros...@ubuntu.com>
 Build-Depends: debhelper (>= 9),
                dh-buildinfo,
                nodejs
 Standards-Version: 3.9.6
 Homepage: https://github.com/maxogden/concat-stream#readme
-Vcs-Git: git://anonscm.debian.org/pkg-javascript/node-concat-stream.git
+Vcs-Git: git://anonscm.debian.org/pkg-javascript/node-concat-stream.git -b stretch
 Vcs-Browser: https://anonscm.debian.org/cgit/pkg-javascript/node-concat-stream.git
 
 Package: node-concat-stream
diff -Nru node-concat-stream-1.5.1/debian/gbp.conf node-concat-stream-1.5.1/debian/gbp.conf
--- node-concat-stream-1.5.1/debian/gbp.conf	2015-11-08 17:03:58.000000000 +0100
+++ node-concat-stream-1.5.1/debian/gbp.conf	2017-05-28 16:19:49.000000000 +0200
@@ -6,7 +6,7 @@
 
 # The default name for the Debian branch is "master".
 # Change it if the name is different (for instance, "debian/unstable").
-debian-branch = master
+debian-branch = stretch
 
 # git-import-orig uses the following names for the upstream tags.
 # Change the value if you are not using git-import-orig
diff -Nru node-concat-stream-1.5.1/debian/patches/series node-concat-stream-1.5.1/debian/patches/series
--- node-concat-stream-1.5.1/debian/patches/series	2015-11-08 17:03:58.000000000 +0100
+++ node-concat-stream-1.5.1/debian/patches/series	2017-05-28 16:19:49.000000000 +0200
@@ -1 +1,2 @@
 readable-stream.patch
+to-string_numbers.patch
diff -Nru node-concat-stream-1.5.1/debian/patches/to-string_numbers.patch node-concat-stream-1.5.1/debian/patches/to-string_numbers.patch
--- node-concat-stream-1.5.1/debian/patches/to-string_numbers.patch	1970-01-01 01:00:00.000000000 +0100
+++ node-concat-stream-1.5.1/debian/patches/to-string_numbers.patch	2017-05-28 16:19:49.000000000 +0200
@@ -0,0 +1,81 @@
+Description: to-string numbers written to the stream
+ Node-concat-stream is vulnerable to Uninitialized Memory Exposure. This
+ possible memory disclosure vulnerability exists when a value of type number
+ is provided to the stringConcat() method and results in concatination of
+ uninitialized memory to the stream collection.
+ This is a result of unobstructed use of the Buffer constructor, whose
+ insecure default constructor increases the odds of memory leakage.
+ See https://snyk.io/vuln/npm:concat-stream:20160901 for further details.
+Origin: upstream, https://github.com/maxogden/concat-stream/
+Bug: https://github.com/maxogden/concat-stream/issues/55
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=863481
+Applied-Upstream: https://github.com/maxogden/concat-stream/pull/47/commits/3e285ba5e5b10b7c98552217f5c1023829efe69e
+Last-Update: 2017-05-28
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- node-concat-stream.orig/index.js
++++ node-concat-stream/index.js
+@@ -73,6 +73,10 @@
+   return /Array\]$/.test(Object.prototype.toString.call(arr))
+ }
+ 
++function isBufferish (p) {
++  return typeof p === 'string' || isArrayish(p) || (p && typeof p.subarray === 'function')
++}
++
+ function stringConcat (parts) {
+   var strings = []
+   var needsToString = false
+@@ -82,8 +86,10 @@
+       strings.push(p)
+     } else if (Buffer.isBuffer(p)) {
+       strings.push(p)
+-    } else {
++    } else if (isBufferish(p)) {
+       strings.push(Buffer(p))
++    } else {
++      strings.push(Buffer(String(p)))
+     }
+   }
+   if (Buffer.isBuffer(parts[0])) {
+@@ -101,10 +107,11 @@
+     var p = parts[i]
+     if (Buffer.isBuffer(p)) {
+       bufs.push(p)
+-    } else if (typeof p === 'string' || isArrayish(p)
+-    || (p && typeof p.subarray === 'function')) {
++    } else if (isBufferish(p)) {
+       bufs.push(Buffer(p))
+-    } else bufs.push(Buffer(String(p)))
++    } else {
++      bufs.push(Buffer(String(p)))
++    }
+   }
+   return Buffer.concat(bufs)
+ }
+--- node-concat-stream.orig/test/string.js
++++ node-concat-stream/test/string.js
+@@ -58,7 +58,7 @@
+   var snowman = new Buffer('☃')
+   for (var i = 0; i < 8; i++) {
+     strings.write(snowman.slice(0, 1))
+-    strings.write(snowman.slice(1))    
++    strings.write(snowman.slice(1))
+   }
+   strings.end()
+ })
+@@ -74,3 +74,14 @@
+   strings.write("dogs")
+   strings.end()
+ })
++
++test('to string numbers', function (t) {
++  var write = concat(function (str) {
++    t.equal(str, 'a1000')
++    t.end()
++  })
++
++  write.write('a')
++  write.write(1000)
++  write.end()
++})
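Review bot: The `strings.push(Buffer(p))` and `bufs.push(Buffer(p))` calls kept in the new `isBufferish` branches still go through the type-dispatching `Buffer()` constructor, so the fix avoids the uninitialized-allocation path only because `isBufferish` never admits a number, not because the allocation API itself is safe. Where the packaged nodejs provides it, `Buffer.from(p)` (and `Buffer.from(String(p))` in the fallback branches) cannot return uninitialized memory for any argument type and would make the guard a convenience rather than the security boundary; if the target runtime predates `Buffer.from`, a comment such as `// Buffer() is only safe here because isBufferish() never returns true for a number` would record why the predicate must stay in front of it. The added test pins only a number; `null`, `undefined`, a boolean and a plain object also fall through to `Buffer(String(p))`, and asserting their stringified output in the same test would catch a future reordering of the branches. `stringConcat` continues past the end of its hunk, and the function containing the second `bufs.push` change begins before the hunk that modifies it.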