Package: release.debian.org Severity: normal User: release.debian....@packages.debian.org Usertags: unblock
Please unblock package node-concat-stream Node-concat-stream is vulnerable to Uninitialized Memory Exposure (CWE-201). This was reported in bug https://bugs.debian.org/cgi-bin/bugreport.cgi?archive=no&bug=863481. This was fixed upstream, and a version of the fixing commit is included in this version as a patch. The patch has been tested with the upstream test suite, which unfortunately has to be disabled in the package build because the testing framework (node-tape) is not available in testing. More information can be found in the attached debdiff (between testing & unstable), in the patch description. unblock node-concat-stream/1.5.1-2 -- System Information: Debian Release: stretch/sid APT prefers yakkety-updates APT policy: (500, 'yakkety-updates'), (500, 'yakkety-security'), (500, 'yakkety'), (100, 'yakkety-backports') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 4.4.0-24-generic (SMP w/4 CPU cores) Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
diff -Nru node-concat-stream-1.5.1/debian/changelog node-concat-stream-1.5.1/debian/changelog --- node-concat-stream-1.5.1/debian/changelog 2015-11-08 17:03:58.000000000 +0100 +++ node-concat-stream-1.5.1/debian/changelog 2017-05-28 16:19:49.000000000 +0200 @@ -1,3 +1,12 @@ +node-concat-stream (1.5.1-2) unstable; urgency=high + + * Apply upstream fix for Uninitialized Memory Exposure weakness CWE-201 + (Closes: #863481) + * Use stretch git branch + * Use Ubuntu email address + + -- Ross Gammon <ros...@ubuntu.com> Sun, 28 May 2017 16:19:49 +0200 + node-concat-stream (1.5.1-1) unstable; urgency=low * Initial release (Closes: #796351) diff -Nru node-concat-stream-1.5.1/debian/control node-concat-stream-1.5.1/debian/control --- node-concat-stream-1.5.1/debian/control 2015-11-08 17:03:58.000000000 +0100 +++ node-concat-stream-1.5.1/debian/control 2017-05-28 16:19:49.000000000 +0200 @@ -2,13 +2,13 @@ Section: web Priority: optional Maintainer: Debian Javascript Maintainers <pkg-javascript-de...@lists.alioth.debian.org> -Uploaders: Ross Gammon <rossgam...@mail.dk> +Uploaders: Ross Gammon <ros...@ubuntu.com> Build-Depends: debhelper (>= 9), dh-buildinfo, nodejs Standards-Version: 3.9.6 Homepage: https://github.com/maxogden/concat-stream#readme -Vcs-Git: git://anonscm.debian.org/pkg-javascript/node-concat-stream.git +Vcs-Git: git://anonscm.debian.org/pkg-javascript/node-concat-stream.git -b stretch Vcs-Browser: https://anonscm.debian.org/cgit/pkg-javascript/node-concat-stream.git Package: node-concat-stream diff -Nru node-concat-stream-1.5.1/debian/gbp.conf node-concat-stream-1.5.1/debian/gbp.conf --- node-concat-stream-1.5.1/debian/gbp.conf 2015-11-08 17:03:58.000000000 +0100 +++ node-concat-stream-1.5.1/debian/gbp.conf 2017-05-28 16:19:49.000000000 +0200 
@@ -6,7 +6,7 @@
 # The default name for the Debian branch is "master".
 # Change it if the name is different (for instance, "debian/unstable").
-debian-branch = master
+debian-branch = stretch
 # git-import-orig uses the following names for the upstream tags.
 # Change the value if you are not using git-import-orig
diff -Nru node-concat-stream-1.5.1/debian/patches/series node-concat-stream-1.5.1/debian/patches/series
--- node-concat-stream-1.5.1/debian/patches/series 2015-11-08 17:03:58.000000000 +0100
+++ node-concat-stream-1.5.1/debian/patches/series 2017-05-28 16:19:49.000000000 +0200
@@ -1 +1,2 @@
 readable-stream.patch
+to-string_numbers.patch
diff -Nru node-concat-stream-1.5.1/debian/patches/to-string_numbers.patch node-concat-stream-1.5.1/debian/patches/to-string_numbers.patch
--- node-concat-stream-1.5.1/debian/patches/to-string_numbers.patch 1970-01-01 01:00:00.000000000 +0100
+++ node-concat-stream-1.5.1/debian/patches/to-string_numbers.patch 2017-05-28 16:19:49.000000000 +0200
@@ -0,0 +1,81 @@
+Description: to-string numbers written to the stream
+ Node-concat-stream is vulnerable to Uninitialized Memory Exposure. This
+ possible memory disclosure vulnerability exists when a value of type number
+ is provided to the stringConcat() method and results in concatination of
+ uninitialized memory to the stream collection.
+ This is a result of unobstructed use of the Buffer constructor, whose
+ insecure default constructor increases the odds of memory leakage.
+ See https://snyk.io/vuln/npm:concat-stream:20160901 for further details.
+Origin: upstream, https://github.com/maxogden/concat-stream/
+Bug: https://github.com/maxogden/concat-stream/issues/55
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=863481
+Applied-Upstream: https://github.com/maxogden/concat-stream/pull/47/commits/3e285ba5e5b10b7c98552217f5c1023829efe69e
+Last-Update: 2017-05-28
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- node-concat-stream.orig/index.js
++++ node-concat-stream/index.js
+@@ -73,6 +73,10 @@
+ return /Array\]$/.test(Object.prototype.toString.call(arr))
+ }
+
++function isBufferish (p) {
++ return typeof p === 'string' || isArrayish(p) || (p && typeof p.subarray === 'function')
++}
++
+ function stringConcat (parts) {
+ var strings = []
+ var needsToString = false
+@@ -82,8 +86,10 @@
+ strings.push(p)
+ } else if (Buffer.isBuffer(p)) {
+ strings.push(p)
+- } else {
++ } else if (isBufferish(p)) {
+ strings.push(Buffer(p))
++ } else {
++ strings.push(Buffer(String(p)))
+ }
+ }
+ if (Buffer.isBuffer(parts[0])) {
+@@ -101,10 +107,11 @@
+ var p = parts[i]
+ if (Buffer.isBuffer(p)) {
+ bufs.push(p)
+- } else if (typeof p === 'string' || isArrayish(p)
+- || (p && typeof p.subarray === 'function')) {
++ } else if (isBufferish(p)) {
+ bufs.push(Buffer(p))
+- } else bufs.push(Buffer(String(p)))
++ } else {
++ bufs.push(Buffer(String(p)))
++ }
+ }
+ return Buffer.concat(bufs)
+ }
+--- node-concat-stream.orig/test/string.js
++++ node-concat-stream/test/string.js
+@@ -58,7 +58,7 @@
+ var snowman = new Buffer('☃')
+ for (var i = 0; i < 8; i++) {
+ strings.write(snowman.slice(0, 1))
+- strings.write(snowman.slice(1))
++ strings.write(snowman.slice(1))
+ }
+ strings.end()
+ })
+@@ -74,3 +74,14 @@
+ strings.write("dogs")
+ strings.end()
+ })
++
++test('to string numbers', function (t) {
++ var write = concat(function (str) {
++ t.equal(str, 'a1000')
++ t.end()
++ })
++
++ write.write('a')
++ write.write(1000)
++ write.end()
++})
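Review bot: The four remaining `Buffer(p)` / `Buffer(String(p))` calls in the two index.js hunks still go through the deprecated, non-zero-filling `Buffer()` constructor that the patch description itself names as the root cause; after this change they are only reached with a string or an array-like and never with a bare number, so the CWE-201 allocation is no longer reachable from here, but that now rests solely on the ordering of the `isBufferish` branch ahead of the `String(p)` fallback. Replacing them with `Buffer.from(p)` and `Buffer.from(String(p))` would make the invariant explicit, because `Buffer.from` rejects a number rather than allocating that many uninitialized bytes — it exists from Node 4.5 on, and the nodejs version the stretch package builds against is not shown in this debdiff, so confirm that before changing it. The added test pins only the string path (`t.equal(str, 'a1000')`); the `bufs.push(Buffer(String(p)))` branch in the `@@ -101,10 +107,11 @@` hunk has no counterpart, so a sibling case that writes a Buffer first, then `1000`, and expects the bytes of `'a1000'` would cover it, bearing in mind the unblock request says the suite is disabled at build time and so only protects anyone who runs it by hand. `stringConcat` continues past the `@@ -82,8 +86,10 @@` hunk, and the function owning the `@@ -101,10 +107,11 @@` hunk starts before it.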