Package: release.debian.org Severity: normal User: release.debian....@packages.debian.org Usertags: unblock
Please unblock package node-opencv Hi all, This release fixes 2 bugs: - #925571: CVE-2019-10061 - #924462: "please make the build reproducible" Even though this vulnerability is tagged only "important" rather than "serious", I think it is worth updating the Debian version. node-opencv has no reverse dependencies, so unblocking this change seems low-risk. Cheers, Xavier unblock node-opencv/6.0.0+git20180416.cfc96ba0-3 -- System Information: Debian Release: buster/sid APT prefers testing APT policy: (900, 'testing'), (500, 'unstable') Architecture: amd64 (x86_64) Kernel: Linux 4.19.0-2-amd64 (SMP w/8 CPU cores) Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE= (charmap=UTF-8) Shell: /bin/sh linked to /usr/bin/dash Init: systemd (via /run/systemd/system) LSM: AppArmor: enabled
diff --git a/debian/changelog b/debian/changelog
index ebfd618..fde7213 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,16 @@
+node-opencv (6.0.0+git20180416.cfc96ba0-3) unstable; urgency=medium
+
+ * Team upload
+
+ [ Xavier Guimard ]
+ * Add dh_installexamples -Xtmp/ to make build reproductible. Thanks to
+ Chris Lamb (Closes: #924462)
+
+ [ Utkarsh Gupta ]
+ * Add patch to fix CVE-2019-10061 (Closes: #925571)
+
+ -- Utkarsh Gupta <guptautkarsh2...@gmail.com> Wed, 27 Mar 2019 04:27:41 +0530
+
 node-opencv (6.0.0+git20180416.cfc96ba0-2) unstable; urgency=medium
 * Team upload
@@ -6,10 +19,6 @@ node-opencv (6.0.0+git20180416.cfc96ba0-2) unstable; urgency=medium
 * Add upstream/metadata
 * Update description
 * Set hardening flags
- * Remove unneeded dependency versions
- * Add upstream/metadata
- * Update description
- * Set hardening flags
 * Fix autopkgtest failures on an unbuild tree and test installed files
 * Install examples in the right place
diff --git a/debian/patches/CVE-2019-10061.patch b/debian/patches/CVE-2019-10061.patch
new file mode 100644
index 0000000..40ede57
--- /dev/null
+++ b/debian/patches/CVE-2019-10061.patch
@@ -0,0 +1,51 @@
+Description: This patch is in reference with CVE-2019-10061.
+Author: Utkarsh Gupta
+Origin: https://github.com/peterbraden/node-opencv/commit/81a4b8620188e89f7e4fc985f3c89b58d4bcc86b
+ https://github.com/peterbraden/node-opencv/commit/aaece6921d7368577511f06c94c99dd4e9653563
+Bug-Debian: https://bugs.debian.org/925571
+Last-Update: 2019-03-26
+
+--- node-opencv-6.0.0+git20180416.cfc96ba0.orig/src/FaceRecognizer.h
++++ node-opencv-6.0.0+git20180416.cfc96ba0/src/FaceRecognizer.h
+@@ -8,6 +8,7 @@ namespace cv {
+ using cv::face::FaceRecognizer;
+ }
+ #else
++#warning using opencv2 contrib
+ #include "opencv2/contrib/contrib.hpp"
+ #endif
+
+--- node-opencv-6.0.0+git20180416.cfc96ba0.orig/utils/find-opencv.js
++++ node-opencv-6.0.0+git20180416.cfc96ba0/utils/find-opencv.js
+@@ -2,13 +2,20 @@
+
+ var exec = require("child_process").exec;
+ var fs = require("fs");
+-var flag = process.argv[2] || "--exists";
++
++var flags = {
++ '--cflags' : '--cflags',
++ '--libs' : '--libs'
++}
++var flag = flags[process.argv[2]] || '--exists'
++
++
+
+ // Normally |pkg-config opencv ...| could report either OpenCV 2.x or OpenCV 3.y
+ // depending on what is installed. To enable both 2.x and 3.y to co-exist on
+ // the same machine, the opencv.pc for 3.y can be installed as opencv3.pc and
+ // then selected by |export PKG_CONFIG_OPENCV3=1| before building node-opencv.
+-var opencv = process.env.PKG_CONFIG_OPENCV3 === "1" ? "opencv3" : '"opencv >= 2.3.1"';
++var opencv = process.env.PKG_CONFIG_OPENCV3 === "1" ? "opencv3" : ' "opencv >= 2.3.1"';
+
+ function main(){
+ //Try using pkg-config, but if it fails and it is on Windows, try the fallback
+@@ -18,7 +25,7 @@ function main(){
+ fallback();
+ }
+ else{
+- throw new Error("ERROR: failed to run: pkg-config", opencv, flag);
++ throw new Error("ERROR: failed to run: pkg-config" + opencv + " " + flag + " - Is OpenCV installed?");
+ }
+ }
+ else{
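Review bot: The rewritten error message at the end of the hunk loses its separator in the `opencv3` branch, because the space was moved into the `' "opencv >= 2.3.1"'` literal instead of into the concatenation: with PKG_CONFIG_OPENCV3=1 it reads `pkg-configopencv3 --libs`. Unless the exec command that main builds further down (outside the hunk) relies on that leading space, the cleaner form is `throw new Error("ERROR: failed to run: pkg-config " + opencv + " " + flag + " - Is OpenCV installed?");` with the space removed from the literal again. The `flags` map is the right shape for the CVE-2019-10061 fix, since only one of three fixed strings can now reach the shell from process.argv[2], though the two trailing blank `+` lines after it are stray. The DEP-3 `Description:` only names the CVE and should say what the patch does, e.g. `Description: Restrict the pkg-config flag taken from argv to a fixed allow-list so an arbitrary argument can no longer reach the shell (CVE-2019-10061); also warn when falling back to opencv2 contrib.`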
diff --git a/debian/patches/series b/debian/patches/series
index bf036a7..4d1e52d 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,2 +1,3 @@
 0001_fix_makefile.patch
 0002_patch_unittest.patch
+CVE-2019-10061.patch
diff --git a/debian/rules b/debian/rules
index 1cd5e96..299c7ba 100755
--- a/debian/rules
+++ b/debian/rules
@@ -35,6 +35,9 @@ override_dh_auto_clean:
 rm -rf node_modules
 rm -rf build
+override_dh_installexamples:
+ dh_installexamples -Xtmp/
+
 DEB_UPSTREAM_VERSION := $(shell echo $(DEB_VERSION) | sed -e 's/-[^-]*$$//')
 GIT_URL = https://github.com/peterbraden/node-opencv.git
 get-orig-source:
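Review bot: The new `override_dh_installexamples` target gives no hint why `-Xtmp/` is passed, so a later maintainer cannot tell a reproducibility fix from a deliberate content exclusion; a one-line comment above the override would carry that, e.g. `# -Xtmp/: keep build-generated tmp/ output out of the examples, it differs between builds (#924462)`. Since `-X` excludes any file whose path contains the given text anywhere, every example path containing `tmp/` is dropped, which the comment should state if that breadth is intended. The override_dh_auto_clean recipe shown as context starts outside the hunk.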