Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock

Please unblock package node-axios

Hi all,

node-axios is vulnerable to CVE-2019-10742 (#928624). The fix is very
simple:
  --- a/lib/adapters/http.js
  +++ b/lib/adapters/http.js
  @@ -172,6 +172,7 @@
  
             // make sure the content length is not over the maxContentLength 
if specified
             if (config.maxContentLength > -1 && 
Buffer.concat(responseBuffer).length > config.maxContentLength) {
  +           stream.destroy();
               reject(createError('maxContentLength size of ' + 
config.maxContentLength + ' exceeded',
                 config, null, lastRequest));
             }
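Review bot: `stream.destroy()` acts on whatever `stream` is bound to in the surrounding code, which this excerpt does not show; if it is the output of a decompression pipe rather than the raw response object, confirm that destroying it also stops the underlying response from being read, otherwise the socket keeps receiving the body the check is meant to cut off. The branch also does not `return` after `reject(...)` or set a guard flag, so it is left to the stream implementation to guarantee that no further `data` events are observed once the limit is hit; an explicit `if (rejected) return;` at the top of the handler would make that independent of Node's destroy semantics.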

Full changes:
  * Declare compliance with policy 4.3.0
  * Add upstream/metadata
  * Add patch to destroy stream on exceeding maxContentLength
    (Closes: #928624, CVE-2019-10742)
  * Fix debian/copyright format URL

node-axios has no reverse dependencies.

I think it is low risk to upgrade node-axios in Buster.

Cheers,
Xavier

unblock node-axios/0.17.1+dfsg-2

-- System Information:
Debian Release: buster/sid
  APT prefers testing
  APT policy: (900, 'testing'), (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-4-amd64 (SMP w/8 CPU cores)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE= (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
diff --git a/debian/changelog b/debian/changelog
index b79d090..88ae229 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,14 @@
+node-axios (0.17.1+dfsg-2) unstable; urgency=medium
+
+  * Team upload
+  * Declare compliance with policy 4.3.0
+  * Add upstream/metadata
+  * Add patch to destroy stream on exceeding maxContentLength
+    (Closes: #928624, CVE-2019-10742)
+  * Fix debian/copyright format URL
+
+ -- Xavier Guimard <y...@debian.org>  Tue, 07 May 2019 22:59:58 +0200
+
 node-axios (0.17.1+dfsg-1) unstable; urgency=low
 
   * Initial release (Closes: #876067)
diff --git a/debian/control b/debian/control
index 808fda3..7090bf8 100644
--- a/debian/control
+++ b/debian/control
@@ -14,7 +14,7 @@ Build-Depends:
  , node-grunt-contrib-nodeunit <!nocheck>
  , node-follow-redirects (>= 1.2.3) <!nocheck>
  , node-is-buffer (>= 1.1.5) <!nocheck>
-Standards-Version: 4.2.1
+Standards-Version: 4.3.0
 Homepage: https://github.com/mzabriskie/axios
 Vcs-Git: https://salsa.debian.org/js-team/node-axios.git
 Vcs-Browser: https://salsa.debian.org/js-team/node-axios
diff --git a/debian/copyright b/debian/copyright
index 8f366c9..7098b5e 100644
--- a/debian/copyright
+++ b/debian/copyright
@@ -1,4 +1,4 @@
-Format: http://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
+Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
 Upstream-Name: axios
 Upstream-Contact: https://github.com/mzabriskie/axios/issues
 Source: https://github.com/mzabriskie/axios
diff --git a/debian/patches/CVE-2019-10742.diff b/debian/patches/CVE-2019-10742.diff
new file mode 100644
index 0000000..3cb1a36
--- /dev/null
+++ b/debian/patches/CVE-2019-10742.diff
@@ -0,0 +1,18 @@
+Description: Destroy stream on exceeding maxContentLength
+Author: Xavier Guimard <y...@debian.org>
+Origin: upstream, 
https://github.com/axios/axios/commit/0d4fca085b9b44e110f4c5a3dd7384c31abaf756
+Bug: https://github.com/axios/axios/issues/1098
+Bug-Debian: https://bugs.debian.org/928624
+Forwarded: not-needed
+Last-Update: 2019-05-07
+
+--- a/lib/adapters/http.js
++++ b/lib/adapters/http.js
+@@ -172,6 +172,7 @@
+ 
+           // make sure the content length is not over the maxContentLength if 
specified
+           if (config.maxContentLength > -1 && 
Buffer.concat(responseBuffer).length > config.maxContentLength) {
++          stream.destroy();
+             reject(createError('maxContentLength size of ' + 
config.maxContentLength + ' exceeded',
+               config, null, lastRequest));
+           }
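Review bot: the size test that now guards `stream.destroy()` is still `Buffer.concat(responseBuffer).length > config.maxContentLength`, which allocates and copies every byte received so far just to read `.length`; since `responseBuffer` accumulates chunks and the comment says the check runs as the body arrives, the check itself costs O(n^2) over the response and is worth fixing in the same patch with a running counter (`totalResponseBytes += chunk.length;` then `if (config.maxContentLength > -1 && totalResponseBytes > config.maxContentLength)`). On the DEP-3 header: `Origin: upstream, <commit>` together with `Author: Xavier Guimard` is ambiguous about who wrote the change; when the patch is a backport of an upstream commit the usual form is to credit the upstream author (or drop `Author:` and keep `Origin:`), and `Forwarded: not-needed` is then correct.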
diff --git a/debian/patches/series b/debian/patches/series
index f9a8deb..877fd7a 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,2 +1,3 @@
 skip-unneeded-modules.patch
 use-webpack3.patch
+CVE-2019-10742.diff
diff --git a/debian/upstream/metadata b/debian/upstream/metadata
new file mode 100644
index 0000000..a885fe3
--- /dev/null
+++ b/debian/upstream/metadata
@@ -0,0 +1,7 @@
+---
+Archive: GitHub
+Bug-Database: https://github.com/mzabriskie/axios/issues
+Contact: https://github.com/mzabriskie/axios/issues
+Name: axios
+Repository: https://github.com/mzabriskie/axios.git
+Repository-Browse: https://github.com/mzabriskie/axios
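Review bot: `Repository`, `Repository-Browse` and `Bug-Database` here point at github.com/mzabriskie/axios, while the patch header in this same upload cites the fix at github.com/axios/axios; pick one canonical location for upstream (and align `Homepage` in debian/control with it) so the metadata and the patch provenance agree.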
