Package: release.debian.org Severity: normal Tags: buster User: release.debian....@packages.debian.org Usertags: pu
[ Reason ] node-bl is vunerable to CVE-2020-8244 (#969309): A buffer over-read vulnerability exists which could allow an attacker to supply user input (even typed) that if it ends up in consume() argument and can become negative, the BufferList state can be corrupted, tricking it into exposing uninitialized memory via regular .slice() calls. I simply imported upstream change Origin: https://github.com/rvagg/bl/commit/d3e240e3 Bug: https://hackerone.com/reports/966347 Bug-Debian: https://bugs.debian.org/969309 [ Impact ] Vulnerability stays. [ Tests ] Change is simple and test passed (during build) [ Risks ] Low risk: change isn't big and test passed [ Checklist ] [X] *all* changes are documented in the d/changelog [X] I reviewed all changes and I approve them [X] attach debdiff against the package in (old)stable [X] the issue is verified as fixed in unstable [ Changes ] The patch just check better buffer size
diff --git a/debian/changelog b/debian/changelog index c041e5a..462fb49 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +node-bl (1.1.2-1+deb10u1) buster; urgency=medium + + * Team upload + * Add patch to fix over-read vulnerability (Closes: #969309, CVE-2020-8244) + + -- Xavier Guimard <y...@debian.org> Mon, 31 Aug 2020 10:35:09 +0200 + node-bl (1.1.2-1) unstable; urgency=low * Team upload. diff --git a/debian/patches/CVE-2020-8244.diff b/debian/patches/CVE-2020-8244.diff new file mode 100644 index 0000000..5512d60 --- /dev/null +++ b/debian/patches/CVE-2020-8244.diff @@ -0,0 +1,53 @@ +Description: fix buffer over-read vulnerability + CVE-2020-8244: + A buffer over-read vulnerability exists in bl <4.0.3, <3.0.1 and + <2.2.1 which could allow an attacker to supply user input (even + typed) that if it ends up in consume() argument and can become + negative, the BufferList state can be corrupted, tricking it into + exposing uninitialized memory via regular .slice() calls. +Author: Matteo Collina <matteo.coll...@gmail.com> +Origin: upstream, https://github.com/rvagg/bl/commit/d3e240e3 +Bug: https://hackerone.com/reports/966347 +Bug-Debian: https://bugs.debian.org/969309 +Forwarded: not-needed +Reviewed-By: Xavier Guimard <y...@debian.org> +Last-Update: 2020-08-31 + +--- a/bl.js ++++ b/bl.js +@@ -159,18 +159,22 @@ + + if (bytes > l) { + this._bufs[i].copy(dst, bufoff, start) ++ bufoff += l + } else { + this._bufs[i].copy(dst, bufoff, start, start + bytes) ++ bufoff += l + break + } + +- bufoff += l + bytes -= l + + if (start) + start = 0 + } + ++ // safeguard so that we don't return uninitialized memory ++ if (dst.length > bufoff) return dst.slice(0, bufoff) ++ + return dst + } + +@@ -179,6 +183,11 @@ + } + + BufferList.prototype.consume = function consume (bytes) { ++ // first, normalize the argument, in accordance with how Buffer does it ++ bytes = Math.trunc(bytes) ++ // do nothing if not a positive number ++ if (Number.isNaN(bytes) || bytes <= 0) return this ++ + while (this._bufs.length) { + if (bytes >= this._bufs[0].length) { + bytes -= this._bufs[0].length diff --git a/debian/patches/series b/debian/patches/series index 6d46f5b..762aa7d 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -1,2 +1,3 @@ 00-readable_stream.patch 01-use_tap.patch +CVE-2020-8244.diff