Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian....@packages.debian.org
Usertags: pu
[ Reason ]
node-fetch is vulnerable to privacy breach (CVE-2022-0235)

[ Impact ]
Medium vulnerability

[ Tests ]
Test passed

[ Risks ]
Low risk, patch just cleans headers

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

[ Changes ]
Clean headers before request

Cheers,
Yadd
diff --git a/debian/changelog b/debian/changelog index 7f3da38..31eb312 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +node-fetch (2.6.1-5+deb11u1) bullseye; urgency=medium + + * Team upload + * Don't forward secure headers to 3th party (Closes: CVE-2022-0235) + + -- Yadd <y...@debian.org> Wed, 19 Jan 2022 16:46:28 +0100 + node-fetch (2.6.1-5) unstable; urgency=medium * Team upload diff --git a/debian/patches/CVE-2022-0235.patch b/debian/patches/CVE-2022-0235.patch new file mode 100644 index 0000000..d97cd7a --- /dev/null +++ b/debian/patches/CVE-2022-0235.patch @@ -0,0 +1,22 @@ +Description: don't forward secure headers to 3th party +Author: Jimmy Wärting <ji...@warting.se> +Origin: upstream, https://github.com/node-fetch/node-fetch/commit/f5d3cf5e +Bug: https://huntr.dev/bounties/d26ab655-38d6-48b3-be15-f9ad6b6ae6f7/ +Forwarded: not-needed +Reviewed-By: Yadd <y...@debian.org> +Last-Update: 2022-01-19 + +--- a/src/index.js ++++ b/src/index.js +@@ -170,6 +170,11 @@ + requestOpts.body = undefined; + requestOpts.headers.delete('content-length'); + } ++ if (!isDomainOrSubdomain(request.url, locationURL)) { ++ for (const name of ['authorization', 'www-authenticate', 'cookie', 'cookie2']) { ++ requestOptions.headers.delete(name); ++ } ++ } + + // HTTP-redirect fetch step 15 + resolve(fetch(new Request(locationURL, requestOpts))); diff --git a/debian/patches/series b/debian/patches/series index 882f8ed..20c4319 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -1,3 +1,4 @@ babelrc.patch fix-default-export.diff drop-legacy-rollup-babel-plugin.patch +CVE-2022-0235.patch
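Review bot: in the debian/changelog hunk, "3th party" should read "third party", and "Closes: CVE-2022-0235" will not close anything because the Closes: field is parsed for Debian bug numbers, not CVE ids; suggest "Don't forward secure headers to third party (CVE-2022-0235)" and a separate Closes: with the BTS bug number only if a bug exists for this issue.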
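Review bot: in the src/index.js hunk of debian/patches/CVE-2022-0235.patch, the added loop calls `requestOptions.headers.delete(name)` while the surrounding context lines use `requestOpts` (`requestOpts.body = undefined;`, `requestOpts.headers.delete('content-length');`), so on a cross-domain redirect the new code throws a ReferenceError on an undefined identifier instead of stripping the headers; change it to `requestOpts.headers.delete(name)`. The hunk also depends on `isDomainOrSubdomain`, which nothing in this debdiff defines or imports; confirm that the 2.6.1 source already provides it, or carry the helper in the patch as well. Given both points, the "Test passed" claim in the request should be backed by a test that follows a redirect to a different host and asserts that the authorization and cookie headers are absent from the second request.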