Your message dated Mon, 29 May 2017 13:26:19 +0100
with message-id <[email protected]>
and subject line Re: Bug#863575: unblock: node-concat-stream/1.5.1-2
has caused the Debian Bug report #863575,
regarding unblock: node-concat-stream/1.5.1-2
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
863575: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=863575
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: [email protected]
Usertags: unblock
Please unblock package node-concat-stream
Node-concat-stream is vulnerable to Uninitialized Memory Exposure (CWE-201).
This was reported in bug https://bugs.debian.org/cgi-bin/bugreport.cgi?archive=no&bug=863481.
This was fixed upstream, and a version of the fixing commit is included in this
version as a patch. The patch has been tested with the upstream testsuite, which
unfortunately has to be disabled as the testing framework (node-tape) does not
exist in testing.
More information can be found in the attached debdiff (between testing &
unstable), in the patch description.
unblock node-concat-stream/1.5.1-2
-- System Information:
Debian Release: stretch/sid
APT prefers yakkety-updates
APT policy: (500, 'yakkety-updates'), (500, 'yakkety-security'), (500,
'yakkety'), (100, 'yakkety-backports')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.4.0-24-generic (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
diff -Nru node-concat-stream-1.5.1/debian/changelog node-concat-stream-1.5.1/debian/changelog
--- node-concat-stream-1.5.1/debian/changelog 2015-11-08 17:03:58.000000000 +0100
+++ node-concat-stream-1.5.1/debian/changelog 2017-05-28 16:19:49.000000000 +0200
@@ -1,3 +1,12 @@
+node-concat-stream (1.5.1-2) unstable; urgency=high
+
+ * Apply upstream fix for Uninitialized Memory Exposure weakness CWE-201
+ (Closes: #863481)
+ * Use stretch git branch
+ * Use Ubuntu email address
+
+ -- Ross Gammon <[email protected]> Sun, 28 May 2017 16:19:49 +0200
+
node-concat-stream (1.5.1-1) unstable; urgency=low
* Initial release (Closes: #796351)
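Review bot: the two non-fix items in the 1.5.1-2 entry ("Use stretch git branch", "Use Ubuntu email address") only touch debian/ metadata and not the built package, so they do not widen the freeze diff; the first item could also name the upstream issue (https://github.com/maxogden/concat-stream/issues/55, already cited in the DEP-3 header) next to "Closes: #863481" so the changelog alone identifies the fix being backported.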
diff -Nru node-concat-stream-1.5.1/debian/control node-concat-stream-1.5.1/debian/control
--- node-concat-stream-1.5.1/debian/control 2015-11-08 17:03:58.000000000 +0100
+++ node-concat-stream-1.5.1/debian/control 2017-05-28 16:19:49.000000000 +0200
@@ -2,13 +2,13 @@
Section: web
Priority: optional
Maintainer: Debian Javascript Maintainers <[email protected]>
-Uploaders: Ross Gammon <[email protected]>
+Uploaders: Ross Gammon <[email protected]>
Build-Depends: debhelper (>= 9),
dh-buildinfo,
nodejs
Standards-Version: 3.9.6
Homepage: https://github.com/maxogden/concat-stream#readme
-Vcs-Git: git://anonscm.debian.org/pkg-javascript/node-concat-stream.git
+Vcs-Git: git://anonscm.debian.org/pkg-javascript/node-concat-stream.git -b stretch
Vcs-Browser: https://anonscm.debian.org/cgit/pkg-javascript/node-concat-stream.git
Package: node-concat-stream
diff -Nru node-concat-stream-1.5.1/debian/gbp.conf node-concat-stream-1.5.1/debian/gbp.conf
--- node-concat-stream-1.5.1/debian/gbp.conf 2015-11-08 17:03:58.000000000 +0100
+++ node-concat-stream-1.5.1/debian/gbp.conf 2017-05-28 16:19:49.000000000 +0200
@@ -6,7 +6,7 @@
# The default name for the Debian branch is "master".
# Change it if the name is different (for instance, "debian/unstable").
-debian-branch = master
+debian-branch = stretch
# git-import-orig uses the following names for the upstream tags.
# Change the value if you are not using git-import-orig
diff -Nru node-concat-stream-1.5.1/debian/patches/series node-concat-stream-1.5.1/debian/patches/series
--- node-concat-stream-1.5.1/debian/patches/series 2015-11-08 17:03:58.000000000 +0100
+++ node-concat-stream-1.5.1/debian/patches/series 2017-05-28 16:19:49.000000000 +0200
@@ -1 +1,2 @@
readable-stream.patch
+to-string_numbers.patch
diff -Nru node-concat-stream-1.5.1/debian/patches/to-string_numbers.patch node-concat-stream-1.5.1/debian/patches/to-string_numbers.patch
--- node-concat-stream-1.5.1/debian/patches/to-string_numbers.patch 1970-01-01 01:00:00.000000000 +0100
+++ node-concat-stream-1.5.1/debian/patches/to-string_numbers.patch 2017-05-28 16:19:49.000000000 +0200
@@ -0,0 +1,81 @@
+Description: to-string numbers written to the stream
+ Node-concat-stream is vulnerable to Uninitialized Memory Exposure. This
+ possible memory disclosure vulnerability exists when a value of type number
+ is provided to the stringConcat() method and results in concatination of
+ uninitialized memory to the stream collection.
+ This is a result of unobstructed use of the Buffer constructor, whose
+ insecure default constructor increases the odds of memory leakage.
+ See https://snyk.io/vuln/npm:concat-stream:20160901 for further details.
+Origin: upstream, https://github.com/maxogden/concat-stream/
+Bug: https://github.com/maxogden/concat-stream/issues/55
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=863481
+Applied-Upstream: https://github.com/maxogden/concat-stream/pull/47/commits/3e285ba5e5b10b7c98552217f5c1023829efe69e
+Last-Update: 2017-05-28
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- node-concat-stream.orig/index.js
++++ node-concat-stream/index.js
+@@ -73,6 +73,10 @@
+ return /Array\]$/.test(Object.prototype.toString.call(arr))
+ }
+
++function isBufferish (p) {
++ return typeof p === 'string' || isArrayish(p) || (p && typeof p.subarray === 'function')
++}
++
+ function stringConcat (parts) {
+ var strings = []
+ var needsToString = false
+@@ -82,8 +86,10 @@
+ strings.push(p)
+ } else if (Buffer.isBuffer(p)) {
+ strings.push(p)
+- } else {
++ } else if (isBufferish(p)) {
+ strings.push(Buffer(p))
++ } else {
++ strings.push(Buffer(String(p)))
+ }
+ }
+ if (Buffer.isBuffer(parts[0])) {
+@@ -101,10 +107,11 @@
+ var p = parts[i]
+ if (Buffer.isBuffer(p)) {
+ bufs.push(p)
+- } else if (typeof p === 'string' || isArrayish(p)
+- || (p && typeof p.subarray === 'function')) {
++ } else if (isBufferish(p)) {
+ bufs.push(Buffer(p))
+- } else bufs.push(Buffer(String(p)))
++ } else {
++ bufs.push(Buffer(String(p)))
++ }
+ }
+ return Buffer.concat(bufs)
+ }
+--- node-concat-stream.orig/test/string.js
++++ node-concat-stream/test/string.js
+@@ -58,7 +58,7 @@
+ var snowman = new Buffer('☃')
+ for (var i = 0; i < 8; i++) {
+ strings.write(snowman.slice(0, 1))
+- strings.write(snowman.slice(1))
++ strings.write(snowman.slice(1))
+ }
+ strings.end()
+ })
+@@ -74,3 +74,14 @@
+ strings.write("dogs")
+ strings.end()
+ })
++
++test('to string numbers', function (t) {
++ var write = concat(function (str) {
++ t.equal(str, 'a1000')
++ t.end()
++ })
++
++ write.write('a')
++ write.write(1000)
++ write.end()
++})
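Review bot: the index.js hunks close only the number path (non-bufferish values are now routed through `Buffer(String(p))`), while strings, arrays and typed arrays still go through the bare `Buffer(p)` constructor that the Description names as the root cause; that is acceptable for a targeted stretch fix, but the Description should say that the deprecated constructor is retained for bufferish input rather than imply it is removed. The test/string.js hunk at `@@ -58,7 +58,7 @@` changes only whitespace on `strings.write(snowman.slice(1))` and is unrelated to the fix, so it could be dropped to keep the debdiff minimal. Minor: "concatination" in the Description should read "concatenation".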
--- End Message ---
--- Begin Message ---
On Sun, May 28, 2017 at 10:07:44PM +0200, Ross Gammon wrote:
> Node-concat-stream is vulnerable to Uninitialized Memory Exposure (CWE-201).
> This was reported in bug https://bugs.debian.org/cgi-bin/bugreport.cgi?archive=no&bug=863481.
> This was fixed upstream, and a version of the fixing commit is included in
> this version as a patch. The patch has been tested with the upstream
> testsuite, which unfortunately has to be disabled as the testing framework
> (node-tape) does not exist in testing.
Unblocked.
--
Jonathan Wiltshire [email protected]
Debian Developer http://people.debian.org/~jmw
4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC 74C3 5394 479D D352 4C51
--- End Message ---