Package: release.debian.org Severity: normal Tags: buster User: release.debian....@packages.debian.org Usertags: pu
Hi, bson (embedded in node-mongodb) is vulnerable to Deserialization of Untrusted Data. This upstream fix addresses both CVE-2019-2391 and CVE-2020-7610. Cheers, Xavier
diff --git a/debian/changelog b/debian/changelog
index 7b663b5..5ee648d 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+node-mongodb (3.1.13+~3.1.11-2+deb10u1) buster; urgency=medium
+
+ * Throw if invalid _bsontype is detected
+ (Closes: CVE-2019-2391, CVE-2020-7610)
+
+ -- Xavier Guimard <y...@debian.org> Sun, 26 Apr 2020 21:41:23 +0200
+
 node-mongodb (3.1.13+~3.1.11-2) unstable; urgency=medium
 
 * Remove bson tests (Closes: #923353)
diff --git a/debian/patches/fix-json-parsing.diff b/debian/patches/fix-json-parsing.diff
new file mode 100644
index 0000000..f4b9c44
--- /dev/null
+++ b/debian/patches/fix-json-parsing.diff
@@ -0,0 +1,73 @@
+Description: throw if invalid _bsontype is detected
+ Closes: CVE-2019-2391, CVE-2020-7610
+Author: Matt Broadstone
+Bug: https://snyk.io/vuln/SNYK-JS-BSON-561052
+Forwarded: not-needed
+Reviewed-By: Xavier Guimard <y...@debian.org>
+Last-Update: 2020-04-26
+
+--- a/bson/browser_build/bson.js
++++ b/bson/browser_build/bson.js
+@@ -17074,6 +17074,8 @@
+ index = serializeInt32(buffer, key, value, index, true);
+ } else if (value['_bsontype'] === 'MinKey' || value['_bsontype'] === 'MaxKey') {
+ index = serializeMinMax(buffer, key, value, index, true);
++ } else if (typeof value['_bsontype'] !== 'undefined') {
++ throw new TypeError('Unrecognized or invalid _bsontype: ' + value['_bsontype']);
+ }
+ }
+ } else if (object instanceof Map) {
+@@ -17152,6 +17154,8 @@
+ index = serializeInt32(buffer, key, value, index);
+ } else if (value['_bsontype'] === 'MinKey' || value['_bsontype'] === 'MaxKey') {
+ index = serializeMinMax(buffer, key, value, index);
++ } else if (typeof value['_bsontype'] !== 'undefined') {
++ throw new TypeError('Unrecognized or invalid _bsontype: ' + value['_bsontype']);
+ }
+ }
+ } else {
+@@ -17233,6 +17237,8 @@
+ index = serializeInt32(buffer, key, value, index);
+ } else if (value['_bsontype'] === 'MinKey' || value['_bsontype'] === 'MaxKey') {
+ index = serializeMinMax(buffer, key, value, index);
++ } else if (typeof value['_bsontype'] !== 'undefined') {
++ throw new TypeError('Unrecognized or invalid _bsontype: ' + value['_bsontype']);
+ }
+ }
+ }
+@@ -17745,4 +17751,4 @@
+ /***/ })
+ /******/ ])
+ });
+-;
+\ No newline at end of file
++;
+--- a/bson/lib/bson/parser/serializer.js
++++ b/bson/lib/bson/parser/serializer.js
+@@ -778,6 +778,8 @@
+ index = serializeInt32(buffer, key, value, index, true);
+ } else if (value['_bsontype'] === 'MinKey' || value['_bsontype'] === 'MaxKey') {
+ index = serializeMinMax(buffer, key, value, index, true);
++ } else if (typeof value['_bsontype'] !== 'undefined') {
++ throw new TypeError('Unrecognized or invalid _bsontype: ' + value['_bsontype']);
+ }
+ }
+ } else if (object instanceof Map) {
+@@ -876,6 +878,8 @@
+ index = serializeInt32(buffer, key, value, index);
+ } else if (value['_bsontype'] === 'MinKey' || value['_bsontype'] === 'MaxKey') {
+ index = serializeMinMax(buffer, key, value, index);
++ } else if (typeof value['_bsontype'] !== 'undefined') {
++ throw new TypeError('Unrecognized or invalid _bsontype: ' + value['_bsontype']);
+ }
+ }
+ } else {
+@@ -978,6 +982,8 @@
+ index = serializeInt32(buffer, key, value, index);
+ } else if (value['_bsontype'] === 'MinKey' || value['_bsontype'] === 'MaxKey') {
+ index = serializeMinMax(buffer, key, value, index);
++ } else if (typeof value['_bsontype'] !== 'undefined') {
++ throw new TypeError('Unrecognized or invalid _bsontype: ' + value['_bsontype']);
+ }
+ }
+ }
diff --git a/debian/patches/series b/debian/patches/series
index a92eae2..a27d49a 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,2 +1,3 @@
 remove-privacy-leak.patch
 remove-dependency-versions.patch
+fix-json-parsing.diff
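Review bot: The new `else if (typeof value['_bsontype'] !== 'undefined')` branch rejects only a type name that none of the preceding comparisons recognised; a plain object that carries a recognised `_bsontype` but not the fields that type's serializer reads still reaches that serializer, so the throw is a first gate rather than a full validation of untrusted input, and the per-type serializers (outside these hunks) are presumably what must tolerate a malformed shape — worth confirming before calling the CVEs closed. The branch is added identically in all six hunks (three in `browser_build/bson.js`, three in `lib/bson/parser/serializer.js`), and the enclosing serializer functions start and end outside every hunk. Since the changelog above records that the bson tests were removed in -2, nothing in the package now exercises the new branches; a short debian/tests script asserting that serializing `{ a: { _bsontype: 'Bogus' } }` throws a `TypeError` would give this upload a regression check. The DEP-3 header's `Bug:` field points at an advisory page rather than the upstream change; adding `Origin: upstream, <UPSTREAM_COMMIT_URL>` would let reviewers verify the backport against the actual upstream commit.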