Package: release.debian.org Severity: normal Tags: bullseye User: [email protected] Usertags: pu
[ Reason ] node-sqlite3 is vulnerable to denian of service (CVE-2022-21227) [ Impact ] Medium security issue [ Tests ] New test added, passed [ Risks ] Low risk, patch is trivial [ Checklist ] [X] *all* changes are documented in the d/changelog [X] I reviewed all changes and I approve them [X] attach debdiff against the package in (old)stable [X] the issue is verified as fixed in unstable [ Changes ] Check bad arguments Cheers, Yadd
diff --git a/debian/changelog b/debian/changelog index 32c6f70..88403c9 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +node-sqlite3 (5.0.0+ds1-1+deb11u1) bullseye; urgency=medium + + * Team upload + * Fix denial-of-service (Closes: CVE-2022-21227) + + -- Yadd <[email protected]> Sun, 01 May 2022 17:33:33 +0200 + node-sqlite3 (5.0.0+ds1-1) unstable; urgency=medium * Team upload diff --git a/debian/patches/CVE-2022-21227.patch b/debian/patches/CVE-2022-21227.patch new file mode 100644 index 0000000..e95c94d --- /dev/null +++ b/debian/patches/CVE-2022-21227.patch @@ -0,0 +1,41 @@ +Description: fix segfault of invalid toString() object +Author: Kewde <[email protected]> +Origin: upstream, https://github.com/TryGhost/node-sqlite3/commit/593c9d49 +Bug: https://github.com/advisories/GHSA-9qrh-qjmc-5w2p +Forwarded: not-needed +Reviewed-By: Yadd <[email protected]> +Last-Update: 2022-05-01 + +--- a/src/statement.cc ++++ b/src/statement.cc +@@ -210,7 +210,13 @@ + return new Values::Float(pos, source.ToNumber().DoubleValue()); + } + else if (source.IsObject()) { +- std::string val = source.ToString().Utf8Value(); ++ Napi::String napiVal = source.ToString(); ++ // Check whether toString returned a value that is not undefined. ++ if(napiVal.Type() == 0) { ++ return NULL; ++ } ++ ++ std::string val = napiVal.Utf8Value(); + return new Values::Text(pos, val.length(), val.c_str()); + } + else { +--- a/test/other_objects.test.js ++++ b/test/other_objects.test.js +@@ -86,4 +86,13 @@ + }); + }); + }); ++ ++ it('should ignore faulty toString', function(done) { ++ const faulty = { toString: 23 }; ++ db.run("INSERT INTO txt_table VALUES(?)", faulty, function (err) { ++ assert.notEqual(err, undefined); ++ done(); ++ }); ++ }); ++ + }); diff --git a/debian/patches/series b/debian/patches/series index 327413f..8d03fa0 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -1 +1,2 @@ disable-hard-test.patch +CVE-2022-21227.patch
