Package: release.debian.org Severity: normal User: [email protected] Usertags: unblock
Please unblock package node-serve-static The package had a security vulnerability which was the bug that caused node-serve-static and its reverse dependencies to be marked as autoremove. This debdiff fixes that vulnerability without touching any other code. diff -Nru node-serve-static-1.6.4/debian/changelog node-serve-static-1.6.4/debian/changelog --- node-serve-static-1.6.4/debian/changelog 2014-10-15 15:52:21.000000000 +0000 +++ node-serve-static-1.6.4/debian/changelog 2015-02-16 19:05:08.000000000 +0000 @@ -1,3 +1,9 @@ +node-serve-static (1.6.4-2) UNRELEASED; urgency=medium + + * Upstream patch fixing CVE-2015-1164 (Closes: #775843). + + -- Jérémy Lal <[email protected]> Sat, 31 Jan 2015 12:10:55 +0100 + node-serve-static (1.6.4-1) unstable; urgency=medium [ Leo Iannacone ] diff -Nru node-serve-static-1.6.4/debian/patches/CVE-2015-1164.patch node-serve-static-1.6.4/debian/patches/CVE-2015-1164.patch --- node-serve-static-1.6.4/debian/patches/CVE-2015-1164.patch 1970-01-01 00:00:00.000000000 +0000 +++ node-serve-static-1.6.4/debian/patches/CVE-2015-1164.patch 2015-02-16 19:05:08.000000000 +0000 
@@ -0,0 +1,71 @@ +Description: Fix open redirect when mounted at root +Origin: https://github.com/expressjs/serve-static/commit/0399e399.patch +Bug-Upstream: https://github.com/expressjs/serve-static/issues/26 +From: Douglas Christopher Wilson <[email protected]> +Last-Update: 2015-01-31 +Reviewed-by: Jérémy Lal <[email protected]> +Applied-Upstream: 1.7.2 + +fixes #26 +--- a/index.js ++++ b/index.js +@@ -79,10 +79,13 @@ + return next() + } + +- originalUrl.pathname += '/' ++ // append trailing slash ++ originalUrl.pathname = collapseLeadingSlashes(originalUrl.pathname + '/') + ++ // reformat the URL + var target = url.format(originalUrl) + ++ // send redirect response + res.statusCode = 303 + res.setHeader('Content-Type', 'text/html; charset=utf-8') + res.setHeader('Location', target) +@@ -116,3 +119,19 @@ + */ + + exports.mime = send.mime ++ ++/** ++ * Collapse all leading slashes into a single slash ++ * @private ++ */ ++function collapseLeadingSlashes(str) { ++ for (var i = 0; i < str.length; i++) { ++ if (str[i] !== '/') { ++ break ++ } ++ } ++ ++ return i > 1 ++ ? '/' + str.substr(i) ++ : str ++} +--- a/test/test.js ++++ b/test/test.js +@@ -259,6 +259,13 @@ + .expect(303, done) + }) + ++ it('should not redirect to protocol-relative locations', function (done) { ++ request(server) ++ .get('//users') ++ .expect('Location', '/users/') ++ .expect(303, done) ++ }) ++ + it('should not redirect incorrectly', function (done) { + request(server) + .get('/') +@@ -532,7 +539,7 @@ + it('should not choke on auth-looking URL', function(done){ + request(server) + .get('//todo@txt') +- .expect('Location', '//todo@txt/') ++ .expect('Location', '/todo@txt/') + .expect(303, done); + }); + }); diff -Nru node-serve-static-1.6.4/debian/patches/series node-serve-static-1.6.4/debian/patches/series --- node-serve-static-1.6.4/debian/patches/series 1970-01-01 00:00:00.000000000 +0000 +++ node-serve-static-1.6.4/debian/patches/series 2015-02-16 19:05:08.000000000 +0000 
@@ -0,0 +1 @@ +CVE-2015-1164.patch unblock node-serve-static/1.6.4-1 -- System Information: Debian Release: 8.0 APT prefers testing-updates APT policy: (500, 'testing-updates'), (500, 'testing') Architecture: amd64 (x86_64) Kernel: Linux 3.16-2-amd64 (SMP w/2 CPU cores) Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system) -- To UNSUBSCRIBE, email to [email protected] with a subject of "unsubscribe". Trouble? Contact [email protected] Archive: https://lists.debian.org/20150216191414.30707.37157.reportbug@ip-10-66-145-59.ec2.internal
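Review bot: the new entry at the top of the debian/changelog hunk is marked `UNRELEASED` and versioned `1.6.4-2`, while the request closes with `unblock node-serve-static/1.6.4-1`; before upload the distribution field should read `unstable` (or the targeted suite) and the unblock line should name the version that is actually being uploaded, otherwise the release team cannot match the request to the package in the queue.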
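Review bot: in the `collapseLeadingSlashes` helper added to index.js, the loop counter `i` is declared with `var` inside the `for` header and read after the loop ends; that only works because `var` is function-scoped in JavaScript, so hoisting the declaration above the loop or adding a one-line comment would make the intent obvious to the next reader. The logic itself holds up: for an all-slash input such as `//`, `i` reaches `str.length`, `str.substr(i)` is empty and the result is a single `/`; inputs with zero or one leading slash are returned unchanged, which is exactly what stops `//users` from being emitted as a protocol-relative `Location` header.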
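Review bot: the changed expectation in the `should not choke on auth-looking URL` test (`//todo@txt/` becoming `/todo@txt/`) alters an existing assertion rather than adding a new one, so a sentence in the `Description:` field noting that the old expected value was itself the open-redirect symptom would help future readers of the patch; the stray `fixes #26` line between the DEP-3 headers and the first `---` is upstream commit-message residue and could be dropped or folded into `Bug-Upstream:`.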

