Bug#1004033: bullseye-pu: package node-fetch/2.6.1-5+deb11u1

2022-02-19 Thread Adam D. Barratt
Control: tags -1 + confirmed

On Wed, 2022-01-19 at 16:49 +0100, Yadd wrote:
> node-fetch is vulnerable to privacy breach (CVE-2022-0235)
> 

+node-fetch (2.6.1-5+deb11u1) bullseye; urgency=medium
+
+  * Team upload
+  * Don't forward secure headers to 3th party (Closes: CVE-2022-0235)

s/3th/3rd/

Please go ahead.

Regards,

Adam



Bug#1004033: bullseye-pu: package node-fetch/2.6.1-5+deb11u1

2022-01-19 Thread Yadd
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu

[ Reason ]
node-fetch is vulnerable to privacy breach (CVE-2022-0235)

[ Impact ]
Medium vulnerability

[ Tests ]
Test passed

[ Risks ]
Low risk, patch just cleans headers

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

[ Changes ]
Clean headers before request

Cheers,
Yadd
diff --git a/debian/changelog b/debian/changelog
index 7f3da38..31eb312 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+node-fetch (2.6.1-5+deb11u1) bullseye; urgency=medium
+
+  * Team upload
+  * Don't forward secure headers to 3th party (Closes: CVE-2022-0235)
+
+ -- Yadd   Wed, 19 Jan 2022 16:46:28 +0100
+
 node-fetch (2.6.1-5) unstable; urgency=medium
 
   * Team upload
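Review bot: the new bullet `+  * Don't forward secure headers to 3th party (Closes: CVE-2022-0235)` has the typo "3th" for "3rd" (the same s/3th/3rd/ Adam points out). As a style point, `Closes:` in a Debian changelog is parsed for BTS bug numbers of the form #NNNNNN, so `Closes: CVE-2022-0235` closes nothing; write the identifier plainly as `(CVE-2022-0235)` and reserve `Closes: #bugnumber` for an actual bug. The trailer line `+ -- Yadd   Wed, 19 Jan 2022 16:46:28 +0100` also shows no `<email>` between the name and the date; please confirm that is only the mail rendering, since dpkg-parsechangelog requires `Name <email>` there.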
diff --git a/debian/patches/CVE-2022-0235.patch 
b/debian/patches/CVE-2022-0235.patch
new file mode 100644
index 000..d97cd7a
--- /dev/null
+++ b/debian/patches/CVE-2022-0235.patch
@@ -0,0 +1,22 @@
+Description: don't forward secure headers to 3th party
+Author: Jimmy Wärting 
+Origin: upstream, https://github.com/node-fetch/node-fetch/commit/f5d3cf5e
+Bug: https://huntr.dev/bounties/d26ab655-38d6-48b3-be15-f9ad6b6ae6f7/
+Forwarded: not-needed
+Reviewed-By: Yadd 
+Last-Update: 2022-01-19
+
+--- a/src/index.js
 b/src/index.js
+@@ -170,6 +170,11 @@
+   requestOpts.body = 
undefined;
+   
requestOpts.headers.delete('content-length');
+   }
++if (!isDomainOrSubdomain(request.url, locationURL)) {
++  for (const name of 
['authorization', 'www-authenticate', 'cookie', 'cookie2']) {
++  
requestOptions.headers.delete(name);
++  }
++  }
+ 
+   // HTTP-redirect fetch step 15
+   resolve(fetch(new 
Request(locationURL, requestOpts)));
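Review bot: the added block deletes from `requestOptions` (`requestOptions.headers.delete(name);`) while every context line in this hunk uses `requestOpts` (`requestOpts.body = undefined;`, `requestOpts.headers.delete('content-length');`, `new Request(locationURL, requestOpts)`), so as written the first cross-domain redirect throws a ReferenceError, or silently strips nothing if some other `requestOptions` is in scope; it should read `requestOpts.headers.delete(name);`. Second, nothing in this 22-line patch defines or imports `isDomainOrSubdomain`; the upstream commit named in the Origin: field ships that helper too, so unless 2.6.1's src/index.js already has it, the backport needs that hunk as well. Third, the inner file header appears as ` b/src/index.js` rather than `++++ b/src/index.js`, which quilt will not parse; verify the file in the actual debdiff. The Description line repeats the "3th" typo. Before upload, a test that follows a 302 from one host to another and asserts Authorization and Cookie are gone, and that a redirect to a subdomain of the original host keeps them, would catch both of the first two points.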
diff --git a/debian/patches/series b/debian/patches/series
index 882f8ed..20c4319 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,3 +1,4 @@
 babelrc.patch
 fix-default-export.diff
 drop-legacy-rollup-babel-plugin.patch
+CVE-2022-0235.patch
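The redirect-time check the patch above adds, as a stand-alone added example (not node-fetch's or Debian's code). It assumes Node's global `URL`, uses a `Map` of lowercase names in place of node-fetch's `Headers`, and reimplements `isDomainOrSubdomain` following the upstream helper as I understand it, which is an assumption.

```javascript
// Added example, not node-fetch's own code: the header check that the
// CVE-2022-0235 patch introduces, in stand-alone form. Node's global URL is the
// only dependency; a Map of lowercase header names stands in for Headers.

// Assumption: mirrors upstream's helper. The patch calls it as
// isDomainOrSubdomain(request.url, locationURL), so `original` is the redirect
// target and the check passes when the target host equals the request host or
// is a subdomain of it (example.com -> api.example.com keeps the headers,
// api.example.com -> example.com does not).
function isDomainOrSubdomain(destination, original) {
  const orig = new URL(original).hostname;
  const dest = new URL(destination).hostname;
  return orig === dest || orig.endsWith(`.${dest}`);
}

// The header names the patch strips on a cross-domain redirect.
const SENSITIVE_HEADERS = ['authorization', 'www-authenticate', 'cookie', 'cookie2'];

// Builds the header set for the redirected request without mutating the input.
// Returns the new Map plus the names that were dropped, so a caller can log
// what was withheld and why.
function headersForRedirect(headers, requestURL, locationURL) {
  const forwarded = new Map(headers);
  const removed = [];
  if (!isDomainOrSubdomain(requestURL, locationURL)) {
    for (const name of SENSITIVE_HEADERS) {
      if (forwarded.delete(name)) removed.push(name);
    }
  }
  return { headers: forwarded, removed };
}

// Constructed sample request headers.
const sampleHeaders = new Map([
  ['authorization', 'Bearer constructed-token'],
  ['cookie', 'session=constructed'],
  ['accept', 'application/json'],
]);

// Before the patch every header followed the redirect; with the check, a hop to
// an unrelated host (or a look-alike such as notexample.com) loses the credential
// headers while harmless ones such as Accept are still forwarded.
for (const target of ['https://example.com/home', 'https://api.example.com/v1',
                      'https://notexample.com/', 'https://third-party.test/cb']) {
  const { headers, removed } = headersForRedirect(sampleHeaders, 'https://example.com/login', target);
  console.log(target, 'forwarded:', [...headers.keys()].join(','), 'removed:', removed.join(',') || '(none)');
}
```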