Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu
[ Reason ]
node-sqlite3 is vulnerable to denian of service (CVE-2022-21227)
[ Impact ]
Medium security issue
[ Tests ]
New test added, passed
[ Risks ]
Low risk, patch is trivial
[ Checklist ]
[X] *all* changes are documented in the d/changelog
[X] I reviewed all changes and I approve them
[X] attach debdiff against the package in (old)stable
[X] the issue is verified as fixed in unstable
[ Changes ]
Check bad arguments
Cheers,
Yadd
diff --git a/debian/changelog b/debian/changelog
index 32c6f70..88403c9 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+node-sqlite3 (5.0.0+ds1-1+deb11u1) bullseye; urgency=medium
+
+ * Team upload
+ * Fix denial-of-service (Closes: CVE-2022-21227)
+
+ -- Yadd Sun, 01 May 2022 17:33:33 +0200
+
node-sqlite3 (5.0.0+ds1-1) unstable; urgency=medium
* Team upload
diff --git a/debian/patches/CVE-2022-21227.patch
b/debian/patches/CVE-2022-21227.patch
new file mode 100644
index 000..e95c94d
--- /dev/null
+++ b/debian/patches/CVE-2022-21227.patch
@@ -0,0 +1,41 @@
+Description: fix segfault of invalid toString() object
+Author: Kewde
+Origin: upstream, https://github.com/TryGhost/node-sqlite3/commit/593c9d49
+Bug: https://github.com/advisories/GHSA-9qrh-qjmc-5w2p
+Forwarded: not-needed
+Reviewed-By: Yadd
+Last-Update: 2022-05-01
+
+--- a/src/statement.cc
b/src/statement.cc
+@@ -210,7 +210,13 @@
+ return new Values::Float(pos, source.ToNumber().DoubleValue());
+ }
+ else if (source.IsObject()) {
+-std::string val = source.ToString().Utf8Value();
++Napi::String napiVal = source.ToString();
++// Check whether toString returned a value that is not undefined.
++if(napiVal.Type() == 0) {
++return NULL;
++}
++
++std::string val = napiVal.Utf8Value();
+ return new Values::Text(pos, val.length(), val.c_str());
+ }
+ else {
+--- a/test/other_objects.test.js
b/test/other_objects.test.js
+@@ -86,4 +86,13 @@
+ });
+ });
+ });
++
++it('should ignore faulty toString', function(done) {
++const faulty = { toString: 23 };
++db.run("INSERT INTO txt_table VALUES(?)", faulty, function (err) {
++assert.notEqual(err, undefined);
++done();
++});
++});
++
+ });
diff --git a/debian/patches/series b/debian/patches/series
index 327413f..8d03fa0 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1 +1,2 @@
disable-hard-test.patch
+CVE-2022-21227.patch
