Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: node-sqli...@packages.debian.org
Control: affects -1 + src:node-sqlite3
Please unblock package node-sqlite3
[ Reason ]
A code execution vulnerability was discovered in node-sqlite3 due to the
underlying implementation of .toString(). It is then possible to execute
arbitrary JavaScript or to achieve a denial-of-service if a binding
parameter is a crafted object.
(CVE-2022-43441)
[ Impact ]
Major security issue
[ Tests ]
New test added, passed
[ Risks ]
No risk, patch is trivial. The main change is this:
@@ -208,7 +208,7 @@ template Values::Field*
return new Values::Float(pos, source.ToNumber().DoubleValue());
}
else if (source.IsObject()) {
-Napi::String napiVal = source.ToString();
+Napi::String napiVal = Napi::String::New(source.Env(), "[object
Object]");
// Check whether toString returned a value that is not undefined.
if(napiVal.Type() == 0) {
return NULL;
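Review bot: the comment and check kept below the changed line ("Check whether toString returned a value that is not undefined" and `if(napiVal.Type() == 0)`) no longer match the code, because napiVal is now always the constant string and toString is never called. Suggest removing the dead check or rewording the comment, and deciding whether an unsupported object should be rejected with an error instead of being silently bound as "[object Object]".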
[ Checklist ]
[X] all changes are documented in the d/changelog
[X] I reviewed all changes and I approve them
[X] attach debdiff against the package in testing
[ Other info ]
DSA pushed also for bullseye (5.0.0+ds1-1+deb11u2)
unblock node-sqlite3/5.1.5+ds1-1
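An added example, not part of the original report and not node-sqlite3 code: a caller-side guard that rejects object-valued binding parameters before they reach the binding, so no .toString() is ever invoked on them. The names `isBindableScalar`, `checkBindParams` and `safeRun`, and the allow-list of types, are assumptions made for this sketch; `db` is any object with a node-sqlite3 style `run(sql, params, callback)` method.

```javascript
// Added example: caller-side guard, not node-sqlite3 code.
// Assumption: the application binds only primitives and Buffers, and
// converts dates to numbers or strings itself before binding.
function isBindableScalar(v) {
  if (v === null || v === undefined) return true;
  const t = typeof v;
  if (t === 'string' || t === 'number' || t === 'boolean') return true;
  // A Buffer is an object, but it is bound as a blob from its bytes.
  return Buffer.isBuffer(v);
}

// Accepts positional parameters (array), named parameters (plain object,
// e.g. { $id: 1 }) or a single value. Returns the keys or indexes of every
// value that is not on the allow-list. Never calls toString() on a value.
function checkBindParams(params) {
  let entries;
  if (Array.isArray(params)) {
    entries = params.map((v, i) => [String(i), v]);
  } else if (params !== null && typeof params === 'object' &&
             !Buffer.isBuffer(params)) {
    entries = Object.entries(params);
  } else {
    entries = [['0', params]];
  }
  const rejected = entries
    .filter(([, v]) => !isBindableScalar(v))
    .map(([k]) => k);
  return { ok: rejected.length === 0, rejected };
}

// Wrapper around db.run(): throws before the statement is prepared if any
// parameter would take the generic object path in the binding.
function safeRun(db, sql, params, callback) {
  const { ok, rejected } = checkBindParams(params);
  if (!ok) {
    throw new TypeError(
      'non-scalar binding parameter(s): ' + rejected.join(', '));
  }
  return db.run(sql, params, callback);
}
```

The guard complements the upgrade and does not replace it; a fixed version binds such objects as the constant string instead of calling into them.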
diff --git a/README.md b/README.md
index 4a214a6..571df9e 100644
--- a/README.md
+++ b/README.md
@@ -17,7 +17,7 @@ Asynchronous, non-blocking [SQLite3](https://sqlite.org/)
bindings for [Node.js]
- [Extension
support](https://github.com/TryGhost/node-sqlite3/wiki/API#databaseloadextensionpath-callback),
including bundled support for the [json1
extension](https://www.sqlite.org/json1.html)
- Big test suite
- Written in modern C++ and tested for memory leaks
- - Bundles SQLite v3.39.4, or you can build using a local SQLite
+ - Bundles SQLite v3.41.1, or you can build using a local SQLite
# Installing
diff --git a/binding.gyp b/binding.gyp
index f1336f6..20d418b 100644
--- a/binding.gyp
+++ b/binding.gyp
@@ -25,8 +25,10 @@
"libraries": [
"-l<(sqlite_libname)"
],
-"conditions": [ [ "OS=='linux'",
{"libraries+":["-Wl,-rpath=<@(sqlite)/lib"]} ] ],
-"conditions": [ [ "OS!='win'", {"libraries+":["-L<@(sqlite)/lib"]}
] ],
+"conditions": [
+ [ "OS=='linux'", {"libraries+":["-Wl,-rpath=<@(sqlite)/lib"]} ],
+ [ "OS!='win'", {"libraries+":["-L<@(sqlite)/lib"]} ]
+],
'msvs_settings': {
'VCLinkerTool': {
'AdditionalLibraryDirectories': [
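Review bot: in the merged "conditions" list a Linux build matches both the `OS=='linux'` and the `OS!='win'` entry, so `-Wl,-rpath=<@(sqlite)/lib` is applied together with `-L<@(sqlite)/lib`. Please confirm that `sqlite` resolves to a system location in the package build, so that no build-tree path ends up in the module's run path.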
diff --git a/debian/changelog b/debian/changelog
index a1b24b6..5eb4c18 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,14 @@
+node-sqlite3 (5.1.5+ds1-1) unstable; urgency=medium
+
+ * Team upload
+ * Update lintian override info format in d/source/lintian-overrides
+on line 2-3
+ * Set upstream metadata fields: Bug-Database, Bug-Submit, Repository-Browse
+ * Update standards version to 4.6.2, no changes needed.
+ * New upstream version (Closes: CVE-2022-43441)
+
+ -- Yadd Tue, 14 Mar 2023 07:04:46 +0400
+
node-sqlite3 (5.1.2+ds1-1) unstable; urgency=medium
* Team upload
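Review bot: the "New upstream version (Closes: CVE-2022-43441)" entry puts a CVE id after Closes:, which is the field for Debian bug numbers, and it does not say what was fixed. Suggest wording such as "New upstream version, fixes code execution via toString() of binding parameters (CVE-2022-43441)", and reconsidering urgency=medium given that the request describes a major security issue.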
diff --git a/debian/control b/debian/control
index e775fb8..cd29f0e 100644
--- a/debian/control
+++ b/debian/control
@@ -16,7 +16,7 @@ Build-Depends:
, mocha
, libsqlite3-dev
, dh-sequence-nodejs
-Standards-Version: 4.6.1
+Standards-Version: 4.6.2
Homepage: https://github.com/mapbox/node-sqlite3/wiki
Vcs-Git: https://salsa.debian.org/js-team/node-sqlite3.git
Vcs-Browser: https://salsa.debian.org/js-team/node-sqlite3
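Review bot: the unchanged Homepage line in this hunk still points to https://github.com/mapbox/node-sqlite3/wiki, while the same upload moves the bug tracker and repository browser in debian/upstream/metadata to TryGhost. Suggest updating Homepage in the same change so users and security reporters are sent to the current upstream.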
diff --git a/debian/source/lintian-overrides b/debian/source/lintian-overrides
index 6694acf..30e1e92 100644
--- a/debian/source/lintian-overrides
+++ b/debian/source/lintian-overrides
@@ -1,5 +1,5 @@
# only long lines, source is readable
-source-is-missing *test/null_error.test.js*
-source-contains-prebuilt-javascript-object *test/null_error.test.js*
+source-is-missing [*test/null_error.test.js*]
+source-contains-prebuilt-javascript-object [*test/null_error.test.js*]
very-long-line-length-in-source-file *.md*
very-long-line-length-in-source-file *test/null_error.test.js*
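Review bot: only the two overrides on lines 2-3 are converted to the bracketed form; the two very-long-line-length-in-source-file overrides below them keep the old unbracketed pattern. Please check whether these still match with the current lintian, otherwise convert them in the same change.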
diff --git a/debian/upstream/metadata b/debian/upstream/metadata
index 4b6a0f1..b794be2 100644
--- a/debian/upstream/metadata
+++ b/debian/upstream/metadata
@@ -1,6 +1,6 @@
---
Archive: GitHub
-Bug-Database: https://github.com/mapbox/node-sqlite3/issues
-Bug-Submit: https://github.com/mapbox/node-sqlite3/issues/new
+Bug-Database: https://github.com/TryGhost/node-sqlite3/issues
+Bug-Submit: https://github.com/TryGhost/node-sqlite3/issues/new
Repository: https://github.com/mapbox/node-sqlite3.git
-Repository-Browse: https://github.com/mapbox/node-sqlite3
+Repository-Browse: https://github.com/TryGhost/node-sqlite3
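Review bot: the Repository field is left as https://github.com/mapbox/node-sqlite3.git while Bug-Database, Bug-Submit and Repository-Browse move to TryGhost, so the metadata now names two different upstreams. Suggest updating Repository as well, or noting in the changelog why it stays.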
diff --git a/deps/common-sqlite.gypi b/deps/common-sqlite.gypi