Bug#1032977: Bug#1032976: unblock: node-sqlite3/5.1.5+ds1-1

2023-03-15 Thread Yadd

On 3/15/23 11:40, Jonathan Wiltshire wrote:

It's a bit noisy with the other stuff from the upstream release, but I can
see the argument for sticking with it rather than cherry-picking.
Unblocked.


Thanks Jonathan!

I also pushed an unblock request for Apache 2.4.56. Since we decided to
follow upstream releases in bullseye-security, we need to have apache2
2.4.56 in testing before releasing apache2 2.4.56~deb11u1 in
stable-security.


Best regards,
Yadd



Bug#1032976: unblock: node-sqlite3/5.1.5+ds1-1

2023-03-15 Thread Jonathan Wiltshire
Hi,

On Wed, Mar 15, 2023 at 06:33:08AM +0400, Yadd wrote:
> Please unblock package node-sqlite3
> 
> [ Reason ]
> A code execution vulnerability was discovered in node-sqlite3 due to the
> underlying implementation of .toString(). It is then possible to execute
> arbitrary JavaScript or to achieve a denial-of-service if a binding
> parameter is a crafted object.
> (CVE-2022-43441)

It's a bit noisy with the other stuff from the upstream release, but I can
see the argument for sticking with it rather than cherry-picking.
Unblocked.

Thanks,

-- 
Jonathan Wiltshire  j...@debian.org
Debian Developer http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51
ed25519/0x196418AAEB74C8A1: CA619D65A72A7BADFC96D280196418AAEB74C8A1



Bug#1032976: unblock: node-sqlite3/5.1.5+ds1-1

2023-03-14 Thread Yadd
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: node-sqli...@packages.debian.org
Control: affects -1 + src:node-sqlite3

Please unblock package node-sqlite3

[ Reason ]
A code execution vulnerability was discovered in node-sqlite3 due to the
underlying implementation of .toString(). It is then possible to execute
arbitrary JavaScript or to achieve a denial-of-service if a binding
parameter is a crafted object.
(CVE-2022-43441)

[ Impact ]
Major security issue

[ Tests ]
New test added, passed

[ Risks ]
No risk, patch is trivial. The main change is this:

@@ -208,7 +208,7 @@ template  Values::Field*
 return new Values::Float(pos, source.ToNumber().DoubleValue());
 }
 else if (source.IsObject()) {
-Napi::String napiVal = source.ToString();
+Napi::String napiVal = Napi::String::New(source.Env(), "[object 
Object]");
 // Check whether toString returned a value that is not undefined.
 if(napiVal.Type() == 0) {
 return NULL;
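Review bot: With source.ToString() replaced by a constant Napi::String, the check that follows, `if(napiVal.Type() == 0) { return NULL; }`, and its comment "Check whether toString returned a value that is not undefined" no longer describe anything that can happen: napiVal is now always a freshly created string, so the undefined branch is dead code and the comment is misleading. Suggest dropping the check, or rewording the comment to say that object parameters are deliberately bound as the literal "[object Object]" and that the object's own toString must never be called, so a later reader does not reintroduce the call. It is also worth a line in the changelog or patch header that object-typed bind parameters now silently bind as that literal rather than being stringified, since callers that relied on a custom toString for bind values will see a behaviour change.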


[ Checklist ]
  [X] all changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in testing

[ Other info ]
DSA pushed also for bullseye (5.0.0+ds1-1+deb11u2)

unblock node-sqlite3/5.1.5+ds1-1
diff --git a/README.md b/README.md
index 4a214a6..571df9e 100644
--- a/README.md
+++ b/README.md
@@ -17,7 +17,7 @@ Asynchronous, non-blocking [SQLite3](https://sqlite.org/) 
bindings for [Node.js]
  - [Extension 
support](https://github.com/TryGhost/node-sqlite3/wiki/API#databaseloadextensionpath-callback),
 including bundled support for the [json1 
extension](https://www.sqlite.org/json1.html)
  - Big test suite
  - Written in modern C++ and tested for memory leaks
- - Bundles SQLite v3.39.4, or you can build using a local SQLite
+ - Bundles SQLite v3.41.1, or you can build using a local SQLite
 
 # Installing
 
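Review bot: The README line about bundling SQLite v3.41.1 describes the upstream npm tarball, not this package: debian/control in the same debdiff build-depends on libsqlite3-dev, and binding.gyp links against <(sqlite_libname) from an external prefix, so the Debian build uses the system library and the effective SQLite version is whatever Debian ships. Fine to carry as upstream documentation, but it should not be read as the SQLite version that was under test for this unblock.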
diff --git a/binding.gyp b/binding.gyp
index f1336f6..20d418b 100644
--- a/binding.gyp
+++ b/binding.gyp
@@ -25,8 +25,10 @@
 "libraries": [
"-l<(sqlite_libname)"
 ],
-"conditions": [ [ "OS=='linux'", 
{"libraries+":["-Wl,-rpath=<@(sqlite)/lib"]} ] ],
-"conditions": [ [ "OS!='win'", {"libraries+":["-L<@(sqlite)/lib"]} 
] ],
+"conditions": [
+  [ "OS=='linux'", {"libraries+":["-Wl,-rpath=<@(sqlite)/lib"]} ],
+  [ "OS!='win'", {"libraries+":["-L<@(sqlite)/lib"]} ]
+],
 'msvs_settings': {
   'VCLinkerTool': {
 'AdditionalLibraryDirectories': [
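Review bot: This is a behavioural fix rather than a reformat and deserves a changelog mention: the old block had two "conditions" keys in the same dict, and gyp files are evaluated as Python literals, where a duplicate key means the second entry silently replaces the first. The "OS=='linux'" rule adding -Wl,-rpath=<@(sqlite)/lib was therefore never applied before; merging both rules into one list restores it. For the Debian build, which links the system libsqlite3 from libsqlite3-dev, the rpath only matters when an external sqlite prefix is used, but the change in linker flags should still be traceable from d/changelog.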
diff --git a/debian/changelog b/debian/changelog
index a1b24b6..5eb4c18 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,14 @@
+node-sqlite3 (5.1.5+ds1-1) unstable; urgency=medium
+
+  * Team upload
+  * Update lintian override info format in d/source/lintian-overrides
+on line 2-3
+  * Set upstream metadata fields: Bug-Database, Bug-Submit, Repository-Browse
+  * Update standards version to 4.6.2, no changes needed.
+  * New upstream version (Closes: CVE-2022-43441)
+
+ -- Yadd   Tue, 14 Mar 2023 07:04:46 +0400
+
 node-sqlite3 (5.1.2+ds1-1) unstable; urgency=medium
 
   * Team upload
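Review bot: "(Closes: CVE-2022-43441)" reuses the Closes: keyword, which the BTS and dpkg-parsechangelog reserve for bug numbers (#nnnnnn); it is harmless here because the CVE id does not parse as a bug number, but the usual form is "New upstream version, fixes CVE-2022-43441" so the line is not mistaken for a bug-closing directive. Having the CVE id in the changelog text is what the security tracker needs, so that part is right.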
diff --git a/debian/control b/debian/control
index e775fb8..cd29f0e 100644
--- a/debian/control
+++ b/debian/control
@@ -16,7 +16,7 @@ Build-Depends:
  , mocha
  , libsqlite3-dev
  , dh-sequence-nodejs
-Standards-Version: 4.6.1
+Standards-Version: 4.6.2
 Homepage: https://github.com/mapbox/node-sqlite3/wiki
 Vcs-Git: https://salsa.debian.org/js-team/node-sqlite3.git
 Vcs-Browser: https://salsa.debian.org/js-team/node-sqlite3
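Review bot: Homepage still points at https://github.com/mapbox/node-sqlite3/wiki while debian/upstream/metadata in this same debdiff moves the bug tracker and browse URL to TryGhost. Update Homepage in the same upload (or drop it if the wiki no longer exists) so d/control and the upstream metadata agree on where the project lives.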
diff --git a/debian/source/lintian-overrides b/debian/source/lintian-overrides
index 6694acf..30e1e92 100644
--- a/debian/source/lintian-overrides
+++ b/debian/source/lintian-overrides
@@ -1,5 +1,5 @@
 # only long lines, source is readable
-source-is-missing *test/null_error.test.js*
-source-contains-prebuilt-javascript-object *test/null_error.test.js*
+source-is-missing [*test/null_error.test.js*]
+source-contains-prebuilt-javascript-object [*test/null_error.test.js*]
 very-long-line-length-in-source-file *.md*
 very-long-line-length-in-source-file *test/null_error.test.js*
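Review bot: Only the source-is-missing and source-contains-prebuilt-javascript-object overrides were converted to the bracketed pointer form; the two very-long-line-length-in-source-file lines keep the old style, and the changelog confirms this was deliberate ("on line 2-3"). Worth re-running lintian on the built source to confirm the remaining two still match under the lintian version that prompted the change, and that the `*` wildcards inside the brackets are needed rather than a plain path.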
diff --git a/debian/upstream/metadata b/debian/upstream/metadata
index 4b6a0f1..b794be2 100644
--- a/debian/upstream/metadata
+++ b/debian/upstream/metadata
@@ -1,6 +1,6 @@
 ---
 Archive: GitHub
-Bug-Database: https://github.com/mapbox/node-sqlite3/issues
-Bug-Submit: https://github.com/mapbox/node-sqlite3/issues/new
+Bug-Database: https://github.com/TryGhost/node-sqlite3/issues
+Bug-Submit: https://github.com/TryGhost/node-sqlite3/issues/new
 Repository: https://github.com/mapbox/node-sqlite3.git
-Repository-Browse: https://github.com/mapbox/node-sqlite3
+Repository-Browse: https://github.com/TryGhost/node-sqlite3
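Review bot: Repository: https://github.com/mapbox/node-sqlite3.git is left at mapbox while Bug-Database, Bug-Submit and Repository-Browse move to TryGhost, so the metadata now names two different GitHub owners for the same project. If the repository actually moved, Repository should follow; if the mapbox URL is a redirect that is kept on purpose, say so in the changelog so the mismatch is understood rather than later "fixed" in the wrong direction.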
diff --git a/deps/common-sqlite.gypi b/deps/common-sqlite.gypi