Package: release.debian.org Severity: normal User: release.debian....@packages.debian.org Usertags: unblock
Please unblock package node-superagent Hi all, node-superagent is vulnerable to CVE-2017-16129 (tag high). Unfortunatly no corresponding BTS has been filled, and I didn't see this before. I imported the upstreal patch and updated the package and enable some upstream tests (not all due to missing dependencies). Here is the full changes: * Declare compliance with policy 4.3.0 * Change section to javascript * Change priority to optional * Patch to fix ZIP bomb attacks (Closes: CVE-2017-16129) * Fix tests for Node.js >= 10 * Enable some upstream tests using pkg-js-tools * Fix VCS fields * Fix debian/copyright format URL * Add upstream/metadata Reverse dependencies: node-superagent +-(build)-> node-multiparty +-> node-supertest | (build dependencies) | V +- node-body-parser +- node-compression +- node-connect +- node-connect-timeout +- node-cookie-parser +- node-errorhandler +- node-finalhandler +- node-on-headers +- node-response-time +- node-send +- node-serve-index +- node-serve-static +- node-vary +- node-vhost Change on installed files just adds a limit to response body content (CVE-2017-16129.diff patch). The rest of this debdiff updates debian/* files and enable tests (build & autopkgtest). I think this CVE should be considered as RC bug, so I think it is needed and low risky to unblock node-superagent. Cheers, Xavier
diff --git a/debian/changelog b/debian/changelog index 0df52d2..e52f880 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,18 @@ +node-superagent (0.20.0+dfsg-2) unstable; urgency=medium + + * Team upload + * Declare compliance with policy 4.3.0 + * Change section to javascript + * Change priority to optional + * Patch to fix ZIP bomb attacks (Closes: CVE-2017-16129) + * Fix tests for Node.js >= 10 + * Enable some upstream tests using pkg-js-tools + * Fix VCS fields + * Fix debian/copyright format URL + * Add upstream/metadata + + -- Xavier Guimard <y...@debian.org> Thu, 18 Apr 2019 14:22:09 +0200 + node-superagent (0.20.0+dfsg-1) unstable; urgency=medium * Imported Upstream version 0.20.0+dfsg diff --git a/debian/control b/debian/control index 8a9adb8..4207e63 100644 --- a/debian/control +++ b/debian/control @@ -1,17 +1,30 @@ Source: node-superagent -Section: web -Priority: extra +Section: javascript +Priority: optional Maintainer: Debian Javascript Maintainers <pkg-javascript-de...@lists.alioth.debian.org> Uploaders: Leo Iannacone <l...@ubuntu.com> +Testsuite: autopkgtest-pkg-nodejs Build-Depends: debhelper (>= 8) , dh-buildinfo + , mocha , nodejs -Standards-Version: 3.9.6 + , node-cookiejar + , node-cookie-parser + , node-debug + , node-express + , node-extend + , node-formidable + , node-form-data + , node-methods + , node-mime + , node-qs + , node-should + , pkg-js-tools +Standards-Version: 4.3.0 +Vcs-Browser: https://salsa.debian.org/js-team/node-superagent +Vcs-Git: https://salsa.debian.org/js-team/node-superagent.git Homepage: https://github.com/visionmedia/superagent -Vcs-Git: git://anonscm.debian.org/pkg-javascript/node-superagent.git -Vcs-Browser: http://anonscm.debian.org/gitweb/?p=pkg-javascript/node-superagent.git -XS-Testsuite: autopkgtest Package: node-superagent Architecture: all diff --git a/debian/copyright b/debian/copyright index c1b2e17..216a109 100644 --- a/debian/copyright +++ b/debian/copyright @@ -1,4 +1,4 @@ -Format: http://www.debian.org/doc/packaging-manuals/copyright-format/1.0/ +Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/ Upstream-Name: superagent Upstream-Contact: https://github.com/visionmedia/superagent/issues Source: https://github.com/visionmedia/superagent @@ -39,4 +39,3 @@ License: Expat ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. - diff --git a/debian/patches/CVE-2017-16129.diff b/debian/patches/CVE-2017-16129.diff new file mode 100644 index 0000000..7fc56a9 --- /dev/null +++ b/debian/patches/CVE-2017-16129.diff @@ -0,0 +1,34 @@ +Description: Fix for CVE-2017-16129 +Author: Xavier Guimard <y...@debian.org> +Origin: https://github.com/visionmedia/superagent/commit/946e28dab08f2ab334753bf36a2fbc5110d17789 +Bug: https://security-tracker.debian.org/tracker/CVE-2017-16129 +Forwarded: https://github.com/visionmedia/superagent/commit/946e28dab08f2ab334753bf36a2fbc5110d17789 +Last-Update: 2019-04-18 + +--- a/lib/node/index.js ++++ b/lib/node/index.js +@@ -898,6 +898,24 @@ + // explicit parser + if (parser) parse = parser; + ++ if (buffer) { ++ // Protectiona against zip bombs and other nuisance ++ let responseBytesLeft = self._maxResponseSize || 200000000; ++ res.on('data', function(buf) { ++ responseBytesLeft -= buf.byteLength || buf.length; ++ if (responseBytesLeft < 0) { ++ // This will propagate through error event ++ const err = Error("Maximum response size reached"); ++ err.code = "ETOOLARGE"; ++ // Parsers aren't required to observe error event, ++ // so would incorrectly report success ++ parserHandlesEnd = false; ++ // Will emit error event ++ res.destroy(err); ++ } ++ }); ++ } ++ + // parse + if (parse) { + try { diff --git a/debian/patches/close-test-servers.diff b/debian/patches/close-test-servers.diff new file mode 100644 index 0000000..f43e2c0 --- /dev/null +++ b/debian/patches/close-test-servers.diff @@ -0,0 +1,212 @@ +Description: Fix for Node.js 10 +Author: Xavier Guimard <y...@debian.org> +Forwarded: not-needed +Last-Update: 2019-04-18 + +--- a/test/node/agency.js ++++ b/test/node/agency.js +@@ -4,8 +4,10 @@ + , assert = require('assert') + , should = require('should'); + +-app.use(express.cookieParser()); +-app.use(express.session({ secret: 'secret' })); ++var cookieParser = require('cookie-parser'); ++var session = require('express-session'); ++app.use(cookieParser()); ++app.use(session({ secret: 'secret' })); + + app.post('/signin', function(req, res) { + req.session.user = 'hun...@hunterloftis.com'; +--- a/test/node/flags.js ++++ b/test/node/flags.js +@@ -29,7 +29,7 @@ + res.send(204); + }); + +-app.listen(3004); ++var s = app.listen(3004); + + describe('flags', function(){ + +@@ -116,4 +116,10 @@ + }); + }) + }) +-}) +\ No newline at end of file ++ describe('end test', function(){ ++ it('should stop server', function(done){ ++ s.close(); ++ done(); ++ }); ++ }); ++}) +--- a/test/node/image.js ++++ b/test/node/image.js +@@ -19,7 +19,7 @@ + res.end(img, 'binary'); + }); + +- app.listen(3011); ++ var s = app.listen(3011); + + describe('image/png', function(){ + it('should parse the body', function(done){ +@@ -31,4 +31,10 @@ + }); + }); + }); ++ describe('end test', function(){ ++ it('should stop server', function(done){ ++ s.close(); ++ done(); ++ }); ++ }); + }); +--- a/test/node/inflate.js ++++ b/test/node/inflate.js +@@ -15,7 +15,7 @@ + var app = express() + , subject = 'some long long long long string'; + +- app.listen(3080); ++ s = app.listen(3080); + + app.get('/binary', function(req, res){ + zlib.deflate(subject, function (err, buf){ +@@ -37,7 +37,7 @@ + request + .get('http://localhost:3080') + .end(function(res){ +- res.should.have.status(200); ++ res.status.should.eql(200); + res.text.should.equal(subject); + res.headers['content-length'].should.be.below(subject.length); + done(); +@@ -49,7 +49,7 @@ + request + .get('http://localhost:3080/binary') + .end(function(res){ +- res.should.have.status(200); ++ res.status.should.eql(200); + res.headers['content-length'].should.be.below(subject.length); + + res.on('data', function(chunk){ +@@ -61,4 +61,10 @@ + }) + }) + }); ++ describe('end test', function(){ ++ it('should stop server', function(done){ ++ s.close(); ++ done(); ++ }); ++ }); + } +--- a/test/node/pipe.js ++++ b/test/node/pipe.js +@@ -4,7 +4,8 @@ + , app = express() + , fs = require('fs'); + +-app.use(express.bodyParser()); ++var bodyParser = require('body-parser') ++app.use(bodyParser.json()); + + app.post('/', function(req, res){ + res.send(req.body); +--- a/test/node/redirects-other-host.js ++++ b/test/node/redirects-other-host.js +@@ -9,7 +9,7 @@ + res.redirect('https://github.com/'); + }); + +-app.listen(3210); ++var s = app.listen(3210); + + describe('request', function(){ + describe('on redirect', function(){ +@@ -24,4 +24,10 @@ + }); + }) + }); +-}); +\ No newline at end of file ++}); ++describe('end test', function(){ ++ it('should stop server', function(done){ ++ s.close(); ++ done(); ++ }); ++}); +--- a/test/node/response-readable-stream.js ++++ b/test/node/response-readable-stream.js +@@ -8,7 +8,7 @@ + fs.createReadStream('test/node/fixtures/user.json').pipe(res); + }); + +-app.listen(3025); ++var s = app.listen(3025); + + describe('response', function(){ + it('should act as a readable stream', function(done){ +@@ -39,3 +39,9 @@ + }); + }); + }); ++describe('end test', function(){ ++ it('should stop server', function(done){ ++ s.close(); ++ done(); ++ }); ++}); +--- a/test/node/timeout.js ++++ b/test/node/timeout.js +@@ -11,7 +11,7 @@ + }, ms); + }); + +-app.listen(3009); ++var s = app.listen(3009); + + describe('.timeout(ms)', function(){ + describe('when timeout is exceeded', function(done){ +@@ -26,4 +26,10 @@ + }); + }) + }) +-}) +\ No newline at end of file ++}) ++describe('end test', function(){ ++ it('should stop server', function(done){ ++ s.close(); ++ done(); ++ }); ++}); +--- a/test/server.js ++++ b/test/server.js +@@ -15,8 +15,10 @@ + req.pipe(res); + }); + +-app.use(express.bodyParser()); +-app.use(express.cookieParser()); ++var cookieParser = require('cookie-parser') ++var bodyParser = require('body-parser') ++app.use(bodyParser.json()); ++app.use(cookieParser()); + + app.use(function(req, res, next){ + res.cookie('name', 'tobi'); +@@ -132,7 +134,8 @@ + res.send(req.cookies.name); + }); + +-app.use(express.static(__dirname + '/../')); ++var serveStatic = require('serve-static') ++app.use(serveStatic(__dirname + '/../')); + + var server = app.listen(process.env.ZUUL_PORT, function() { + //console.log('Test server listening on port %d', server.address().port); diff --git a/debian/patches/series b/debian/patches/series index c366f88..711a168 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -1 +1,3 @@ no_require_readable-stream.patch +CVE-2017-16129.diff +close-test-servers.diff diff --git a/debian/rules b/debian/rules index 5e2158d..e6bbb30 100755 --- a/debian/rules +++ b/debian/rules @@ -5,14 +5,9 @@ #export DH_VERBOSE=1 %: - dh $@ + dh $@ --with nodejs override_dh_auto_build: -# Tests require express 3.x, but in debian we have 4.x -# So, do not run tests untill this issues is open: -# https://github.com/visionmedia/superagent/issues/390 -override_dh_auto_test: - override_dh_installchangelogs: dh_installchangelogs -k History.md diff --git a/debian/tests/control b/debian/tests/control deleted file mode 100644 index 5b473bc..0000000 --- a/debian/tests/control +++ /dev/null @@ -1,2 +0,0 @@ -Tests: require -Depends: node-superagent diff --git a/debian/tests/pkg-js/test b/debian/tests/pkg-js/test new file mode 100644 index 0000000..7ba0e47 --- /dev/null +++ b/debian/tests/pkg-js/test @@ -0,0 +1,11 @@ +mocha --require should --timeout 20000 \ + test/node/exports.js \ + test/node/flags.js \ + test/node/image.js \ + test/node/incoming-multipart.js \ + test/node/inflate.js \ + test/node/multipart.js \ + test/node/network-error.js \ + test/node/response-readable-stream.js \ + test/node/timeout.js \ + test/node/utils.js diff --git a/debian/tests/require b/debian/tests/require deleted file mode 100644 index b0609bb..0000000 --- a/debian/tests/require +++ /dev/null @@ -1,3 +0,0 @@ -#!/bin/sh -set -e -nodejs -e "require('superagent');" diff --git a/debian/upstream/metadata b/debian/upstream/metadata new file mode 100644 index 0000000..f0dd284 --- /dev/null +++ b/debian/upstream/metadata @@ -0,0 +1,7 @@ +--- +Archive: GitHub +Bug-Database: https://github.com/visionmedia/superagent/issues +Contact: https://github.com/visionmedia/superagent/issues +Name: superagent +Repository: https://github.com/visionmedia/superagent.git +Repository-Browse: https://github.com/visionmedia/superagent