Re: [Pkg-javascript-devel] Bug#863481: Bug#863481: [node-concat-stream] Uninitialized Memory Exposure
Hi Bastien,

On 05/27/2017 09:47 PM, roucaries bastien wrote:
> I can do it but I do not know which is the best:
> - let 1.6 go to unstable
> - patch old version
>
> Could you ask the release team.
>
> The debdiff between the two versions is so small that I have doubt

I had almost finished the email to the release team, when I did some final checks. And whilst I agree the unrelated changes upstream are very small, I unfortunately enabled the testsuite in 1.6 (in experimental) now that node-tape is available in unstable. As node-tape is not available in testing (stretch), I would have to disable the tests when moving to unstable.

All in all, I think it will be easier to create a stretch branch in git & add a patch, which will also make the unblocking process easier. I will work on that today. But if I run out of time, please feel free to take it forward.

Regards,

Ross

--
Pkg-javascript-devel mailing list
Pkg-javascript-devel@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-javascript-devel
[Pkg-javascript-devel] Bug#863481: Bug#863481: [node-concat-stream] Uninitialized Memory Exposure
I can do it but I do not know which is the best:
- let 1.6 go to unstable
- patch old version

Could you ask the release team.

The debdiff between the two versions is so small that I have doubt

On Sat, May 27, 2017 at 6:53 PM, Ross Gammon wrote:
> Hi Bastien,
>
> If you would like me to prepare an upload to unstable for this (& unblock
> request), let me know. I have some time today & tomorrow - but travelling
> with work next week. I have DM upload rights for it.
>
> Only asking in case you are already working on it.
>
> Cheers,
>
> Ross
>
>
> On 05/27/2017 04:51 PM, Bastien ROUCARIÈS wrote:
>
> Package: node-concat-stream
> Version: 1.5.1-1
> Severity: grave
> Tags: patch security fixed-upstream fixed-in-experimental
> X-Debbugs-CC: secure-testing-t...@lists.alioth.debian.org
> forwarded: https://snyk.io/vuln/npm:concat-stream:20160901
>
> Overview
>
> concat-stream is a writable stream that concatenates strings or binary data
> and calls a callback with the result. Affected versions of the package are
> vulnerable to Uninitialized Memory Exposure.
>
> A possible memory disclosure vulnerability exists when a value of type
> number is provided to the stringConcat() method and results in concatenation
> of uninitialized memory to the stream collection.
>
> This is a result of unobstructed use of the Buffer constructor, whose
> insecure default constructor increases the odds of memory leakage.
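As an added illustration of the bug class described in the quoted report (not concat-stream's own code nor the upstream fix), the following hardened stand-in for a stringConcat()-style helper coerces every chunk through an explicit type check, so a number is treated as data to render rather than as a length handed to the legacy `Buffer(n)` constructor, which on Node versions before 8 returned uninitialized memory. It also includes a small source-scanning check for legacy `Buffer(` calls that a packager could run over a vendored tree; the helper names and the sample source are constructed for this example.

```javascript
'use strict';

// Hypothetical hardened replacement for a stringConcat()-style helper.
// Every chunk goes through an explicit type dispatch; nothing here can reach
// the legacy Buffer(n) constructor, which (Node < 8) handed back n bytes of
// uninitialized pooled memory when n was a number.
function toBytes(part) {
  if (Buffer.isBuffer(part)) return part;
  if (typeof part === 'string') return Buffer.from(part, 'utf8');
  if (part instanceof Uint8Array) return Buffer.from(part);
  if (typeof part === 'number') {
    // A number is content, not a size: render it as text.
    if (!Number.isFinite(part)) throw new TypeError('non-finite number chunk');
    return Buffer.from(String(part), 'utf8');
  }
  if (part === null || part === undefined) return Buffer.alloc(0);
  throw new TypeError(`unsupported chunk type: ${typeof part}`);
}

function stringConcatSafe(parts) {
  return Buffer.concat(parts.map(toBytes)).toString('utf8');
}

// Audit helper: report 1-based line numbers that call the legacy constructor,
// i.e. `new Buffer(` or a bare `Buffer(` not preceded by `.` (so Buffer.from,
// Buffer.alloc and identifiers like myBuffer( are not flagged).
const LEGACY_BUFFER_CALL = /\bnew\s+Buffer\s*\(|(?<![.\w])Buffer\s*\(/;

function findLegacyBufferCalls(source) {
  return source
    .split('\n')
    .map((line, i) => (LEGACY_BUFFER_CALL.test(line) ? i + 1 : null))
    .filter((n) => n !== null);
}

// Constructed sample source used to exercise the audit helper.
const SAMPLE_SOURCE = [
  "const a = Buffer.from('x');",  // safe
  'const b = new Buffer(len);',   // legacy: size or content decided at runtime
  'const c = Buffer.alloc(8);',   // safe: zero-filled
  'const d = Buffer(n);',         // legacy: bare constructor call
].join('\n');

module.exports = { toBytes, stringConcatSafe, findLegacyBufferCalls, SAMPLE_SOURCE };
```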