Re: node-thenify

[Sylvain Beucler <beuc@beuc.net>]

Hi,

If sponsored packages are already handled, and we have time to fix this 
package, and I think we can fix it.

I think we need to evaluate a package's usage only when fixing is 
problematic (time constraints, backport issues, uncooperative 
upstream...). Package usage would then be used among other elements to 
make a decision about the supporting the package further.

That doesn't appear to be the case here, so I'll add it to dla-needed.txt.

Cheers!
Sylvain

On 09/09/2022 23:45, Ola Lundqvist wrote:
> Hi follow LTS contributors
>
> It is this kind of question again. "Is it worth it?".
>
> We have CVE-2020-7677 on node-thenify.
>
> According to popcorn we have three installations. That is of course a 
> lower end number since popcorn only counts the popcorn users, but anyway 
> it indicates that the installation number is really low. It is in fact 
> the lowest popcorn score I have seen so far.
>
> Then about the vulnerability itself. It is an arbitrary code execution, 
> but it is on the client side, and the user have get some code injected 
> into it that is passed to this function. This means you have to find 
> some other code that use this functionality and in some way pass it 
> through. It can be done but the likelihood is lower.
>
> Further I can see that node-* packages were unsupported in stretch. They 
> seem to be in buster however.
>
> Quite a lot of node-* packages have fairly severe issues declared as 
> minor issues. I could not find any arbitrary code execution 
> vulnerabilities though.
>
> So my question is, should we fix node-thenify?
>
> I guess so but I want to raise the question.