
Bug#778566: unblock: node-serve-static/1.6.4-2



Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package node-serve-static

The package had a security vulnerability, and that bug is what caused
node-serve-static and its reverse dependencies to be marked for
autoremoval. This debdiff fixes that vulnerability without touching any
other code.

diff -Nru node-serve-static-1.6.4/debian/changelog node-serve-static-1.6.4/debian/changelog
--- node-serve-static-1.6.4/debian/changelog	2014-10-15 15:52:21.000000000 +0000
+++ node-serve-static-1.6.4/debian/changelog	2015-02-16 19:05:08.000000000 +0000
@@ -1,3 +1,9 @@
+node-serve-static (1.6.4-2) UNRELEASED; urgency=medium
+
+  * Upstream patch fixing CVE-2015-1164 (Closes: #775843).
+
+ -- Jérémy Lal <kapouer@melix.org>  Sat, 31 Jan 2015 12:10:55 +0100
+
 node-serve-static (1.6.4-1) unstable; urgency=medium
 
   [ Leo Iannacone ]
diff -Nru node-serve-static-1.6.4/debian/patches/CVE-2015-1164.patch node-serve-static-1.6.4/debian/patches/CVE-2015-1164.patch
--- node-serve-static-1.6.4/debian/patches/CVE-2015-1164.patch	1970-01-01 00:00:00.000000000 +0000
+++ node-serve-static-1.6.4/debian/patches/CVE-2015-1164.patch	2015-02-16 19:05:08.000000000 +0000
@@ -0,0 +1,71 @@
+Description: Fix open redirect when mounted at root
+Origin: https://github.com/expressjs/serve-static/commit/0399e399.patch
+Bug-Upstream: https://github.com/expressjs/serve-static/issues/26
+From: Douglas Christopher Wilson <doug@somethingdoug.com>
+Last-Update: 2015-01-31
+Reviewed-by: Jérémy Lal <kapouer@melix.org>
+Applied-Upstream: 1.7.2
+
+fixes #26
+--- a/index.js
++++ b/index.js
+@@ -79,10 +79,13 @@
+           return next()
+         }
+ 
+-        originalUrl.pathname += '/'
++        // append trailing slash
++        originalUrl.pathname = collapseLeadingSlashes(originalUrl.pathname + '/')
+ 
++        // reformat the URL
+         var target = url.format(originalUrl)
+ 
++        // send redirect response
+         res.statusCode = 303
+         res.setHeader('Content-Type', 'text/html; charset=utf-8')
+         res.setHeader('Location', target)
+@@ -116,3 +119,19 @@
+  */
+ 
+ exports.mime = send.mime
++
++/**
++ * Collapse all leading slashes into a single slash
++ * @private
++ */
++function collapseLeadingSlashes(str) {
++  for (var i = 0; i < str.length; i++) {
++    if (str[i] !== '/') {
++      break
++    }
++  }
++
++  return i > 1
++    ? '/' + str.substr(i)
++    : str
++}
+--- a/test/test.js
++++ b/test/test.js
+@@ -259,6 +259,13 @@
+       .expect(303, done)
+     })
+ 
++    it('should not redirect to protocol-relative locations', function (done) {
++      request(server)
++      .get('//users')
++      .expect('Location', '/users/')
++      .expect(303, done)
++    })
++
+     it('should not redirect incorrectly', function (done) {
+       request(server)
+       .get('/')
+@@ -532,7 +539,7 @@
+     it('should not choke on auth-looking URL', function(done){
+       request(server)
+       .get('//todo@txt')
+-      .expect('Location', '//todo@txt/')
++      .expect('Location', '/todo@txt/')
+       .expect(303, done);
+     });
+   });
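Review bot: In the new `collapseLeadingSlashes` helper (index.js hunk at `+119`), the loop counter `i` is read in the `return` after the `for` has finished, which only works because `var` is function-scoped; declaring it before the loop, `var i` then `for (i = 0; i < str.length; i++) {`, makes that dependence explicit instead of looking like an out-of-scope read. The JSDoc carries only a description and `@private`; it should also state the contract, `@param {string} str` and `@return {string}`, and say that a single leading slash (or none) is returned unchanged while two or more are collapsed to one, which is what the `i > 1` test encodes. `str.substr(i)` is the legacy Annex B form; `str.slice(i)` is the equivalent without that caveat. The index.js hunk at `-79,10` starts inside a function whose head is outside this patch, so the redirect branch it belongs to is not reviewable here.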
diff -Nru node-serve-static-1.6.4/debian/patches/series node-serve-static-1.6.4/debian/patches/series
--- node-serve-static-1.6.4/debian/patches/series	1970-01-01 00:00:00.000000000 +0000
+++ node-serve-static-1.6.4/debian/patches/series	2015-02-16 19:05:08.000000000 +0000
@@ -0,0 +1 @@
+CVE-2015-1164.patch

unblock node-serve-static/1.6.4-1

-- System Information:
Debian Release: 8.0
  APT prefers testing-updates
  APT policy: (500, 'testing-updates'), (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16-2-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

