Bug#863575: unblock: node-concat-stream/1.5.1-2
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
Please unblock package node-concat-stream
Node-concat-stream is vulnerable to Uninitialized Memory Exposure (CWE-201).
This was reported in bug https://bugs.debian.org/cgi-bin/bugreport.cgi?archive=no&bug=863481. This was fixed upstream, and a version
of the fixing commit is included in this version as a patch. The patch has been
tested with the upstream testsuite, which unfortunately has to be disabled as
the testing framework (node-tape) does not exist in testing.
More information can be found in the attached debdiff (between testing &
unstable), in the patch description.
unblock node-concat-stream/1.5.1-2
-- System Information:
Debian Release: stretch/sid
APT prefers yakkety-updates
APT policy: (500, 'yakkety-updates'), (500, 'yakkety-security'), (500,
'yakkety'), (100, 'yakkety-backports')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.4.0-24-generic (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
diff -Nru node-concat-stream-1.5.1/debian/changelog node-concat-stream-1.5.1/debian/changelog
--- node-concat-stream-1.5.1/debian/changelog 2015-11-08 17:03:58.000000000 +0100
+++ node-concat-stream-1.5.1/debian/changelog 2017-05-28 16:19:49.000000000 +0200
@@ -1,3 +1,12 @@
+node-concat-stream (1.5.1-2) unstable; urgency=high
+
+ * Apply upstream fix for Uninitialized Memory Exposure weakness CWE-201
+ (Closes: #863481)
+ * Use stretch git branch
+ * Use Ubuntu email address
+
+ -- Ross Gammon <rosco2@ubuntu.com> Sun, 28 May 2017 16:19:49 +0200
+
node-concat-stream (1.5.1-1) unstable; urgency=low
* Initial release (Closes: #796351)
diff -Nru node-concat-stream-1.5.1/debian/control node-concat-stream-1.5.1/debian/control
--- node-concat-stream-1.5.1/debian/control 2015-11-08 17:03:58.000000000 +0100
+++ node-concat-stream-1.5.1/debian/control 2017-05-28 16:19:49.000000000 +0200
@@ -2,13 +2,13 @@
Section: web
Priority: optional
Maintainer: Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>
-Uploaders: Ross Gammon <rossgammon@mail.dk>
+Uploaders: Ross Gammon <rosco2@ubuntu.com>
Build-Depends: debhelper (>= 9),
dh-buildinfo,
nodejs
Standards-Version: 3.9.6
Homepage: https://github.com/maxogden/concat-stream#readme
-Vcs-Git: git://anonscm.debian.org/pkg-javascript/node-concat-stream.git
+Vcs-Git: git://anonscm.debian.org/pkg-javascript/node-concat-stream.git -b stretch
Vcs-Browser: https://anonscm.debian.org/cgit/pkg-javascript/node-concat-stream.git
Package: node-concat-stream
diff -Nru node-concat-stream-1.5.1/debian/gbp.conf node-concat-stream-1.5.1/debian/gbp.conf
--- node-concat-stream-1.5.1/debian/gbp.conf 2015-11-08 17:03:58.000000000 +0100
+++ node-concat-stream-1.5.1/debian/gbp.conf 2017-05-28 16:19:49.000000000 +0200
@@ -6,7 +6,7 @@
# The default name for the Debian branch is "master".
# Change it if the name is different (for instance, "debian/unstable").
-debian-branch = master
+debian-branch = stretch
# git-import-orig uses the following names for the upstream tags.
# Change the value if you are not using git-import-orig
diff -Nru node-concat-stream-1.5.1/debian/patches/series node-concat-stream-1.5.1/debian/patches/series
--- node-concat-stream-1.5.1/debian/patches/series 2015-11-08 17:03:58.000000000 +0100
+++ node-concat-stream-1.5.1/debian/patches/series 2017-05-28 16:19:49.000000000 +0200
@@ -1 +1,2 @@
readable-stream.patch
+to-string_numbers.patch
diff -Nru node-concat-stream-1.5.1/debian/patches/to-string_numbers.patch node-concat-stream-1.5.1/debian/patches/to-string_numbers.patch
--- node-concat-stream-1.5.1/debian/patches/to-string_numbers.patch 1970-01-01 01:00:00.000000000 +0100
+++ node-concat-stream-1.5.1/debian/patches/to-string_numbers.patch 2017-05-28 16:19:49.000000000 +0200
@@ -0,0 +1,81 @@
+Description: to-string numbers written to the stream
+ Node-concat-stream is vulnerable to Uninitialized Memory Exposure. This
+ possible memory disclosure vulnerability exists when a value of type number
+ is provided to the stringConcat() method and results in concatination of
+ uninitialized memory to the stream collection.
+ This is a result of unobstructed use of the Buffer constructor, whose
+ insecure default constructor increases the odds of memory leakage.
+ See https://snyk.io/vuln/npm:concat-stream:20160901 for further details.
+Origin: upstream, https://github.com/maxogden/concat-stream/
+Bug: https://github.com/maxogden/concat-stream/issues/55
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=863481
+Applied-Upstream: https://github.com/maxogden/concat-stream/pull/47/commits/3e285ba5e5b10b7c98552217f5c1023829efe69e
+Last-Update: 2017-05-28
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- node-concat-stream.orig/index.js
++++ node-concat-stream/index.js
+@@ -73,6 +73,10 @@
+ return /Array\]$/.test(Object.prototype.toString.call(arr))
+ }
+
++function isBufferish (p) {
++ return typeof p === 'string' || isArrayish(p) || (p && typeof p.subarray === 'function')
++}
++
+ function stringConcat (parts) {
+ var strings = []
+ var needsToString = false
+@@ -82,8 +86,10 @@
+ strings.push(p)
+ } else if (Buffer.isBuffer(p)) {
+ strings.push(p)
+- } else {
++ } else if (isBufferish(p)) {
+ strings.push(Buffer(p))
++ } else {
++ strings.push(Buffer(String(p)))
+ }
+ }
+ if (Buffer.isBuffer(parts[0])) {
+@@ -101,10 +107,11 @@
+ var p = parts[i]
+ if (Buffer.isBuffer(p)) {
+ bufs.push(p)
+- } else if (typeof p === 'string' || isArrayish(p)
+- || (p && typeof p.subarray === 'function')) {
++ } else if (isBufferish(p)) {
+ bufs.push(Buffer(p))
+- } else bufs.push(Buffer(String(p)))
++ } else {
++ bufs.push(Buffer(String(p)))
++ }
+ }
+ return Buffer.concat(bufs)
+ }
+--- node-concat-stream.orig/test/string.js
++++ node-concat-stream/test/string.js
+@@ -58,7 +58,7 @@
+ var snowman = new Buffer('☃')
+ for (var i = 0; i < 8; i++) {
+ strings.write(snowman.slice(0, 1))
+- strings.write(snowman.slice(1))
++ strings.write(snowman.slice(1))
+ }
+ strings.end()
+ })
+@@ -74,3 +74,14 @@
+ strings.write("dogs")
+ strings.end()
+ })
++
++test('to string numbers', function (t) {
++ var write = concat(function (str) {
++ t.equal(str, 'a1000')
++ t.end()
++ })
++
++ write.write('a')
++ write.write(1000)
++ write.end()
++})
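Review bot: The new `isBufferish` guard is what keeps a bare number out of `Buffer(p)` in both `stringConcat` and the buffer-concat loop, but nothing in the patch records why the remaining `Buffer(p)` call is acceptable for strings, arrays and typed arrays while a number is not, so a later cleanup could fold the two `else` branches back together and reintroduce the CWE-201 issue; add `// Buffer(n) with a numeric n allocates n uninitialized bytes; only values Buffer() copies from may reach it` above the `} else if (isBufferish(p)) {` line in `stringConcat`. The added test `to string numbers` writes `'a'` first and so presumably exercises only the string-encoding path; the parallel `bufs.push(Buffer(String(p)))` branch in the buffer path is not covered by the visible test changes, so a sibling test that writes a `Buffer` first and then `1000`, asserting the concatenated result, would pin both fixes. The `strings.write(snowman.slice(1))` line in the first test/string.js hunk appears to change only whitespace and could be dropped from the Debian patch to keep it minimal. Both `stringConcat` and the buffer-concat function begin or end outside the quoted hunks.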