Bug#863575: marked as done (unblock: node-concat-stream/1.5.1-2)

To: Jonathan Wiltshire <jmw@debian.org>
Subject: Bug#863575: marked as done (unblock: node-concat-stream/1.5.1-2)
From: owner@bugs.debian.org (Debian Bug Tracking System)
Date: Mon, 29 May 2017 12:30:03 +0000
Message-id: <[🔎] handler.863575.D863575.149606078231818.ackdone@bugs.debian.org>
References: <20170529122619.gon3efu7dep5b3kn@powdarrmonkey.net> <[🔎] 149600206456.3145.5585089502658383607.reportbug@localhost>

Your message dated Mon, 29 May 2017 13:26:19 +0100
with message-id <20170529122619.gon3efu7dep5b3kn@powdarrmonkey.net>
and subject line Re: Bug#863575: unblock: node-concat-stream/1.5.1-2
has caused the Debian Bug report #863575,
regarding unblock: node-concat-stream/1.5.1-2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
863575: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=863575
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems

--- Begin Message ---

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: unblock: node-concat-stream/1.5.1-2
From: Ross Gammon <rossgammon@mail.dk>
Date: Sun, 28 May 2017 22:07:44 +0200
Message-id: <[🔎] 149600206456.3145.5585089502658383607.reportbug@localhost>

Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package node-concat-stream

Node-concat-stream is vunerable to Uninitialized Memory Exposure (CWE-201).
This was reported in bug https://bugs.debian.org/cgi-
bin/bugreport.cgi?archive=no&bug=863481. This was fixed upstream, and a version
of the fixing commit is included in this version as a patch. The patch has been
tested with the upstream testsuite, which unfortunately has to be disabled as
the testing framework (node-tape) does not exist in testing.

More information can be found in the attached debdiff (between tesing &
unstable), in the patch description.

unblock node-concat-stream/1.5.1-2

-- System Information:
Debian Release: stretch/sid
  APT prefers yakkety-updates
  APT policy: (500, 'yakkety-updates'), (500, 'yakkety-security'), (500,
'yakkety'), (100, 'yakkety-backports')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.4.0-24-generic (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)

diff -Nru node-concat-stream-1.5.1/debian/changelog node-concat-stream-1.5.1/debian/changelog
--- node-concat-stream-1.5.1/debian/changelog	2015-11-08 17:03:58.000000000 +0100
+++ node-concat-stream-1.5.1/debian/changelog	2017-05-28 16:19:49.000000000 +0200
@@ -1,3 +1,12 @@
+node-concat-stream (1.5.1-2) unstable; urgency=high
+
+  * Apply upstream fix for Uninitialized Memory Exposure weakness CWE-201
+    (Closes: #863481)
+  * Use stretch git branch
+  * Use Ubuntu email address
+
+ -- Ross Gammon <rosco2@ubuntu.com>  Sun, 28 May 2017 16:19:49 +0200
+
 node-concat-stream (1.5.1-1) unstable; urgency=low
 
   * Initial release (Closes: #796351)
diff -Nru node-concat-stream-1.5.1/debian/control node-concat-stream-1.5.1/debian/control
--- node-concat-stream-1.5.1/debian/control	2015-11-08 17:03:58.000000000 +0100
+++ node-concat-stream-1.5.1/debian/control	2017-05-28 16:19:49.000000000 +0200
@@ -2,13 +2,13 @@
 Section: web
 Priority: optional
 Maintainer: Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>
-Uploaders: Ross Gammon <rossgammon@mail.dk>
+Uploaders: Ross Gammon <rosco2@ubuntu.com>
 Build-Depends: debhelper (>= 9),
                dh-buildinfo,
                nodejs
 Standards-Version: 3.9.6
 Homepage: https://github.com/maxogden/concat-stream#readme
-Vcs-Git: git://anonscm.debian.org/pkg-javascript/node-concat-stream.git
+Vcs-Git: git://anonscm.debian.org/pkg-javascript/node-concat-stream.git -b stretch
 Vcs-Browser: https://anonscm.debian.org/cgit/pkg-javascript/node-concat-stream.git
 
 Package: node-concat-stream
diff -Nru node-concat-stream-1.5.1/debian/gbp.conf node-concat-stream-1.5.1/debian/gbp.conf
--- node-concat-stream-1.5.1/debian/gbp.conf	2015-11-08 17:03:58.000000000 +0100
+++ node-concat-stream-1.5.1/debian/gbp.conf	2017-05-28 16:19:49.000000000 +0200
@@ -6,7 +6,7 @@
 
 # The default name for the Debian branch is "master".
 # Change it if the name is different (for instance, "debian/unstable").
-debian-branch = master
+debian-branch = stretch
 
 # git-import-orig uses the following names for the upstream tags.
 # Change the value if you are not using git-import-orig
diff -Nru node-concat-stream-1.5.1/debian/patches/series node-concat-stream-1.5.1/debian/patches/series
--- node-concat-stream-1.5.1/debian/patches/series	2015-11-08 17:03:58.000000000 +0100
+++ node-concat-stream-1.5.1/debian/patches/series	2017-05-28 16:19:49.000000000 +0200
@@ -1 +1,2 @@
 readable-stream.patch
+to-string_numbers.patch
diff -Nru node-concat-stream-1.5.1/debian/patches/to-string_numbers.patch node-concat-stream-1.5.1/debian/patches/to-string_numbers.patch
--- node-concat-stream-1.5.1/debian/patches/to-string_numbers.patch	1970-01-01 01:00:00.000000000 +0100
+++ node-concat-stream-1.5.1/debian/patches/to-string_numbers.patch	2017-05-28 16:19:49.000000000 +0200
@@ -0,0 +1,81 @@
+Description: to-string numbers written to the stream
+ Node-concat-stream is vulnerable to Uninitialized Memory Exposure. This
+ possible memory disclosure vulnerability exists when a value of type number
+ is provided to the stringConcat() method and results in concatination of
+ uninitialized memory to the stream collection.
+ This is a result of unobstructed use of the Buffer constructor, whose
+ insecure default constructor increases the odds of memory leakage.
+ See https://snyk.io/vuln/npm:concat-stream:20160901 for further details.
+Origin: upstream, https://github.com/maxogden/concat-stream/
+Bug: https://github.com/maxogden/concat-stream/issues/55
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=863481
+Applied-Upstream: https://github.com/maxogden/concat-stream/pull/47/commits/3e285ba5e5b10b7c98552217f5c1023829efe69e
+Last-Update: 2017-05-28
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- node-concat-stream.orig/index.js
++++ node-concat-stream/index.js
+@@ -73,6 +73,10 @@
+   return /Array\]$/.test(Object.prototype.toString.call(arr))
+ }
+ 
++function isBufferish (p) {
++  return typeof p === 'string' || isArrayish(p) || (p && typeof p.subarray === 'function')
++}
++
+ function stringConcat (parts) {
+   var strings = []
+   var needsToString = false
+@@ -82,8 +86,10 @@
+       strings.push(p)
+     } else if (Buffer.isBuffer(p)) {
+       strings.push(p)
+-    } else {
++    } else if (isBufferish(p)) {
+       strings.push(Buffer(p))
++    } else {
++      strings.push(Buffer(String(p)))
+     }
+   }
+   if (Buffer.isBuffer(parts[0])) {
+@@ -101,10 +107,11 @@
+     var p = parts[i]
+     if (Buffer.isBuffer(p)) {
+       bufs.push(p)
+-    } else if (typeof p === 'string' || isArrayish(p)
+-    || (p && typeof p.subarray === 'function')) {
++    } else if (isBufferish(p)) {
+       bufs.push(Buffer(p))
+-    } else bufs.push(Buffer(String(p)))
++    } else {
++      bufs.push(Buffer(String(p)))
++    }
+   }
+   return Buffer.concat(bufs)
+ }
+--- node-concat-stream.orig/test/string.js
++++ node-concat-stream/test/string.js
+@@ -58,7 +58,7 @@
+   var snowman = new Buffer('☃')
+   for (var i = 0; i < 8; i++) {
+     strings.write(snowman.slice(0, 1))
+-    strings.write(snowman.slice(1))    
++    strings.write(snowman.slice(1))
+   }
+   strings.end()
+ })
+@@ -74,3 +74,14 @@
+   strings.write("dogs")
+   strings.end()
+ })
++
++test('to string numbers', function (t) {
++  var write = concat(function (str) {
++    t.equal(str, 'a1000')
++    t.end()
++  })
++
++  write.write('a')
++  write.write(1000)
++  write.end()
++})

--- End Message ---

--- Begin Message ---

To: Ross Gammon <rossgammon@mail.dk>, 863575-done@bugs.debian.org

Subject: Re: Bug#863575: unblock: node-concat-stream/1.5.1-2

From: Jonathan Wiltshire <jmw@debian.org>

Date: Mon, 29 May 2017 13:26:19 +0100

Message-id: <20170529122619.gon3efu7dep5b3kn@powdarrmonkey.net>

In-reply-to: <[🔎] 149600206456.3145.5585089502658383607.reportbug@localhost>

References: <[🔎] 149600206456.3145.5585089502658383607.reportbug@localhost>
On Sun, May 28, 2017 at 10:07:44PM +0200, Ross Gammon wrote:
> Node-concat-stream is vunerable to Uninitialized Memory Exposure (CWE-201).
> This was reported in bug https://bugs.debian.org/cgi-
> bin/bugreport.cgi?archive=no&bug=863481. This was fixed upstream, and a version
> of the fixing commit is included in this version as a patch. The patch has been
> tested with the upstream testsuite, which unfortunately has to be disabled as
> the testing framework (node-tape) does not exist in testing.

Unblocked.

-- 
Jonathan Wiltshire                                      jmw@debian.org
Debian Developer                         http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51
--- End Message ---

Reply to:

References:
- Bug#863575: unblock: node-concat-stream/1.5.1-2
  - From: Ross Gammon <rossgammon@mail.dk>

Prev by Date: Bug#863626: unblock: dns-root-data/2017041101
Next by Date: Bug#863624: marked as done (unblock: lua-http/0.1-3)
Previous by thread: Bug#863575: unblock: node-concat-stream/1.5.1-2
Next by thread: Bug#863581: RM: resteasy/3.1.0-1
Index(es):
- Date
- Thread