Bug#925583: unblock: node-opencv/6.0.0+git20180416.cfc96ba0-3

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Bug#925583: unblock: node-opencv/6.0.0+git20180416.cfc96ba0-3
From: Xavier Guimard <yadd@debian.org>
Date: Wed, 27 Mar 2019 07:10:45 +0100
Message-id: <[🔎] 155366704595.12418.18111465313786701149.reportbug@deb007.xnr.fr>
Reply-to: Xavier Guimard <yadd@debian.org>, 925583@bugs.debian.org

Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package node-opencv

Hi all,

This release fixes 2 bugs:
 - #925571: CVE-2019-10061
 - #924462: "please make the build reproducible"

Even if this vulnerability isn't tagged as "serious" but only
"important", I think it is a good thing to upgrade Debian version.

node-opencv has no reverse dependencies, so it seems not risky to
unblock this change.

Cheers,
Xavier

unblock node-opencv/6.0.0+git20180416.cfc96ba0-3

-- System Information:
Debian Release: buster/sid
  APT prefers testing
  APT policy: (900, 'testing'), (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-2-amd64 (SMP w/8 CPU cores)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE= (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

diff --git a/debian/changelog b/debian/changelog
index ebfd618..fde7213 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,16 @@
+node-opencv (6.0.0+git20180416.cfc96ba0-3) unstable; urgency=medium
+
+  * Team upload
+
+  [ Xavier Guimard ]
+  * Add dh_installexamples -Xtmp/ to make build reproductible. Thanks to
+    Chris Lamb (Closes: #924462)
+
+  [ Utkarsh Gupta ]
+  * Add patch to fix CVE-2019-10061 (Closes: #925571)
+
+ -- Utkarsh Gupta <guptautkarsh2102@gmail.com>  Wed, 27 Mar 2019 04:27:41 +0530
+
 node-opencv (6.0.0+git20180416.cfc96ba0-2) unstable; urgency=medium
 
   * Team upload
@@ -6,10 +19,6 @@ node-opencv (6.0.0+git20180416.cfc96ba0-2) unstable; urgency=medium
   * Add upstream/metadata
   * Update description
   * Set hardening flags
-  * Remove unneeded dependency versions
-  * Add upstream/metadata
-  * Update description
-  * Set hardening flags
   * Fix autopkgtest failures on an unbuild tree and test installed files
   * Install examples in the right place
 
diff --git a/debian/patches/CVE-2019-10061.patch b/debian/patches/CVE-2019-10061.patch
new file mode 100644
index 0000000..40ede57
--- /dev/null
+++ b/debian/patches/CVE-2019-10061.patch
@@ -0,0 +1,51 @@
+Description: This patch is in reference with  CVE-2019-10061.
+Author: Utkarsh Gupta
+Origin: https://github.com/peterbraden/node-opencv/commit/81a4b8620188e89f7e4fc985f3c89b58d4bcc86b
+ https://github.com/peterbraden/node-opencv/commit/aaece6921d7368577511f06c94c99dd4e9653563
+Bug-Debian: https://bugs.debian.org/925571
+Last-Update: 2019-03-26
+
+--- node-opencv-6.0.0+git20180416.cfc96ba0.orig/src/FaceRecognizer.h
++++ node-opencv-6.0.0+git20180416.cfc96ba0/src/FaceRecognizer.h
+@@ -8,6 +8,7 @@ namespace cv {
+   using cv::face::FaceRecognizer;
+ }
+ #else
++#warning using opencv2 contrib
+ #include "opencv2/contrib/contrib.hpp"
+ #endif
+ 
+--- node-opencv-6.0.0+git20180416.cfc96ba0.orig/utils/find-opencv.js
++++ node-opencv-6.0.0+git20180416.cfc96ba0/utils/find-opencv.js
+@@ -2,13 +2,20 @@
+ 
+ var exec = require("child_process").exec;
+ var fs = require("fs");
+-var flag = process.argv[2] || "--exists";
++
++var flags = {
++  '--cflags' : '--cflags',
++  '--libs' : '--libs'
++}
++var flag = flags[process.argv[2]] || '--exists'
++
++
+ 
+ // Normally |pkg-config opencv ...| could report either OpenCV 2.x or OpenCV 3.y
+ // depending on what is installed.  To enable both 2.x and 3.y to co-exist on
+ // the same machine, the opencv.pc for 3.y can be installed as opencv3.pc and
+ // then selected by |export PKG_CONFIG_OPENCV3=1| before building node-opencv.
+-var opencv = process.env.PKG_CONFIG_OPENCV3 === "1" ? "opencv3" : '"opencv >= 2.3.1"';
++var opencv = process.env.PKG_CONFIG_OPENCV3 === "1" ? "opencv3" : ' "opencv >= 2.3.1"';
+ 
+ function main(){
+     //Try using pkg-config, but if it fails and it is on Windows, try the fallback
+@@ -18,7 +25,7 @@ function main(){
+                 fallback();
+             }
+             else{
+-                throw new Error("ERROR: failed to run: pkg-config", opencv, flag);
++              throw new Error("ERROR: failed to run: pkg-config" + opencv + " " + flag + " - Is OpenCV installed?");
+             }
+         }
+         else{
diff --git a/debian/patches/series b/debian/patches/series
index bf036a7..4d1e52d 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,2 +1,3 @@
 0001_fix_makefile.patch
 0002_patch_unittest.patch
+CVE-2019-10061.patch
diff --git a/debian/rules b/debian/rules
index 1cd5e96..299c7ba 100755
--- a/debian/rules
+++ b/debian/rules
@@ -35,6 +35,9 @@ override_dh_auto_clean:
 	rm -rf node_modules
 	rm -rf build
 
+override_dh_installexamples:
+	dh_installexamples -Xtmp/
+
 DEB_UPSTREAM_VERSION := $(shell echo $(DEB_VERSION) | sed -e 's/-[^-]*$$//')
 GIT_URL = https://github.com/peterbraden/node-opencv.git
 get-orig-source:

Reply to:

Follow-Ups:
- Bug#925583: marked as done (unblock: node-opencv/6.0.0+git20180416.cfc96ba0-3)
  - From: "Debian Bug Tracking System" <owner@bugs.debian.org>

Prev by Date: Bug#925576: unblock: python-trustme/0.4.0-2
Next by Date: Bug#925559: unblock: netlib-java/0.9.3-5
Previous by thread: Bug#925576: unblock: python-trustme/0.4.0-2
Next by thread: Bug#925583: marked as done (unblock: node-opencv/6.0.0+git20180416.cfc96ba0-3)
Index(es):
- Date
- Thread