
Bug#925583: marked as done (unblock: node-opencv/6.0.0+git20180416.cfc96ba0-3)



Your message dated Wed, 27 Mar 2019 06:47:00 +0000
with message-id <7067b586-339d-4bff-942a-5bf7176c56d7@thykier.net>
and subject line Re: Bug#925583: unblock: node-opencv/6.0.0+git20180416.cfc96ba0-3
has caused the Debian Bug report #925583,
regarding unblock: node-opencv/6.0.0+git20180416.cfc96ba0-3
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
925583: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=925583
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package node-opencv

Hi all,

This release fixes 2 bugs:
 - #925571: CVE-2019-10061
 - #924462: "please make the build reproducible"

Even if this vulnerability isn't tagged as "serious" but only as
"important", I think it is a good thing to upgrade the Debian version.

node-opencv has no reverse dependencies, so it seems not risky to
unblock this change.

Cheers,
Xavier

unblock node-opencv/6.0.0+git20180416.cfc96ba0-3

-- System Information:
Debian Release: buster/sid
  APT prefers testing
  APT policy: (900, 'testing'), (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-2-amd64 (SMP w/8 CPU cores)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE= (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
diff --git a/debian/changelog b/debian/changelog
index ebfd618..fde7213 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,16 @@
+node-opencv (6.0.0+git20180416.cfc96ba0-3) unstable; urgency=medium
+
+  * Team upload
+
+  [ Xavier Guimard ]
+  * Add dh_installexamples -Xtmp/ to make build reproductible. Thanks to
+    Chris Lamb (Closes: #924462)
+
+  [ Utkarsh Gupta ]
+  * Add patch to fix CVE-2019-10061 (Closes: #925571)
+
+ -- Utkarsh Gupta <guptautkarsh2102@gmail.com>  Wed, 27 Mar 2019 04:27:41 +0530
+
 node-opencv (6.0.0+git20180416.cfc96ba0-2) unstable; urgency=medium
 
   * Team upload
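Review bot: "reproductible" in the first [ Xavier Guimard ] bullet should read "reproducible"; otherwise the two Closes references match the two bugs named in the unblock request (#924462 and #925571).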
@@ -6,10 +19,6 @@ node-opencv (6.0.0+git20180416.cfc96ba0-2) unstable; urgency=medium
   * Add upstream/metadata
   * Update description
   * Set hardening flags
-  * Remove unneeded dependency versions
-  * Add upstream/metadata
-  * Update description
-  * Set hardening flags
   * Fix autopkgtest failures on an unbuild tree and test installed files
   * Install examples in the right place
 
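Review bot: Three of the four removed bullets ("Add upstream/metadata", "Update description", "Set hardening flags") are verbatim duplicates of the context lines directly above them, so dropping them from the already-released -2 stanza is fine; "Remove unneeded dependency versions" has no visible duplicate in this hunk, so confirm it still appears earlier in the -2 stanza before removing it, otherwise that entry is lost from the history.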
diff --git a/debian/patches/CVE-2019-10061.patch b/debian/patches/CVE-2019-10061.patch
new file mode 100644
index 0000000..40ede57
--- /dev/null
+++ b/debian/patches/CVE-2019-10061.patch
@@ -0,0 +1,51 @@
+Description: This patch is in reference with  CVE-2019-10061.
+Author: Utkarsh Gupta
+Origin: https://github.com/peterbraden/node-opencv/commit/81a4b8620188e89f7e4fc985f3c89b58d4bcc86b
+ https://github.com/peterbraden/node-opencv/commit/aaece6921d7368577511f06c94c99dd4e9653563
+Bug-Debian: https://bugs.debian.org/925571
+Last-Update: 2019-03-26
+
+--- node-opencv-6.0.0+git20180416.cfc96ba0.orig/src/FaceRecognizer.h
++++ node-opencv-6.0.0+git20180416.cfc96ba0/src/FaceRecognizer.h
+@@ -8,6 +8,7 @@ namespace cv {
+   using cv::face::FaceRecognizer;
+ }
+ #else
++#warning using opencv2 contrib
+ #include "opencv2/contrib/contrib.hpp"
+ #endif
+ 
+--- node-opencv-6.0.0+git20180416.cfc96ba0.orig/utils/find-opencv.js
++++ node-opencv-6.0.0+git20180416.cfc96ba0/utils/find-opencv.js
+@@ -2,13 +2,20 @@
+ 
+ var exec = require("child_process").exec;
+ var fs = require("fs");
+-var flag = process.argv[2] || "--exists";
++
++var flags = {
++  '--cflags' : '--cflags',
++  '--libs' : '--libs'
++}
++var flag = flags[process.argv[2]] || '--exists'
++
++
+ 
+ // Normally |pkg-config opencv ...| could report either OpenCV 2.x or OpenCV 3.y
+ // depending on what is installed.  To enable both 2.x and 3.y to co-exist on
+ // the same machine, the opencv.pc for 3.y can be installed as opencv3.pc and
+ // then selected by |export PKG_CONFIG_OPENCV3=1| before building node-opencv.
+-var opencv = process.env.PKG_CONFIG_OPENCV3 === "1" ? "opencv3" : '"opencv >= 2.3.1"';
++var opencv = process.env.PKG_CONFIG_OPENCV3 === "1" ? "opencv3" : ' "opencv >= 2.3.1"';
+ 
+ function main(){
+     //Try using pkg-config, but if it fails and it is on Windows, try the fallback
+@@ -18,7 +25,7 @@ function main(){
+                 fallback();
+             }
+             else{
+-                throw new Error("ERROR: failed to run: pkg-config", opencv, flag);
++              throw new Error("ERROR: failed to run: pkg-config" + opencv + " " + flag + " - Is OpenCV installed?");
+             }
+         }
+         else{
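Review bot: In the find-opencv.js hunk, the lookup `flags[process.argv[2]]` also resolves inherited properties of a plain object (for example `constructor` or `toString`), which are truthy, so the `|| '--exists'` fallback is skipped and a non-string value ends up concatenated into the pkg-config command line; guarding with `Object.prototype.hasOwnProperty.call(flags, process.argv[2])` or an array check such as `['--cflags', '--libs'].indexOf(process.argv[2]) !== -1` keeps the allow-list strict. Two smaller points: the DEP-3 `Description:` should say what the patch does (restrict the user-supplied flag to a fixed allow-list before it reaches the exec'd pkg-config call, and make the error message a single string) rather than only naming the CVE, and the `#warning using opencv2 contrib` added to FaceRecognizer.h is unrelated to the CVE and adds a build-log warning on the opencv2 path, so it belongs in a separate patch or should be dropped.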
diff --git a/debian/patches/series b/debian/patches/series
index bf036a7..4d1e52d 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,2 +1,3 @@
 0001_fix_makefile.patch
 0002_patch_unittest.patch
+CVE-2019-10061.patch
diff --git a/debian/rules b/debian/rules
index 1cd5e96..299c7ba 100755
--- a/debian/rules
+++ b/debian/rules
@@ -35,6 +35,9 @@ override_dh_auto_clean:
 	rm -rf node_modules
 	rm -rf build
 
+override_dh_installexamples:
+	dh_installexamples -Xtmp/
+
 DEB_UPSTREAM_VERSION := $(shell echo $(DEB_VERSION) | sed -e 's/-[^-]*$$//')
 GIT_URL = https://github.com/peterbraden/node-opencv.git
 get-orig-source:
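Review bot: The `override_dh_installexamples` target with `-Xtmp/` is the reproducibility fix from the changelog, but nothing in debian/rules records why `tmp/` is excluded; a one-line comment above the override naming the build-time directory being kept out of the examples (and referencing #924462) would stop a later maintainer from removing it as an apparently arbitrary exclusion.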

--- End Message ---
--- Begin Message ---
Xavier Guimard:
> Package: release.debian.org
> Severity: normal
> User: release.debian.org@packages.debian.org
> Usertags: unblock
> 
> Please unblock package node-opencv
> 
> Hi all,
> 
> This release fixes 2 bugs:
>  - #925571: CVE-2019-10061
>  - #924462: "please make the build reproducible"
> 
> Even if this vulnerability isn't tagged as "serious" but only as
> "important", I think it is a good thing to upgrade the Debian version.
> 
> node-opencv has no reverse dependencies, so it seems not risky to
> unblock this change.
> 
> Cheers,
> Xavier
> 
> unblock node-opencv/6.0.0+git20180416.cfc96ba0-3
> 
> [...]

Unblocked, thanks.
~Niels

--- End Message ---