Bug#927192: unblock: node-sshpk/1.13.1+dfsg-2
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
Please unblock package node-sshpk
Hello,
I imported the upstream patch to fix #901093, CVE-2018-3737. Here are the
full changes:
* Enable nocheck build profile
* Declare compliance with policy 4.3.0
* Add patch to fix ReDoS when parsing crafted invalid public keys
(Closes: #901093, CVE-2018-3737)
* Fix VCS fields
* Fix debian/copyright format URL
* Add descriptions in patches
* Add upstream/metadata
Reverse dependencies:
- node-http-signature
+-> node-request
+-> node-jsdom
+-> node-ytdl-core
+-> node-coveralls
+-> node-millstone
+-> node-matrix-js-sdk
+-> node-jsonld
+-> node-gyp
| |
| V
+-> npm
| +-> npm2deb
+-> yarnpkg
+-> gitlab
The change to installed files is minimal:
* 2 regexp improvements
* a null substitution:
- var data = m[2] + m[3];
+ var data = m[2] + (m[3] ? m[3] : '');
So I think it is not risky to upgrade node-sshpk.
Cheers,
Xavier
unblock node-sshpk/1.13.1+dfsg-2
diff --git a/debian/changelog b/debian/changelog
index edaed62..0cb77bd 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,21 @@
+node-sshpk (1.13.1+dfsg-2) unstable; urgency=medium
+
+ * Team upload
+
+ [ Pirate Praveen ]
+ * Enable nocheck build profile
+
+ [ Xavier Guimard ]
+ * Declare compliance with policy 4.3.0
+ * Add patch to fix ReDoS when parsing crafted invalid public keys
+ (Closes: #901093, CVE-2018-3737)
+ * Fix VCS fields
+ * Fix debian/copyright format URL
+ * Add descriptions in patches
+ * Add upstream/metadata
+
+ -- Xavier Guimard <yadd@debian.org> Tue, 16 Apr 2019 06:57:20 +0200
+
node-sshpk (1.13.1+dfsg-1) unstable; urgency=medium
* Team upload
diff --git a/debian/control b/debian/control
index 76f60a3..e0eac6f 100644
--- a/debian/control
+++ b/debian/control
@@ -7,23 +7,23 @@ Build-Depends:
debhelper (>= 9)
, dh-buildinfo
, nodejs
- , node-tape
- , node-temp
- , openssl
+ , node-tape <!nocheck>
+ , node-temp <!nocheck>
+ , openssl <!nocheck>
, node-marked-man
- , node-sinon
- , node-dashdash (>= 1.12.0)
- , node-assert-plus (>= 1.0.0)
- , node-getpass (>= 0.1.1)
- , node-asn1 (>= 0.2.3)
- , node-jsbn (>= 0.1.0)
- , node-ecc-jsbn (>= 0.1.1)
- , node-tweetnacl (>= 0.14.0)
- , node-bcrypt-pbkdf (>= 1.0.0)
-Standards-Version: 4.1.2
+ , node-sinon <!nocheck>
+ , node-dashdash (>= 1.12.0) <!nocheck>
+ , node-assert-plus (>= 1.0.0) <!nocheck>
+ , node-getpass (>= 0.1.1) <!nocheck>
+ , node-asn1 (>= 0.2.3) <!nocheck>
+ , node-jsbn (>= 0.1.0) <!nocheck>
+ , node-ecc-jsbn (>= 0.1.1) <!nocheck>
+ , node-tweetnacl (>= 0.14.0) <!nocheck>
+ , node-bcrypt-pbkdf (>= 1.0.0) <!nocheck>
+Standards-Version: 4.3.0
Homepage: https://github.com/arekinath/node-sshpk#readme
-Vcs-Git: https://anonscm.debian.org/git/pkg-javascript/node-sshpk.git
-Vcs-Browser: https://anonscm.debian.org/cgit/pkg-javascript/node-sshpk.git
+Vcs-Browser: https://salsa.debian.org/js-team/node-sshpk
+Vcs-Git: https://salsa.debian.org/js-team/node-sshpk.git
Package: node-sshpk
Architecture: all
diff --git a/debian/copyright b/debian/copyright
index 72d1687..24e192f 100644
--- a/debian/copyright
+++ b/debian/copyright
@@ -1,4 +1,4 @@
-Format: http://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
+Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
Upstream-Name: sshpk
Upstream-Contact: https://github.com/arekinath/node-sshpk/issues
Source: https://github.com/arekinath/node-sshpk#readme
@@ -32,4 +32,3 @@ License: Expat
ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.
-
diff --git a/debian/patches/CVE-2018-3737.diff b/debian/patches/CVE-2018-3737.diff
new file mode 100644
index 0000000..640a8f3
--- /dev/null
+++ b/debian/patches/CVE-2018-3737.diff
@@ -0,0 +1,63 @@
+Description: Fix CVE-2018-3737
+Author: Xavier Guimard <yadd@debian.org>
+Origin: https://github.com/joyent/node-sshpk/commit/46065d38a5e6d1bccf86d3efb2fb83c14e3f9957
+Bug: https://security-tracker.debian.org/tracker/CVE-2018-3737
+Forwarded: not-needed
+Last-Update: 2019-04-16
+
+--- a/lib/formats/ssh.js
++++ b/lib/formats/ssh.js
+@@ -14,9 +14,9 @@
+ var sshpriv = require('./ssh-private');
+
+ /*JSSTYLED*/
+-var SSHKEY_RE = /^([a-z0-9-]+)[ \t]+([a-zA-Z0-9+\/]+[=]*)([\n \t]+([^\n]+))?$/;
++var SSHKEY_RE = /^([a-z0-9-]+)[ \t]+([a-zA-Z0-9+\/]+[=]*)([ \t]+([^ \t][^\n]*[\n]*)?)?$/;
+ /*JSSTYLED*/
+-var SSHKEY_RE2 = /^([a-z0-9-]+)[ \t]+([a-zA-Z0-9+\/ \t\n]+[=]*)(.*)$/;
++var SSHKEY_RE2 = /^([a-z0-9-]+)[ \t\n]+([a-zA-Z0-9+\/][a-zA-Z0-9+\/ \t\n=]*)([^a-zA-Z0-9+\/ \t\n=].*)?$/;
+
+ function read(buf, options) {
+ if (typeof (buf) !== 'string') {
+@@ -71,7 +71,7 @@
+ * chars from the beginning up to this point in the the string.
+ * Then offset in this and try to make up for missing = chars.
+ */
+- var data = m[2] + m[3];
++ var data = m[2] + (m[3] ? m[3] : '');
+ var realOffset = Math.ceil(ret.consumed / 3) * 4;
+ data = data.slice(0, realOffset - 2). /*JSSTYLED*/
+ replace(/[^a-zA-Z0-9+\/=]/g, '') +
+--- a/test/horrors.js
++++ b/test/horrors.js
+@@ -86,6 +86,30 @@
+ t.end();
+ });
+
++var KEY_NO_COMMENT = 'ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAA' +
++ 'IbmlzdHAyNTYAAABBBK9+hFGVZ9RT61pg8t7EGgkvduhPr/CBYfx+5rQFEROj8EjkoGIH2xy' +
++ 'pHOHBz0WikK5hYcwTM5YMvnNxuU0h4+c=';
++test('normal key, no comment', function (t) {
++ var k = sshpk.parseKey(KEY_NO_COMMENT, 'ssh');
++ t.strictEqual(k.type, 'ecdsa');
++ t.strictEqual(k.fingerprint('sha256').toString(),
++ 'SHA256:Kyu0EMqH8fzfp9RXKJ6kmsk9qKGBqVRtlOuk6bXfCEU');
++ t.strictEqual(k.comment, '(unnamed)');
++ t.end();
++});
++
++var KEY_COMMENT_EQ = 'ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAA' +
++ 'IbmlzdHAyNTYAAABBBK9+hFGVZ9RT61pg8t7EGgkvduhPr/CBYfx+5rQFEROj8EjkoGIH2xy' +
++ 'pHOHBz0WikK5hYcwTM5YMvnNxuU0h4+c= abc=def=a\n';
++test('comment contains =, trailing newline', function (t) {
++ var k = sshpk.parseKey(KEY_COMMENT_EQ, 'ssh');
++ t.strictEqual(k.type, 'ecdsa');
++ t.strictEqual(k.fingerprint('sha256').toString(),
++ 'SHA256:Kyu0EMqH8fzfp9RXKJ6kmsk9qKGBqVRtlOuk6bXfCEU');
++ t.strictEqual(k.comment, 'abc=def=a');
++ t.end();
++});
++
+ var KEY_BREAK = 'ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzd' +
+ 'HAyNTYAAABBBK9+hFGVZ9RT61pg8t7\nEGgkvduhPr/CBYfx+5rQFEROj8EjkoGIH2xypHOH' +
+ 'Bz0WikK5hYcwTM5YMvnNxuU0h4+c=';
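Review bot: The DEP-3 header of the new patch gives only `Description: Fix CVE-2018-3737`, which leaves a reader of the patch to work out from the regexes why the `m[3]` guard became necessary; it is worth a sentence there. In the new SSHKEY_RE2 the third group `([^a-zA-Z0-9+\/ \t\n=].*)?` is optional and starts with a class disjoint from the base64 group, whereas the old `(.*)` always matched, so `m[3]` can now be undefined on the fallback path and `(m[3] ? m[3] : '')` covers that. I would extend the header to something like `Description: Fix CVE-2018-3737 (ReDoS): rewrite SSHKEY_RE and SSHKEY_RE2 so the base64 and comment groups use disjoint character classes and cannot backtrack into each other on crafted input; the comment group is now optional, hence the null guard on m[3].` The two added tests pin a comment-less key and a comment containing `=` with a trailing newline, but none of them times the parser on a long malformed input, so a regression test asserting that `sshpk.parseKey` completes promptly on such input would keep the fix from silently regressing; the existing KEY_BREAK case, whose body continues outside this hunk, presumably exercises the undefined-`m[3]` path.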
diff --git a/debian/patches/disable-npm.patch b/debian/patches/disable-npm.patch
index 332afa7..52e2e68 100644
--- a/debian/patches/disable-npm.patch
+++ b/debian/patches/disable-npm.patch
@@ -1,3 +1,4 @@
+Description: Disable npm
--- a/Makefile
+++ b/Makefile
@@ -44,7 +44,7 @@
diff --git a/debian/patches/series b/debian/patches/series
index bf9683c..c156910 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,3 +1,4 @@
test-parse-fingerprint.patch
disable-npm.patch
use-marked-man.patch
+CVE-2018-3737.diff
diff --git a/debian/patches/use-marked-man.patch b/debian/patches/use-marked-man.patch
index 9e996d6..137e56e 100644
--- a/debian/patches/use-marked-man.patch
+++ b/debian/patches/use-marked-man.patch
@@ -1,3 +1,4 @@
+Description: Use marked man
--- a/Makefile
+++ b/Makefile
@@ -18,7 +18,7 @@
diff --git a/debian/rules b/debian/rules
index da3ae59..d6dd17f 100755
--- a/debian/rules
+++ b/debian/rules
@@ -10,7 +10,9 @@
#override_dh_auto_build:
override_dh_auto_test:
+ifeq (,$(filter nocheck,$(DEB_BUILD_OPTIONS) $(DEB_BUILD_PROFILES)))
tape test/*.js
+endif
override_dh_auto_clean:
dh_auto_clean
diff --git a/debian/upstream/metadata b/debian/upstream/metadata
new file mode 100644
index 0000000..599633e
--- /dev/null
+++ b/debian/upstream/metadata
@@ -0,0 +1,7 @@
+---
+Archive: GitHub
+Bug-Database: https://github.com/arekinath/node-sshpk/issues
+Contact: https://github.com/arekinath/node-sshpk/issues
+Name: node-sshpk
+Repository: https://github.com/arekinath/node-sshpk.git
+Repository-Browse: https://github.com/arekinath/node-sshpk