
Bug#927192: marked as done (unblock: node-sshpk/1.13.1+dfsg-2)



Your message dated Tue, 16 Apr 2019 05:35:00 +0000
with message-id <cd277a30-5833-e0c8-8640-7c7b0c055d91@thykier.net>
and subject line Re: Bug#927192: unblock: node-sshpk/1.13.1+dfsg-2
has caused the Debian Bug report #927192,
regarding unblock: node-sshpk/1.13.1+dfsg-2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
927192: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=927192
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package node-sshpk

Hello,

I imported the upstream patch to fix #901093, CVE-2018-3737. Here are the
full changes:
  * Enable nocheck build profile
  * Declare compliance with policy 4.3.0
  * Add patch to fix ReDoS when parsing crafted invalid public keys
    (Closes: #901093, CVE-2018-3737)
  * Fix VCS fields
  * Fix debian/copyright format URL
  * Add descriptions in patches
  * Add upstream/metadata

Reverse dependencies:
 - node-http-signature
   +-> node-request
       +-> node-jsdom
       +-> node-ytdl-core
       +-> node-coveralls
       +-> node-millstone
       +-> node-matrix-js-sdk
       +-> node-jsonld
       +-> node-gyp
       |    |
       |    V
       +-> npm
       |    +-> npm2deb
       +-> yarnpkg
            +-> gitlab

Changes to installed files are minimal:
 * 2 regexp improvements
 * a null substitution:
    - var data = m[2] + m[3];
    + var data = m[2] + (m[3] ? m[3] : '');

So I think it is not risky to upgrade node-sshpk.

Cheers,
Xavier

unblock node-sshpk/1.13.1+dfsg-2
diff --git a/debian/changelog b/debian/changelog
index edaed62..0cb77bd 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,21 @@
+node-sshpk (1.13.1+dfsg-2) unstable; urgency=medium
+
+  * Team upload
+
+  [ Pirate Praveen ]
+  * Enable nocheck build profile
+
+  [ Xavier Guimard ]
+  * Declare compliance with policy 4.3.0
+  * Add patch to fix ReDoS when parsing crafted invalid public keys
+    (Closes: #901093, CVE-2018-3737)
+  * Fix VCS fields
+  * Fix debian/copyright format URL
+  * Add descriptions in patches
+  * Add upstream/metadata
+
+ -- Xavier Guimard <yadd@debian.org>  Tue, 16 Apr 2019 06:57:20 +0200
+
 node-sshpk (1.13.1+dfsg-1) unstable; urgency=medium
 
   * Team upload
diff --git a/debian/control b/debian/control
index 76f60a3..e0eac6f 100644
--- a/debian/control
+++ b/debian/control
@@ -7,23 +7,23 @@ Build-Depends:
  debhelper (>= 9)
  , dh-buildinfo
  , nodejs
- , node-tape
- , node-temp
- , openssl
+ , node-tape <!nocheck>
+ , node-temp <!nocheck>
+ , openssl <!nocheck>
  , node-marked-man
- , node-sinon
- , node-dashdash (>= 1.12.0)
- , node-assert-plus (>= 1.0.0)
- , node-getpass (>= 0.1.1)
- , node-asn1 (>= 0.2.3)
- , node-jsbn (>= 0.1.0)
- , node-ecc-jsbn (>= 0.1.1)
- , node-tweetnacl (>= 0.14.0)
- , node-bcrypt-pbkdf (>= 1.0.0)
-Standards-Version: 4.1.2
+ , node-sinon <!nocheck>
+ , node-dashdash (>= 1.12.0) <!nocheck>
+ , node-assert-plus (>= 1.0.0) <!nocheck>
+ , node-getpass (>= 0.1.1) <!nocheck>
+ , node-asn1 (>= 0.2.3) <!nocheck>
+ , node-jsbn (>= 0.1.0) <!nocheck>
+ , node-ecc-jsbn (>= 0.1.1) <!nocheck>
+ , node-tweetnacl (>= 0.14.0) <!nocheck>
+ , node-bcrypt-pbkdf (>= 1.0.0) <!nocheck>
+Standards-Version: 4.3.0
 Homepage: https://github.com/arekinath/node-sshpk#readme
-Vcs-Git: https://anonscm.debian.org/git/pkg-javascript/node-sshpk.git
-Vcs-Browser: https://anonscm.debian.org/cgit/pkg-javascript/node-sshpk.git
+Vcs-Browser: https://salsa.debian.org/js-team/node-sshpk
+Vcs-Git: https://salsa.debian.org/js-team/node-sshpk.git
 
 Package: node-sshpk
 Architecture: all
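Review bot: restricting node-dashdash, node-assert-plus, node-getpass, node-asn1, node-jsbn, node-ecc-jsbn, node-tweetnacl and node-bcrypt-pbkdf to `<!nocheck>` assumes they are needed only by the test suite; for an Architecture: all package with no compile step that is plausible, but a build with the nocheck profile should be checked to still succeed, with node-marked-man (used for the man pages) correctly left unrestricted. The Vcs-Browser/Vcs-Git lines also change order relative to the old block, which is harmless.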
diff --git a/debian/copyright b/debian/copyright
index 72d1687..24e192f 100644
--- a/debian/copyright
+++ b/debian/copyright
@@ -1,4 +1,4 @@
-Format: http://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
+Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
 Upstream-Name: sshpk
 Upstream-Contact: https://github.com/arekinath/node-sshpk/issues
 Source: https://github.com/arekinath/node-sshpk#readme
@@ -32,4 +32,3 @@ License: Expat
  ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
  CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
  SOFTWARE.
-
diff --git a/debian/patches/CVE-2018-3737.diff b/debian/patches/CVE-2018-3737.diff
new file mode 100644
index 0000000..640a8f3
--- /dev/null
+++ b/debian/patches/CVE-2018-3737.diff
@@ -0,0 +1,63 @@
+Description: Fix CVE-2018-3737
+Author: Xavier Guimard <yadd@debian.org>
+Origin: https://github.com/joyent/node-sshpk/commit/46065d38a5e6d1bccf86d3efb2fb83c14e3f9957
+Bug: https://security-tracker.debian.org/tracker/CVE-2018-3737
+Forwarded: not-needed
+Last-Update: 2019-04-16
+
+--- a/lib/formats/ssh.js
++++ b/lib/formats/ssh.js
+@@ -14,9 +14,9 @@
+ var sshpriv = require('./ssh-private');
+ 
+ /*JSSTYLED*/
+-var SSHKEY_RE = /^([a-z0-9-]+)[ \t]+([a-zA-Z0-9+\/]+[=]*)([\n \t]+([^\n]+))?$/;
++var SSHKEY_RE = /^([a-z0-9-]+)[ \t]+([a-zA-Z0-9+\/]+[=]*)([ \t]+([^ \t][^\n]*[\n]*)?)?$/;
+ /*JSSTYLED*/
+-var SSHKEY_RE2 = /^([a-z0-9-]+)[ \t]+([a-zA-Z0-9+\/ \t\n]+[=]*)(.*)$/;
++var SSHKEY_RE2 = /^([a-z0-9-]+)[ \t\n]+([a-zA-Z0-9+\/][a-zA-Z0-9+\/ \t\n=]*)([^a-zA-Z0-9+\/ \t\n=].*)?$/;
+ 
+ function read(buf, options) {
+ 	if (typeof (buf) !== 'string') {
+@@ -71,7 +71,7 @@
+ 		 * chars from the beginning up to this point in the the string.
+ 		 * Then offset in this and try to make up for missing = chars.
+ 		 */
+-		var data = m[2] + m[3];
++		var data = m[2] + (m[3] ? m[3] : '');
+ 		var realOffset = Math.ceil(ret.consumed / 3) * 4;
+ 		data = data.slice(0, realOffset - 2). /*JSSTYLED*/
+ 		    replace(/[^a-zA-Z0-9+\/=]/g, '') +
+--- a/test/horrors.js
++++ b/test/horrors.js
+@@ -86,6 +86,30 @@
+ 	t.end();
+ });
+ 
++var KEY_NO_COMMENT = 'ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAA' +
++    'IbmlzdHAyNTYAAABBBK9+hFGVZ9RT61pg8t7EGgkvduhPr/CBYfx+5rQFEROj8EjkoGIH2xy' +
++    'pHOHBz0WikK5hYcwTM5YMvnNxuU0h4+c=';
++test('normal key, no comment', function (t) {
++	var k = sshpk.parseKey(KEY_NO_COMMENT, 'ssh');
++	t.strictEqual(k.type, 'ecdsa');
++	t.strictEqual(k.fingerprint('sha256').toString(),
++	    'SHA256:Kyu0EMqH8fzfp9RXKJ6kmsk9qKGBqVRtlOuk6bXfCEU');
++	t.strictEqual(k.comment, '(unnamed)');
++	t.end();
++});
++
++var KEY_COMMENT_EQ = 'ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAA' +
++    'IbmlzdHAyNTYAAABBBK9+hFGVZ9RT61pg8t7EGgkvduhPr/CBYfx+5rQFEROj8EjkoGIH2xy' +
++    'pHOHBz0WikK5hYcwTM5YMvnNxuU0h4+c= abc=def=a\n';
++test('comment contains =, trailing newline', function (t) {
++	var k = sshpk.parseKey(KEY_COMMENT_EQ, 'ssh');
++	t.strictEqual(k.type, 'ecdsa');
++	t.strictEqual(k.fingerprint('sha256').toString(),
++	    'SHA256:Kyu0EMqH8fzfp9RXKJ6kmsk9qKGBqVRtlOuk6bXfCEU');
++	t.strictEqual(k.comment, 'abc=def=a');
++	t.end();
++});
++
+ var KEY_BREAK = 'ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzd' +
+     'HAyNTYAAABBBK9+hFGVZ9RT61pg8t7\nEGgkvduhPr/CBYfx+5rQFEROj8EjkoGIH2xypHOH' +
+     'Bz0WikK5hYcwTM5YMvnNxuU0h4+c=';
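Review bot: the DEP-3 header gives `Author: Xavier Guimard` while `Origin:` points at the upstream commit 46065d38a5e6d1bccf86d3efb2fb83c14e3f9957; if this is an unmodified backport the Author field should credit the upstream author, or be dropped in favour of `Origin: upstream, <url>` (`Forwarded: not-needed` is then right). On the fix itself: in the new SSHKEY_RE2 the optional group 3 must begin with a character outside group 2's class, and in SSHKEY_RE the comment must begin with a non-blank, which removes the overlapping whitespace alternatives that allowed catastrophic backtracking; the `m[3] ? m[3] : ''` guard is required because group 3 is now optional and would otherwise concatenate "undefined". The two added tests only cover well-formed keys; a regression test feeding the malformed-key class named in the CVE under a bounded timeout would also protect the ReDoS fix against future regex edits.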
diff --git a/debian/patches/disable-npm.patch b/debian/patches/disable-npm.patch
index 332afa7..52e2e68 100644
--- a/debian/patches/disable-npm.patch
+++ b/debian/patches/disable-npm.patch
@@ -1,3 +1,4 @@
+Description: Disable npm
 --- a/Makefile
 +++ b/Makefile
 @@ -44,7 +44,7 @@
diff --git a/debian/patches/series b/debian/patches/series
index bf9683c..c156910 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,3 +1,4 @@
 test-parse-fingerprint.patch
 disable-npm.patch
 use-marked-man.patch
+CVE-2018-3737.diff
diff --git a/debian/patches/use-marked-man.patch b/debian/patches/use-marked-man.patch
index 9e996d6..137e56e 100644
--- a/debian/patches/use-marked-man.patch
+++ b/debian/patches/use-marked-man.patch
@@ -1,3 +1,4 @@
+Description: Use marked man
 --- a/Makefile
 +++ b/Makefile
 @@ -18,7 +18,7 @@
diff --git a/debian/rules b/debian/rules
index da3ae59..d6dd17f 100755
--- a/debian/rules
+++ b/debian/rules
@@ -10,7 +10,9 @@
 #override_dh_auto_build:
 
 override_dh_auto_test:
+ifeq (,$(filter nocheck,$(DEB_BUILD_OPTIONS) $(DEB_BUILD_PROFILES)))
 	tape test/*.js
+endif
 
 override_dh_auto_clean:
 	dh_auto_clean
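Review bot: the `ifeq` guard is needed here because `override_dh_auto_test` replaces dh_auto_test, which would otherwise skip itself under nocheck on its own; checking both DEB_BUILD_OPTIONS and DEB_BUILD_PROFILES matches the `<!nocheck>` build-dependency restrictions in debian/control. Make evaluates `ifeq`/`endif` at parse time, so they must stay unindented as they are in this hunk.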
diff --git a/debian/upstream/metadata b/debian/upstream/metadata
new file mode 100644
index 0000000..599633e
--- /dev/null
+++ b/debian/upstream/metadata
@@ -0,0 +1,7 @@
+---
+Archive: GitHub
+Bug-Database: https://github.com/arekinath/node-sshpk/issues
+Contact: https://github.com/arekinath/node-sshpk/issues
+Name: node-sshpk
+Repository: https://github.com/arekinath/node-sshpk.git
+Repository-Browse: https://github.com/arekinath/node-sshpk
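Review bot: Repository and Repository-Browse point at github.com/arekinath/node-sshpk (consistent with Homepage in debian/control), whereas the CVE-2018-3737.diff header records `Origin:` under github.com/joyent/node-sshpk; worth confirming which is the current upstream location so the metadata does not refer to a redirected repository.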

--- End Message ---
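As an added example (not code from the Debian patch or from upstream node-sshpk), the two fixed patterns from CVE-2018-3737.diff applied to the keys from the patch's own tests; the helper names splitKey and fallbackData are assumptions, and the byte-count slice the real fallback performs before its clean-up is not reproduced.

```javascript
// Added example, not part of the Debian patch or of upstream node-sshpk.
// The two patterns are copied verbatim from the fixed lib/formats/ssh.js.
const SSHKEY_RE = /^([a-z0-9-]+)[ \t]+([a-zA-Z0-9+\/]+[=]*)([ \t]+([^ \t][^\n]*[\n]*)?)?$/;
const SSHKEY_RE2 = /^([a-z0-9-]+)[ \t\n]+([a-zA-Z0-9+\/][a-zA-Z0-9+\/ \t\n=]*)([^a-zA-Z0-9+\/ \t\n=].*)?$/;

// Base64 blob of the ecdsa key used by the patch's test/horrors.js cases.
const DATA = 'AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBK9+hFGVZ9RT61pg8t7' +
    'EGgkvduhPr/CBYfx+5rQFEROj8EjkoGIH2xypHOHBz0WikK5hYcwTM5YMvnNxuU0h4+c=';
const KEY_NO_COMMENT = 'ecdsa-sha2-nistp256 ' + DATA;
const KEY_COMMENT_EQ = KEY_NO_COMMENT + ' abc=def=a\n';
// Same key with a line break inside the base64, as in the patch's KEY_BREAK.
const KEY_BREAK = 'ecdsa-sha2-nistp256 ' + DATA.replace('t7EGgkv', 't7\nEGgkv');

// Strict path (assumed helper name): the comment group must now start with a
// non-blank character, so the pattern cannot backtrack across whitespace runs.
function splitKey(line) {
  const m = line.match(SSHKEY_RE);
  if (!m) return null;
  return { type: m[1], data: m[2], comment: m[4] ? m[4].trim() : '' };
}

// Lenient path (assumed helper name) for keys the strict pattern rejects.
// Group 3 is optional in the fixed SSHKEY_RE2, so m[3] can be undefined; the
// guard is the "null substitution" from the patch (old code appended "undefined").
function fallbackData(line) {
  const m = line.match(SSHKEY_RE2);
  if (!m) return null;
  const raw = m[2] + (m[3] ? m[3] : '');
  // Same clean-up the patch applies afterwards; the byte-count slice is omitted here.
  return raw.replace(/[^a-zA-Z0-9+\/=]/g, '');
}
```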
--- Begin Message ---
Xavier Guimard:
> Package: release.debian.org
> Severity: normal
> User: release.debian.org@packages.debian.org
> Usertags: unblock
> 
> Please unblock package node-sshpk
> 
> Hello,
> 
> I imported the upstream patch to fix #901093, CVE-2018-3737. Here are the
> full changes:
>   * Enable nocheck build profile
>   * Declare compliance with policy 4.3.0
>   * Add patch to fix ReDoS when parsing crafted invalid public keys
>     (Closes: #901093, CVE-2018-3737)
>   * Fix VCS fields
>   * Fix debian/copyright format URL
>   * Add descriptions in patches
>   * Add upstream/metadata
> 
> [...]
> 
> Cheers,
> Xavier
> 
> unblock node-sshpk/1.13.1+dfsg-2
> 

Unblocked, thanks.
~Niels

--- End Message ---