Bug#927378: stretch-pu: package node-superagent/0.20.0+dfsg-1+deb9u1
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian.org@packages.debian.org
Usertags: pu
Hi all,
I updated node-superagent for Buster. Now I would like to propose the
security fix for stretch. This fixes CVE-2017-16129 (ZIP bomb attacks).
Cheers,
Xavier
diff --git a/debian/changelog b/debian/changelog
index 0df52d2..43d031a 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+node-superagent (0.20.0+dfsg-1+deb9u1) stretch; urgency=medium
+
+ * Add patch to fix ZIP bomb attacks (Closes: CVE-2017-16129)
+
+ -- Xavier Guimard <yadd@debian.org> Thu, 18 Apr 2019 20:37:30 +0200
+
node-superagent (0.20.0+dfsg-1) unstable; urgency=medium
* Imported Upstream version 0.20.0+dfsg
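Review bot: `Closes:` in the new changelog entry at `* Add patch to fix ZIP bomb attacks (Closes: CVE-2017-16129)` is parsed for Debian bug numbers (`#NNNNNN`), so a CVE identifier there closes nothing; the security tracker matches the CVE string wherever it appears in the entry. Suggest `* Add patch to fix ZIP bomb attacks (CVE-2017-16129)` and reserve `Closes:` for a bug number.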
diff --git a/debian/patches/CVE-2017-16129.diff b/debian/patches/CVE-2017-16129.diff
new file mode 100644
index 0000000..7fc56a9
--- /dev/null
+++ b/debian/patches/CVE-2017-16129.diff
@@ -0,0 +1,34 @@
+Description: Fix for CVE-2017-16129
+Author: Xavier Guimard <yadd@debian.org>
+Origin: https://github.com/visionmedia/superagent/commit/946e28dab08f2ab334753bf36a2fbc5110d17789
+Bug: https://security-tracker.debian.org/tracker/CVE-2017-16129
+Forwarded: https://github.com/visionmedia/superagent/commit/946e28dab08f2ab334753bf36a2fbc5110d17789
+Last-Update: 2019-04-18
+
+--- a/lib/node/index.js
++++ b/lib/node/index.js
+@@ -898,6 +898,24 @@
+ // explicit parser
+ if (parser) parse = parser;
+
++ if (buffer) {
++ // Protectiona against zip bombs and other nuisance
++ let responseBytesLeft = self._maxResponseSize || 200000000;
++ res.on('data', function(buf) {
++ responseBytesLeft -= buf.byteLength || buf.length;
++ if (responseBytesLeft < 0) {
++ // This will propagate through error event
++ const err = Error("Maximum response size reached");
++ err.code = "ETOOLARGE";
++ // Parsers aren't required to observe error event,
++ // so would incorrectly report success
++ parserHandlesEnd = false;
++ // Will emit error event
++ res.destroy(err);
++ }
++ });
++ }
++
+ // parse
+ if (parse) {
+ try {
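Review bot: `parserHandlesEnd = false;` assigns to a variable that this hunk never declares, and the comment beside it implies an `end` handler that consults the flag; confirm that 0.20.0's lib/node/index.js already declares and checks `parserHandlesEnd` at this scope, otherwise the assignment creates an undeclared global in sloppy mode (or throws in strict mode) and the size limit never changes what the `end` path reports. The hunk also uses `let` and `const`, but stretch's nodejs is 4.8, where block-scoped declarations are only accepted in strict-mode code; unless the file starts with `'use strict'`, use `var` to match the surrounding ES5 code. `self._maxResponseSize` is read but nothing in this patch lets a caller set it, so the `200000000`-byte default is the only limit in effect: either backport whatever upstream uses to set `_maxResponseSize` or state in the Description that only the fixed default applies. Minor: `Protectiona` in the comment should be `Protection`, and with `Origin:` already naming the upstream commit, DEP-3 expects `Forwarded: not-needed` rather than a repeat of the URL.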
diff --git a/debian/patches/series b/debian/patches/series
index c366f88..a44323a 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1 +1,2 @@
no_require_readable-stream.patch
+CVE-2017-16129.diff