
Bug#927699: marked as done (unblock: node-mixin-deep/1.1.3-3)



Your message dated Mon, 22 Apr 2019 07:21:00 +0000
with message-id <070f1b17-5e03-03f6-7b80-0546ce37d005@thykier.net>
and subject line Re: Bug#927699: unblock: node-mixin-deep/1.1.3-3
has caused the Debian Bug report #927699,
regarding unblock: node-mixin-deep/1.1.3-3
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
927699: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=927699
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package node-mixin-deep

Hi all,

node-mixin-deep is vulnerable to prototype pollution[1]. I fixed this
using the upstream commit. Full changes:
  * Add upstream/metadata
  * Declare compliance with policy 4.3.0
  * Change section to javascript
  * Fix prototype pollution (Closes: #898315, CVE-2018-3719)
  * Switch tests to pkg-js-tools
  * Fix VCS fields
  * Fix debian/copyright

Main reverse-dependencies:
 - webpack
 - gulp
 - rollup & rollup plugins

The only change to installed files is a check to avoid prototype pollution
(see debian/patches/CVE-2018-3719.diff). So I think it is low risk to
upgrade node-mixin-deep.

Cheers,
Xavier

[1]: https://security-tracker.debian.org/tracker/CVE-2018-3719
     https://bugs.debian.org/898315

unblock node-mixin-deep/1.1.3-3

-- System Information:
Debian Release: buster/sid
  APT prefers testing
  APT policy: (900, 'testing'), (500, 'testing-proposed-updates'), (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-4-amd64 (SMP w/8 CPU cores)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE= (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
diff --git a/debian/changelog b/debian/changelog
index 2e47d2e..17cb287 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,23 @@
+node-mixin-deep (1.1.3-3) unstable; urgency=medium
+
+  * Team upload
+  * Back to debhelper 9 (Buster freeze)
+
+ -- Xavier Guimard <yadd@debian.org>  Sun, 21 Apr 2019 14:34:56 +0200
+
+node-mixin-deep (1.1.3-2) unstable; urgency=medium
+
+  * Team upload
+  * Add upstream/metadata
+  * Declare compliance with policy 4.3.0
+  * Change section to javascript
+  * Fix prototype pollution (Closes: #898315, CVE-2018-3719)
+  * Switch tests to pkg-js-tools
+  * Fix VCS fields
+  * Fix debian/copyright
+
+ -- Xavier Guimard <yadd@debian.org>  Sun, 21 Apr 2019 14:24:15 +0200
+
 node-mixin-deep (1.1.3-1) unstable; urgency=low
 
   * Initial release (Closes: #842329)
diff --git a/debian/control b/debian/control
index bf5ce1c..a305397 100644
--- a/debian/control
+++ b/debian/control
@@ -1,8 +1,9 @@
 Source: node-mixin-deep
-Section: web
+Section: javascript
 Priority: optional
 Maintainer: Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>
 Uploaders: Sruthi Chandran <srud@disroot.org>
+Testsuite: autopkgtest-pkg-nodejs
 Build-Depends:
  debhelper (>= 9)
  , dh-buildinfo
@@ -11,10 +12,11 @@ Build-Depends:
  , node-should
  , node-is-extendable (>= 0.1.1)
  , node-for-in (>= 0.1.4)
-Standards-Version: 3.9.8
+ , pkg-js-tools
+Standards-Version: 4.3.0
 Homepage: https://github.com/jonschlinkert/mixin-deep
-Vcs-Git: https://anonscm.debian.org/git/pkg-javascript/node-mixin-deep.git
-Vcs-Browser: https://anonscm.debian.org/cgit/pkg-javascript/node-mixin-deep.git
+Vcs-Browser: https://salsa.debian.org/js-team/node-mixin-deep
+Vcs-Git: https://salsa.debian.org/js-team/node-mixin-deep.git
 
 Package: node-mixin-deep
 Architecture: all
diff --git a/debian/copyright b/debian/copyright
index 1e90e8f..42f57f3 100644
--- a/debian/copyright
+++ b/debian/copyright
@@ -1,10 +1,10 @@
-Format: http://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
+Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
 Upstream-Name: mixin-deep
 Upstream-Contact: https://github.com/jonschlinkert/mixin-deep/issues
 Source: https://github.com/jonschlinkert/mixin-deep
 
 Files: *
-Copyright: 2016 Jon Schlinkert (https://github.com/jonschlinkert)
+Copyright: 2014-2015 Jon Schlinkert (https://github.com/jonschlinkert)
 License: Expat
 
 Files: debian/*
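Review bot: the Copyright line goes from "2016" to "2014-2015" without a changelog entry explaining the correction; please confirm the years against upstream's LICENSE and package.json history before upload, since the earlier value was presumably taken from the same source.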
@@ -31,4 +31,3 @@ License: Expat
  ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
  CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
  SOFTWARE.
-
diff --git a/debian/patches/CVE-2018-3719.diff b/debian/patches/CVE-2018-3719.diff
new file mode 100644
index 0000000..868f5bb
--- /dev/null
+++ b/debian/patches/CVE-2018-3719.diff
@@ -0,0 +1,22 @@
+Description: Fix prototype pollution (CVE-2018-3719)
+Author: Jon Schlinkert <https://github.com/jonschlinkert>
+Origin: upstream, https://github.com/jonschlinkert/mixin-deep/commit/578b0bc5e74e14de9ef4975f504dc698796bdf9c
+Bug: https://www.npmjs.com/advisories/578
+Bug-Debian: https://bugs.debian.org/898315
+Forwarded: not-needed
+Reviewed-By: Xavier Guimard <yadd@debian.org>
+Last-Update: 2019-04-21
+
+--- a/index.js
++++ b/index.js
+@@ -23,6 +23,10 @@
+  */
+ 
+ function copy(val, key) {
++  if (key === '__proto__') {
++    return;
++  }
++
+   var obj = this[key];
+   if (isObject(val) && isObject(obj)) {
+     mixinDeep(obj, val);
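Review bot: the guard `if (key === '__proto__') return;` rejects only that one literal key, while the branch below it still recurses into `this[key]` for any other key whose target value is an object, without checking that `key` is an own property of `this`. For a hardening backport consider also skipping `constructor` and `prototype` (or requiring `Object.prototype.hasOwnProperty.call(this, key)` before recursing), so that the merge cannot descend into inherited objects through a different key name. The DEP-3 header itself is complete (Origin, Bug, Bug-Debian, Last-Update).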
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 0000000..9b10403
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1 @@
+CVE-2018-3719.diff
diff --git a/debian/rules b/debian/rules
index 9eb6b18..20809a4 100755
--- a/debian/rules
+++ b/debian/rules
@@ -5,11 +5,4 @@
 #export DH_VERBOSE=1
 
 %:
-	dh $@
-
-#override_dh_auto_build:
-
-override_dh_auto_test:
-	mocha -R spec
-
-
+	dh $@ --with nodejs
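Review bot: this hunk drops the explicit `override_dh_auto_test: mocha -R spec`, so the build-time test run now depends entirely on `dh $@ --with nodejs` (pkg-js-tools) picking up `debian/tests/pkg-js/test`; please check a build log to confirm mocha still runs at build time rather than only under autopkgtest, otherwise the regression test for the CVE patch is silently skipped.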
diff --git a/debian/tests/control b/debian/tests/control
deleted file mode 100644
index 588a506..0000000
--- a/debian/tests/control
+++ /dev/null
@@ -1,5 +0,0 @@
-Tests: require
-Depends: node-mixin-deep
-
-Test-Command: mocha -R spec
-Depends: @, @builddeps@
diff --git a/debian/tests/pkg-js/test b/debian/tests/pkg-js/test
new file mode 100644
index 0000000..00882e2
--- /dev/null
+++ b/debian/tests/pkg-js/test
@@ -0,0 +1 @@
+mocha -R spec --timeout 10000
diff --git a/debian/tests/require b/debian/tests/require
deleted file mode 100644
index 02a037e..0000000
--- a/debian/tests/require
+++ /dev/null
@@ -1,3 +0,0 @@
-#!/bin/sh
-set -e
-nodejs -e "require('mixin-deep');"
diff --git a/debian/upstream/metadata b/debian/upstream/metadata
new file mode 100644
index 0000000..120af8f
--- /dev/null
+++ b/debian/upstream/metadata
@@ -0,0 +1,7 @@
+---
+Archive: GitHub
+Bug-Database: https://github.com/jonschlinkert/mixin-deep/issues
+Contact: https://github.com/jonschlinkert/mixin-deep/issues
+Name: mixin-deep
+Repository: https://github.com/jonschlinkert/mixin-deep.git
+Repository-Browse: https://github.com/jonschlinkert/mixin-deep

--- End Message ---
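The fix discussed in the unblock request, as an added illustration that is neither the package's code nor part of this thread: a simplified deep merge modelled on mixin-deep's copy() routine, run once without and once with the `__proto__` guard from the patch against a constructed JSON payload, to show why the one-line check matters.

```javascript
// Added example (not mixin-deep's own code): a minimal deep merge in the
// shape of the patched copy() routine. skipProto=false reproduces the
// pre-patch behaviour; skipProto=true adds the upstream guard.
function isObject(v) {
  return v !== null && typeof v === 'object' && !Array.isArray(v);
}

function mixinDeep(target, source, skipProto) {
  for (const key in source) {          // for-in lists the own "__proto__" key
    if (skipProto && key === '__proto__') continue;   // the upstream fix
    const val = source[key];
    const obj = target[key];           // target['__proto__'] is Object.prototype
    if (isObject(val) && isObject(obj)) {
      mixinDeep(obj, val, skipProto);  // unguarded: recurses into Object.prototype
    } else {
      target[key] = val;
    }
  }
  return target;
}

// Constructed sample input: what an untrusted JSON body parses to. Only
// JSON.parse (not an object literal) yields an *own* property named __proto__.
const PAYLOAD = JSON.parse('{"name": "x", "__proto__": {"isAdmin": true}}');

// Merge the payload into a fresh object and report whether Object.prototype
// gained "isAdmin" (i.e. every object in the process now inherits it).
// Removes the property afterwards so the check leaves no residue.
function probe(skipProto) {
  try {
    mixinDeep({}, PAYLOAD, skipProto);
    return Object.prototype.hasOwnProperty.call(Object.prototype, 'isAdmin')
      ? 'polluted' : 'clean';
  } finally {
    delete Object.prototype.isAdmin;
  }
}

// Ordinary keys are still merged when the guard is on.
function mergedName() {
  return mixinDeep({}, PAYLOAD, true).name;
}
```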
--- Begin Message ---
Xavier:
> Control: reopen -1
> 
> Hello,
> 
> node-mixin-deep/1.1.3-3 seems not to have been unblocked (perhaps you
> unblocked node-mixin-deep/1.1.3-2?)
> 
> Cheers,
> Xavier
> 

Indeed, thanks for the heads up.  I have corrected the unblock hint.

~Niels

--- End Message ---
