Bug#927378: stretch-pu: package node-superagent/0.20.0+dfsg-1+deb9u1

To: 927378@bugs.debian.org, Xavier Guimard <yadd@debian.org>
Subject: Bug#927378: stretch-pu: package node-superagent/0.20.0+dfsg-1+deb9u1
From: Paul Gevers <elbrus@debian.org>
Date: Mon, 22 Apr 2019 20:15:07 +0200
Message-id: <[🔎] beba7b41-518a-a57b-7269-85da51690047@debian.org>
Reply-to: Paul Gevers <elbrus@debian.org>, 927378@bugs.debian.org
In-reply-to: <[🔎] 155561304137.9569.8400174068152315722.reportbug@deb007.xnr.fr>
References: <[🔎] 155561304137.9569.8400174068152315722.reportbug@deb007.xnr.fr> <[🔎] 155561304137.9569.8400174068152315722.reportbug@deb007.xnr.fr> <[🔎] 155561304137.9569.8400174068152315722.reportbug@deb007.xnr.fr>

Hi Xavier,

On Thu, 18 Apr 2019 20:44:01 +0200 Xavier Guimard <yadd@debian.org> wrote:
> I updated node-superagent for Buster. Now I would like to propose the
> security fix for stretch. This fixes CVE-2017-16129 (ZIP bomb attacks).

I think your patch seems to be invalid in stretch. When I ran the
autopkgtests in stretch I see the error below, which is exactly the new
code.

Could you please have a look soon?

Paul

https://ci.debian.net/data/autopkgtest/stable/amd64/n/node-superagent/2285440/log.gz

autopkgtest [17:53:58]: test require: [-----------------------
/usr/lib/nodejs/superagent/lib/node/index.js:903
          let responseBytesLeft = self._maxResponseSize || 200000000;
          ^^^

SyntaxError: Block-scoped declarations (let, const, function, class) not
yet supported outside strict mode
    at exports.runInThisContext (vm.js:53:16)
    at Module._compile (module.js:373:25)
    at Object.Module._extensions..js (module.js:416:10)
    at Module.load (module.js:343:32)
    at Function.Module._load (module.js:300:12)
    at Module.require (module.js:353:17)
    at require (internal/module.js:12:17)
    at [eval]:1:1
    at Object.exports.runInThisContext (vm.js:54:17)
    at Object.<anonymous> ([eval]-wrapper:6:22)
autopkgtest [17:53:58]: test require: -----------------------]



https://ci.debian.net/data/autopkgtest/stable/amd64/n/node-supertest/2285441/log.gz

autopkgtest [17:54:01]: test require: [-----------------------
/usr/lib/nodejs/superagent/lib/node/index.js:903
          let responseBytesLeft = self._maxResponseSize || 200000000;
          ^^^

SyntaxError: Block-scoped declarations (let, const, function, class) not
yet supported outside strict mode
    at exports.runInThisContext (vm.js:53:16)
    at Module._compile (module.js:373:25)
    at Object.Module._extensions..js (module.js:416:10)
    at Module.load (module.js:343:32)
    at Function.Module._load (module.js:300:12)
    at Module.require (module.js:353:17)
    at require (internal/module.js:12:17)
    at Object.<anonymous> (/usr/lib/nodejs/supertest/lib/test.js:5:15)
    at Module._compile (module.js:409:26)
    at Object.Module._extensions..js (module.js:416:10)
autopkgtest [17:54:01]: test require: -----------------------]

Reply to:

Follow-Ups:
- Bug#927378: stretch-pu: package node-superagent/0.20.0+dfsg-1+deb9u1
  - From: Xavier <yadd@debian.org>

References:
- Bug#927378: stretch-pu: package node-superagent/0.20.0+dfsg-1+deb9u1
  - From: Xavier Guimard <yadd@debian.org>

Prev by Date: Bug#926888: unblock: wget/1.20.1-1.1
Next by Date: Bug#927754: unblock: libfm-qt/0.14.1-6
Previous by thread: Processed: node-superagent 0.20.0+dfsg-1+deb9u1 flagged for acceptance
Next by thread: Bug#927378: stretch-pu: package node-superagent/0.20.0+dfsg-1+deb9u1
Index(es):
- Date
- Thread