Bug#927378: stretch-pu: package node-superagent/0.20.0+dfsg-1+deb9u1
On 22/04/2019 at 20:15, Paul Gevers wrote:
> Hi Xavier,
> 
> On Thu, 18 Apr 2019 20:44:01 +0200 Xavier Guimard <yadd@debian.org> wrote:
>> I updated node-superagent for Buster. Now I would like to propose the
>> security fix for stretch. This fixes CVE-2017-16129 (ZIP bomb attacks).
> 
> I think your patch seems to be invalid in stretch. When I ran the
> autopkgtests in stretch I see the error below, which is exactly the new
> code.
> 
> Could you please have a look soon?
> 
> Paul
Hello,
sorry for this error in my tests. Here is a new debdiff (let replaced by
var for old nodejs, no consequences here since this variable isn't used
anywhere else).
Cheers,
Xavier
diff --git a/debian/changelog b/debian/changelog
index 0df52d2..645a574 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+node-superagent (0.20.0+dfsg-1+deb9u1) stretch; urgency=medium
+
+  * Team upload
+  * Add patch to fix ZIP bomb attacks (Closes: CVE-2017-16129)
+
+ -- Xavier Guimard <yadd@debian.org>  Thu, 18 Apr 2019 20:37:30 +0200
+
 node-superagent (0.20.0+dfsg-1) unstable; urgency=medium
 
   * Imported Upstream version 0.20.0+dfsg
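Review bot: `(Closes: CVE-2017-16129)` in the new changelog entry will not close anything, because dpkg and the BTS only act on `Closes: #nnnnnn` with a Debian bug number; write the CVE id plainly instead, e.g. `* Add patch to fix ZIP bomb attacks (CVE-2017-16129)`, and add `(Closes: #...)` with the actual BTS number only if a bug is filed for this CVE.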
diff --git a/debian/patches/CVE-2017-16129.diff b/debian/patches/CVE-2017-16129.diff
new file mode 100644
index 0000000..bedfe20
--- /dev/null
+++ b/debian/patches/CVE-2017-16129.diff
@@ -0,0 +1,34 @@
+Description: Fix for CVE-2017-16129
+Author: Xavier Guimard <yadd@debian.org>
+Origin: https://github.com/visionmedia/superagent/commit/946e28dab08f2ab334753bf36a2fbc5110d17789
+Bug: https://security-tracker.debian.org/tracker/CVE-2017-16129
+Forwarded: https://github.com/visionmedia/superagent/commit/946e28dab08f2ab334753bf36a2fbc5110d17789
+Last-Update: 2019-04-18
+
+--- a/lib/node/index.js
++++ b/lib/node/index.js
+@@ -898,6 +898,24 @@
+     // explicit parser
+     if (parser) parse = parser;
+ 
++        if (buffer) {
++          // Protection against zip bombs and other nuisance
++          var responseBytesLeft = self._maxResponseSize || 200000000;
++          res.on('data', function(buf) {
++            responseBytesLeft -= buf.byteLength || buf.length;
++            if (responseBytesLeft < 0) {
++              // This will propagate through error event
++              const err = Error("Maximum response size reached");
++              err.code = "ETOOLARGE";
++              // Parsers aren't required to observe error event,
++              // so would incorrectly report success
++              parserHandlesEnd = false;
++              // Will emit error event
++              res.destroy(err);
++            }
++          });
++        }
++
+     // parse
+     if (parse) {
+       try {
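Review bot: the added block assigns `parserHandlesEnd = false` and reads `self._maxResponseSize`, but neither identifier is defined anywhere in this hunk, and the upstream commit given in `Origin:` was written against a much newer superagent (the fix landed in the 3.x series), so please confirm both exist in stretch's `lib/node/index.js` at 0.20.0. If `parserHandlesEnd` is absent, the assignment only creates a stray global (nothing in the hunk shows the file in strict mode) and the intended effect, stopping the parser from reporting success on a body truncated by `res.destroy(err)`, is lost; an undefined `self._maxResponseSize` is harmless thanks to the `|| 200000000` fallback, but then the limit cannot be configured. Two smaller points: `let` was swapped for `var` for old nodejs while `const err` stayed (stretch's nodejs accepts `const` outside strict mode, so only consistency is at stake), and the added lines are indented eight spaces where the surrounding context uses four.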
diff --git a/debian/patches/series b/debian/patches/series
index c366f88..a44323a 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1 +1,2 @@
 no_require_readable-stream.patch
+CVE-2017-16129.diff
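Review bot: cosmetic only, but the new entry uses a `.diff` suffix while the existing `no_require_readable-stream.patch` uses `.patch`; quilt accepts either, so this is just a matter of keeping one convention in `series`.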