Bug#935970: stretch-pu: package node-fstream/1.0.10-1+deb9u1

Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian.org@packages.debian.org
Usertags: pu

Hi,

node-fstream is vulnerable to Arbitrary File Overwrite (#931408,
CVE-2019-13173). This little patch fixes the problem.

Cheers,
Xavier
diff --git a/debian/changelog b/debian/changelog
index 8162572..41fb724 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+node-fstream (1.0.10-1+deb9u1) stretch; urgency=medium
+
+  * Team upload
+  * Clobber a Link if it's in the way of a File
+    (Closes: #931408, CVE-2019-13173)
+
+ -- Xavier Guimard <yadd@debian.org>  Wed, 28 Aug 2019 16:49:20 +0200
+
 node-fstream (1.0.10-1) unstable; urgency=medium
 
   * New upstream version 1.0.10
diff --git a/debian/patches/CVE-2019-13173.diff b/debian/patches/CVE-2019-13173.diff
new file mode 100644
index 0000000..6adddad
--- /dev/null
+++ b/debian/patches/CVE-2019-13173.diff
@@ -0,0 +1,20 @@
+Description: Clobber a Link if it's in the way of a File
+Author: isaacs <i@izs.me>
+Origin: upstream, https://github.com/npm/fstream/commit/6a77d2f
+Bug: https://www.npmjs.com/advisories/886
+Bug-Debian: https://bugs.debian.org/931408
+Forwarded: not-needed
+Reviewed-By: Xavier Guimard <yadd@debian.org>
+Last-Update: 2019-08-28
+
+--- a/lib/writer.js
++++ b/lib/writer.js
+@@ -147,7 +147,7 @@
+ 
+     // if it's a type change, then we need to clobber or error.
+     // if it's not a type change, then let the impl take care of it.
+-    if (currentType !== self.type) {
++    if (currentType !== self.type || self.type === 'File' && current.nlink > 1) {
+       return rimraf(self._path, function (er) {
+         if (er) return self.error(er)
+         self._old = null
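Review bot: the changed condition `if (currentType !== self.type || self.type === 'File' && current.nlink > 1)` relies on `&&` binding tighter than `||`; the intended reading (clobber when the on-disk type differs, or when a File is being written over an existing File that has more than one hard link) would be unambiguous as `currentType !== self.type || (self.type === 'File' && current.nlink > 1)`. The behaviour matches the Description line: an entry with `nlink > 1` is removed with `rimraf(self._path, ...)` before the File writer proceeds, and since unlinking removes only this directory entry, the link's other name keeps the old content instead of receiving the extracted data. The header's `Origin: upstream, https://github.com/npm/fstream/commit/6a77d2f` plus `Forwarded: not-needed` is the correct DEP-3 pairing for a cherry-picked upstream commit.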
diff --git a/debian/patches/series b/debian/patches/series
index d1851b7..3e5db07 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1 +1,2 @@
 fixtest.patch
+CVE-2019-13173.diff