Bug#928626: marked as done (unblock: node-axios/0.17.1+dfsg-2)

To: Niels Thykier <niels@thykier.net>
Subject: Bug#928626: marked as done (unblock: node-axios/0.17.1+dfsg-2)
From: "Debian Bug Tracking System" <owner@bugs.debian.org>
Date: Wed, 08 May 2019 05:21:06 +0000
Message-id: <[🔎] handler.928626.D928626.155729268216486.ackdone@bugs.debian.org>
Reply-to: 928626@bugs.debian.org
References: <1c41e028-12a1-d09f-5a5e-aabb00d3b387@thykier.net> <[🔎] 155726338406.4518.16142900511388088546.reportbug@deb007.xnr.fr>

Your message dated Wed, 08 May 2019 05:17:00 +0000
with message-id <1c41e028-12a1-d09f-5a5e-aabb00d3b387@thykier.net>
and subject line Re: Bug#928626: unblock: node-axios/0.17.1+dfsg-2
has caused the Debian Bug report #928626,
regarding unblock: node-axios/0.17.1+dfsg-2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
928626: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=928626
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems

--- Begin Message ---

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: unblock: node-axios/0.17.1+dfsg-2
From: Xavier Guimard <yadd@debian.org>
Date: Tue, 07 May 2019 23:09:44 +0200
Message-id: <[🔎] 155726338406.4518.16142900511388088546.reportbug@deb007.xnr.fr>

Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package node-axios

Hi all,

node-axios is vulnerable to CVE-2019-10742 (#928624). The fix is very
simple:
  --- a/lib/adapters/http.js
  +++ b/lib/adapters/http.js
  @@ -172,6 +172,7 @@
  
             // make sure the content length is not over the maxContentLength if specified
             if (config.maxContentLength > -1 && Buffer.concat(responseBuffer).length > config.maxContentLength) {
  +           stream.destroy();
               reject(createError('maxContentLength size of ' + config.maxContentLength + ' exceeded',
                 config, null, lastRequest));
             }

Full changes:
  * Declare compliance with policy 4.3.0
  * Add upstream/metadata
  * Add patch to destroy stream on exceeding maxContentLength
    (Closes: #928624, CVE-2019-10742)
  * Fix debian/copyright format URL

node-axios has no reverse dependencies.

I think it is low risky to upgrade node-axios in Buster.

Cheers,
Xavier

unblock node-axios/0.17.1+dfsg-2

-- System Information:
Debian Release: buster/sid
  APT prefers testing
  APT policy: (900, 'testing'), (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-4-amd64 (SMP w/8 CPU cores)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE= (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

diff --git a/debian/changelog b/debian/changelog
index b79d090..88ae229 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,14 @@
+node-axios (0.17.1+dfsg-2) unstable; urgency=medium
+
+  * Team upload
+  * Declare compliance with policy 4.3.0
+  * Add upstream/metadata
+  * Add patch to destroy stream on exceeding maxContentLength
+    (Closes: #928624, CVE-2019-10742)
+  * Fix debian/copyright format URL
+
+ -- Xavier Guimard <yadd@debian.org>  Tue, 07 May 2019 22:59:58 +0200
+
 node-axios (0.17.1+dfsg-1) unstable; urgency=low
 
   * Initial release (Closes: #876067)
diff --git a/debian/control b/debian/control
index 808fda3..7090bf8 100644
--- a/debian/control
+++ b/debian/control
@@ -14,7 +14,7 @@ Build-Depends:
  , node-grunt-contrib-nodeunit <!nocheck>
  , node-follow-redirects (>= 1.2.3) <!nocheck>
  , node-is-buffer (>= 1.1.5) <!nocheck>
-Standards-Version: 4.2.1
+Standards-Version: 4.3.0
 Homepage: https://github.com/mzabriskie/axios
 Vcs-Git: https://salsa.debian.org/js-team/node-axios.git
 Vcs-Browser: https://salsa.debian.org/js-team/node-axios
diff --git a/debian/copyright b/debian/copyright
index 8f366c9..7098b5e 100644
--- a/debian/copyright
+++ b/debian/copyright
@@ -1,4 +1,4 @@
-Format: http://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
+Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
 Upstream-Name: axios
 Upstream-Contact: https://github.com/mzabriskie/axios/issues
 Source: https://github.com/mzabriskie/axios
diff --git a/debian/patches/CVE-2019-10742.diff b/debian/patches/CVE-2019-10742.diff
new file mode 100644
index 0000000..3cb1a36
--- /dev/null
+++ b/debian/patches/CVE-2019-10742.diff
@@ -0,0 +1,18 @@
+Description: Destroy stream on exceeding maxContentLength
+Author: Xavier Guimard <yadd@debian.org>
+Origin: upstream, https://github.com/axios/axios/commit/0d4fca085b9b44e110f4c5a3dd7384c31abaf756
+Bug: https://github.com/axios/axios/issues/1098
+Bug-Debian: https://bugs.debian.org/928624
+Forwarded: not-needed
+Last-Update: 2019-05-07
+
+--- a/lib/adapters/http.js
++++ b/lib/adapters/http.js
+@@ -172,6 +172,7 @@
+ 
+           // make sure the content length is not over the maxContentLength if specified
+           if (config.maxContentLength > -1 && Buffer.concat(responseBuffer).length > config.maxContentLength) {
++	    stream.destroy();
+             reject(createError('maxContentLength size of ' + config.maxContentLength + ' exceeded',
+               config, null, lastRequest));
+           }
diff --git a/debian/patches/series b/debian/patches/series
index f9a8deb..877fd7a 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,2 +1,3 @@
 skip-unneeded-modules.patch
 use-webpack3.patch
+CVE-2019-10742.diff
diff --git a/debian/upstream/metadata b/debian/upstream/metadata
new file mode 100644
index 0000000..a885fe3
--- /dev/null
+++ b/debian/upstream/metadata
@@ -0,0 +1,7 @@
+---
+Archive: GitHub
+Bug-Database: https://github.com/mzabriskie/axios/issues
+Contact: https://github.com/mzabriskie/axios/issues
+Name: axios
+Repository: https://github.com/mzabriskie/axios.git
+Repository-Browse: https://github.com/mzabriskie/axios

--- End Message ---

--- Begin Message ---

To: Xavier Guimard <yadd@debian.org>, 928626-done@bugs.debian.org

Subject: Re: Bug#928626: unblock: node-axios/0.17.1+dfsg-2

From: Niels Thykier <niels@thykier.net>

Date: Wed, 08 May 2019 05:17:00 +0000

Message-id: <1c41e028-12a1-d09f-5a5e-aabb00d3b387@thykier.net>

In-reply-to: <[🔎] 155726338406.4518.16142900511388088546.reportbug@deb007.xnr.fr>

References: <[🔎] 155726338406.4518.16142900511388088546.reportbug@deb007.xnr.fr>
Xavier Guimard:
> Package: release.debian.org
> Severity: normal
> User: release.debian.org@packages.debian.org
> Usertags: unblock
> 
> Please unblock package node-axios
> 
> Hi all,
> 
> node-axios is vulnerable to CVE-2019-10742 (#928624). The fix is very
> simple:
> [...]
> 
> node-axios has no reverse dependencies.
> 
> I think it is low risky to upgrade node-axios in Buster.
> 
> Cheers,
> Xavier
> 
> unblock node-axios/0.17.1+dfsg-2
> 
> [...]

Unblocked, thanks.
~Niels
--- End Message ---

Reply to:

References:
- Bug#928626: unblock: node-axios/0.17.1+dfsg-2
  - From: Xavier Guimard <yadd@debian.org>

Prev by Date: Bug#928638: marked as done (unblock: anthy 1:0.3-8.1)
Next by Date: Bug#928639: marked as done (unblock: mecab-ipadic_2.7.0-20070801+main-2.1)
Previous by thread: Bug#928626: unblock: node-axios/0.17.1+dfsg-2
Next by thread: Bug#928630: unblock: vim/2:8.1.0875-3
Index(es):
- Date
- Thread