Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
Please unblock package node-mqtt-packet
Hi all,
node-mqtt-packet is vulnerable to CVE-2019-5432 (#928673). I imported the
upstream patch, which changes only this in installed files:
diff --git a/parser.js b/parser.js
--- a/parser.js
+++ b/parser.js
@@ -302,6 +302,7 @@ Parser.prototype._parseSubscribe = function () {
// Parse topic
topic = this._parseString()
if (topic === null) return this._emitError(new Error('Cannot parse topic'))
+ if (this._pos >= packet.length) return this._emitError(new Error('Malformed Subscribe Payload'))
options = this._parseByte()
qos = options & constants.SUBSCRIBE_OPTIONS_QOS_MASK
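Review bot: the added guard reads `packet.length`, but `_parseSubscribe` takes no parameters and the visible context does not show where `packet` is bound; please confirm it is the function's local reference to the packet under parse, otherwise the guard itself would throw rather than emit the error. Its placement is right: it runs after `_parseString()` has advanced `this._pos` and before `_parseByte()` consumes the QoS byte, so a subscribe payload whose declared topic-filter length swallows the final byte now yields a parse error instead of an out-of-range read. This copy of the hunk also lacks the blank context line that the `debian/patches/CVE-2019-5432.diff` version carries after the added line, harmless in the mail but a reason not to apply the patch from here.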
Full changes:
* Add upstream/metadata
* Declare compliance with policy 4.3.0
* Fix malformed subscribe crash (Closes: #928673, CVE-2019-5432)
* Fix debian/copyright format url
* Enable upstream test during build
node-mqtt-packet has no reverse dependencies, so I think it is not risky
to upgrade the Buster package.
Cheers,
Xavier
unblock node-mqtt-packet/6.0.0-2
diff --git a/debian/changelog b/debian/changelog
index b52e259..0bd7ec1 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,14 @@
+node-mqtt-packet (6.0.0-2) unstable; urgency=medium
+
+ * Team upload
+ * Add upstream/metadata
+ * Declare compliance with policy 4.3.0
+ * Fix malformed subscribe crash (Closes: #928673, CVE-2019-5432)
+ * Fix debian/copyright format url
+ * Enable upstream test during build
+
+ -- Xavier Guimard <yadd@debian.org> Wed, 08 May 2019 19:27:08 +0200
+
node-mqtt-packet (6.0.0-1) unstable; urgency=low
* New upstream release
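Review bot: the entry does not record the six Build-Depends added in debian/control, which are part of "Enable upstream test during build"; a short mention there would help future maintainers understand why a pure-JS package grew build dependencies. The `Closes: #928673, CVE-2019-5432` reference is correctly formed.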
diff --git a/debian/control b/debian/control
index 48e32a0..079e795 100644
--- a/debian/control
+++ b/debian/control
@@ -7,7 +7,13 @@ Build-Depends:
debhelper (>= 10)
, dh-buildinfo
, nodejs
-Standards-Version: 4.2.1
+ , node-bl
+ , node-inherits (>= 2.0.3)
+ , node-safe-buffer (>= 5.1.0)
+ , node-process-nextick-args (>= 2.0.0)
+ , node-readable-stream <!nocheck>
+ , node-tape <!nocheck>
+Standards-Version: 4.3.0
Homepage: https://github.com/mqttjs/mqtt-packet
Vcs-Git: https://salsa.debian.org/js-team/node-mqtt-packet.git
Vcs-Browser: https://salsa.debian.org/js-team/node-mqtt-packet
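Review bot: only `node-readable-stream` and `node-tape` carry the `<!nocheck>` restriction, while `node-bl`, `node-inherits`, `node-safe-buffer` and `node-process-nextick-args` are added as unconditional Build-Depends. If they are needed only so that `tape test.js` can load the module at build time, they should also be marked `<!nocheck>` so a nocheck build does not pull them in; the `Depends:` field is outside this hunk, so please also confirm the runtime side already lists whatever the module requires.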
diff --git a/debian/copyright b/debian/copyright
index 218888d..8a2fffa 100644
--- a/debian/copyright
+++ b/debian/copyright
@@ -1,4 +1,4 @@
-Format: http://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
+Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
Upstream-Name: mqtt-packet
Upstream-Contact: https://github.com/mqttjs/mqtt-packet/issues
Source: https://github.com/mqttjs/mqtt-packet
diff --git a/debian/patches/CVE-2019-5432.diff b/debian/patches/CVE-2019-5432.diff
new file mode 100644
index 0000000..cb45ae6
--- /dev/null
+++ b/debian/patches/CVE-2019-5432.diff
@@ -0,0 +1,38 @@
+Description: Fix malformed subscribe crash
+Author: Alexander Kaiser <alexander.kaiser@relayr.de>
+Origin: upstream, https://github.com/mqttjs/mqtt-packet/commit/2fdbf0f7d59efc2a4812402d0794711d99704760
+Bug: https://hackerone.com/reports/541354
+Bug-Debian: https://bugs.debian.org/<bugnumber>
+Forwarded: not-needed
+Last-Update: 2019-05-08
+
+--- a/parser.js
++++ b/parser.js
+@@ -302,6 +302,7 @@
+ // Parse topic
+ topic = this._parseString()
+ if (topic === null) return this._emitError(new Error('Cannot parse topic'))
++ if (this._pos >= packet.length) return this._emitError(new Error('Malformed Subscribe Payload'))
+
+ options = this._parseByte()
+ qos = options & constants.SUBSCRIBE_OPTIONS_QOS_MASK
+--- a/test.js
++++ b/test.js
+@@ -1714,6 +1714,17 @@
+ 38, 0, 4, 116, 101, 115, 116, 0, 4, 116, 101, 115, 116 // userProperties
+ ]))
+
++// When a Subscribe packet contains a topic_filter and the given
++// length is topic_filter.length + 1 then the last byte (requested QoS) is interpreted as topic_filter
++// reading the requested_qos at the end causes 'Index out of range' read
++testParseError('Malformed Subscribe Payload', Buffer.from([
++ 130, 14, // subscribe header and remaining length
++ 0, 123, // packet ID
++ 0, 10, // topic filter length
++ 104, 105, 106, 107, 108, 47, 109, 110, 111, // topic filter with length of 9 bytes
++ 0 // requested QoS
++]))
++
+ test('stops parsing after first error', function (t) {
+ t.plan(4)
+
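Review bot: `Bug-Debian: https://bugs.debian.org/<bugnumber>` is an unfilled DEP-3 template placeholder and should point at `https://bugs.debian.org/928673`, the bug the changelog closes. The rest of the header is fine: `Origin` names the upstream commit and `Forwarded: not-needed` is right for a cherry-pick. The included test.js hunk is worth keeping: its constructed packet declares a 10-byte topic filter but supplies 9 bytes plus the QoS byte, exactly the shape that made `_parseByte()` read past the end, so with `tape test.js` wired into the build the regression is exercised on every rebuild. The test relies on a `testParseError` helper that is not part of the patch, so that build-time run is also what confirms the helper exists in the 6.0.0 test.js.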
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 0000000..a352227
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1 @@
+CVE-2019-5432.diff
diff --git a/debian/rules b/debian/rules
index de57af0..1ff29b6 100755
--- a/debian/rules
+++ b/debian/rules
@@ -7,9 +7,7 @@
%:
dh $@
-#override_dh_auto_build:
-
-#override_dh_auto_test:
-
-
-
+override_dh_auto_test:
+ifeq (,$(filter nocheck,$(DEB_BUILD_OPTIONS) $(DEB_BUILD_PROFILES)))
+ tape test.js
+endif
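Review bot: the recipe line `tape test.js` under `override_dh_auto_test` must be tab-indented for make; indentation is lost in this mail copy, so please verify it in the repository. The `ifeq (,$(filter nocheck,$(DEB_BUILD_OPTIONS) $(DEB_BUILD_PROFILES)))` guard matches the `<!nocheck>` restrictions in debian/control, which is consistent, and dropping the commented-out `override_dh_auto_build`/`override_dh_auto_test` stubs is fine. Note that `tape` exits non-zero on a failing assertion and will fail the build, which is the intended behaviour since the CVE regression test is part of that suite.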
diff --git a/debian/upstream/metadata b/debian/upstream/metadata
new file mode 100644
index 0000000..c58a86e
--- /dev/null
+++ b/debian/upstream/metadata
@@ -0,0 +1,7 @@
+---
+Archive: GitHub
+Bug-Database: https://github.com/mqttjs/mqtt-packet/issues
+Contact: https://github.com/mqttjs/mqtt-packet/issues
+Name: mqtt-packet
+Repository: https://github.com/mqttjs/mqtt-packet.git
+Repository-Browse: https://github.com/mqttjs/mqtt-packet