
Bug#928677: marked as done (unblock: node-mqtt-packet/6.0.0-2)



Your message dated Sat, 11 May 2019 10:04:00 +0000
with message-id <13763f43-8a1f-29a9-e419-b24c875dc350@thykier.net>
and subject line Re: unblock: node-mqtt-packet/6.0.0-2
has caused the Debian Bug report #928677,
regarding unblock: node-mqtt-packet/6.0.0-2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
928677: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=928677
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package node-mqtt-packet

Hi all,

node-mqtt-packet is vulnerable to CVE-2019-5432 (#928673). I imported the
upstream patch, which changes only this in the installed files:

  diff --git a/parser.js b/parser.js
  --- a/parser.js
  +++ b/parser.js
  @@ -302,6 +302,7 @@ Parser.prototype._parseSubscribe = function () {
       // Parse topic
       topic = this._parseString()
       if (topic === null) return this._emitError(new Error('Cannot parse topic'))
  +    if (this._pos >= packet.length) return this._emitError(new Error('Malformed Subscribe Payload'))
  
       options = this._parseByte()
       qos = options & constants.SUBSCRIBE_OPTIONS_QOS_MASK
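Review bot: the new line `if (this._pos >= packet.length) return this._emitError(new Error('Malformed Subscribe Payload'))` is placed correctly, between the topic parse and `options = this._parseByte()`, so the one-byte requested-QoS read can no longer land past the end of the payload; note that it guards only that single byte, so the `_parseString()` call above it must keep rejecting a declared topic length that exceeds the remaining bytes (the `topic === null` branch handles that case here), otherwise the overread would simply move into the topic read.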

Full changes:
  * Add upstream/metadata
  * Declare compliance with policy 4.3.0
  * Fix malformed subscribe crash (Closes: #928673, CVE-2019-5432)
  * Fix debian/copyright format url
  * Enable upstream test during build

node-mqtt-packet has no reverse dependencies, so I think it is not risky
to upgrade the Buster package.

Cheers,
Xavier

unblock node-mqtt-packet/6.0.0-2
diff --git a/debian/changelog b/debian/changelog
index b52e259..0bd7ec1 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,14 @@
+node-mqtt-packet (6.0.0-2) unstable; urgency=medium
+
+  * Team upload
+  * Add upstream/metadata
+  * Declare compliance with policy 4.3.0
+  * Fix malformed subscribe crash (Closes: #928673, CVE-2019-5432)
+  * Fix debian/copyright format url
+  * Enable upstream test during build
+
+ -- Xavier Guimard <yadd@debian.org>  Wed, 08 May 2019 19:27:08 +0200
+
 node-mqtt-packet (6.0.0-1) unstable; urgency=low
 
   * New upstream release
diff --git a/debian/control b/debian/control
index 48e32a0..079e795 100644
--- a/debian/control
+++ b/debian/control
@@ -7,7 +7,13 @@ Build-Depends:
  debhelper (>= 10)
  , dh-buildinfo
  , nodejs
-Standards-Version: 4.2.1
+ , node-bl
+ , node-inherits (>= 2.0.3)
+ , node-safe-buffer (>= 5.1.0)
+ , node-process-nextick-args (>= 2.0.0)
+ , node-readable-stream <!nocheck>
+ , node-tape <!nocheck>
+Standards-Version: 4.3.0
 Homepage: https://github.com/mqttjs/mqtt-packet
 Vcs-Git: https://salsa.debian.org/js-team/node-mqtt-packet.git
 Vcs-Browser: https://salsa.debian.org/js-team/node-mqtt-packet
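Review bot: the four new unconditional Build-Depends (`node-bl`, `node-inherits (>= 2.0.3)`, `node-safe-buffer (>= 5.1.0)`, `node-process-nextick-args (>= 2.0.0)`) are not restricted with `<!nocheck>` the way `node-readable-stream` and `node-tape` are; if they are needed only to run the test suite that debian/rules now enables, they should carry the same profile restriction so a nocheck build does not pull them in, and if they are runtime dependencies of the module, make sure the binary package's Depends lists them consistently.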
diff --git a/debian/copyright b/debian/copyright
index 218888d..8a2fffa 100644
--- a/debian/copyright
+++ b/debian/copyright
@@ -1,4 +1,4 @@
-Format: http://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
+Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
 Upstream-Name: mqtt-packet
 Upstream-Contact: https://github.com/mqttjs/mqtt-packet/issues
 Source: https://github.com/mqttjs/mqtt-packet
diff --git a/debian/patches/CVE-2019-5432.diff b/debian/patches/CVE-2019-5432.diff
new file mode 100644
index 0000000..cb45ae6
--- /dev/null
+++ b/debian/patches/CVE-2019-5432.diff
@@ -0,0 +1,38 @@
+Description: Fix malformed subscribe crash
+Author: Alexander Kaiser <alexander.kaiser@relayr.de>
+Origin: upstream, https://github.com/mqttjs/mqtt-packet/commit/2fdbf0f7d59efc2a4812402d0794711d99704760
+Bug: https://hackerone.com/reports/541354
+Bug-Debian: https://bugs.debian.org/<bugnumber>
+Forwarded: not-needed
+Last-Update: 2019-05-08
+
+--- a/parser.js
++++ b/parser.js
+@@ -302,6 +302,7 @@
+     // Parse topic
+     topic = this._parseString()
+     if (topic === null) return this._emitError(new Error('Cannot parse topic'))
++    if (this._pos >= packet.length) return this._emitError(new Error('Malformed Subscribe Payload'))
+ 
+     options = this._parseByte()
+     qos = options & constants.SUBSCRIBE_OPTIONS_QOS_MASK
+--- a/test.js
++++ b/test.js
+@@ -1714,6 +1714,17 @@
+   38, 0, 4, 116, 101, 115, 116, 0, 4, 116, 101, 115, 116 // userProperties
+ ]))
+ 
++// When a Subscribe packet contains a topic_filter and the given
++// length is topic_filter.length + 1 then the last byte (requested QoS) is interpreted as topic_filter
++// reading the requested_qos at the end causes 'Index out of range' read
++testParseError('Malformed Subscribe Payload', Buffer.from([
++  130, 14, // subscribe header and remaining length
++  0, 123,  // packet ID
++  0, 10,   // topic filter length
++  104, 105, 106, 107, 108, 47, 109, 110, 111,  // topic filter with length of 9 bytes
++  0       // requested QoS
++]))
++
+ test('stops parsing after first error', function (t) {
+   t.plan(4)
+ 
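Review bot: `Bug-Debian: https://bugs.debian.org/<bugnumber>` still carries the DEP-3 template placeholder; fill it with the bug this upload closes, i.e. `Bug-Debian: https://bugs.debian.org/928673` as in the changelog entry. The rest of the header is consistent (`Origin: upstream` with the commit URL and `Forwarded: not-needed` are right for a backported upstream fix), and the added test vector, with a declared topic length of 10 over a 9-byte topic plus the QoS byte, exercises exactly the case the new `_pos >= packet.length` check rejects.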
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 0000000..a352227
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1 @@
+CVE-2019-5432.diff
diff --git a/debian/rules b/debian/rules
index de57af0..1ff29b6 100755
--- a/debian/rules
+++ b/debian/rules
@@ -7,9 +7,7 @@
 %:
 	dh $@
 
-#override_dh_auto_build:
-
-#override_dh_auto_test:
-
-
-
+override_dh_auto_test:
+ifeq (,$(filter nocheck,$(DEB_BUILD_OPTIONS) $(DEB_BUILD_PROFILES)))
+	tape test.js
+endif
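Review bot: the `override_dh_auto_test` target runs `tape test.js` only when `nocheck` is absent from both `DEB_BUILD_OPTIONS` and `DEB_BUILD_PROFILES`, which matches the `<!nocheck>` restriction on `node-tape` in debian/control; since this is the first upload that runs the upstream suite at build time, confirm it passes in a clean build chroot, because a test failure now fails the package build (the intended effect of "Enable upstream test during build").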
diff --git a/debian/upstream/metadata b/debian/upstream/metadata
new file mode 100644
index 0000000..c58a86e
--- /dev/null
+++ b/debian/upstream/metadata
@@ -0,0 +1,7 @@
+---
+Archive: GitHub
+Bug-Database: https://github.com/mqttjs/mqtt-packet/issues
+Contact: https://github.com/mqttjs/mqtt-packet/issues
+Name: mqtt-packet
+Repository: https://github.com/mqttjs/mqtt-packet.git
+Repository-Browse: https://github.com/mqttjs/mqtt-packet

--- End Message ---
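As an added illustration of the check in the patch above (this is example code, not from mqtt-packet or the Debian package): a minimal parser for the SUBSCRIBE packet identifier and payload, run once without and once with the bounds check, on the payload from the patch's own test case. `parseString`, `parseSubscriptions` and `outcome` are names chosen here, not the library's.

```javascript
// Added example, not code from mqtt-packet or the Debian package: a minimal
// parser for the SUBSCRIBE packet id + payload that reproduces the
// CVE-2019-5432 overread and shows the effect of the added bounds check.
// Layout: packet id (2 bytes), then repeated
// [topic length (2 bytes, big-endian)][topic bytes][requested QoS (1 byte)].

// Reads one length-prefixed string; returns null if the prefix or the
// declared length runs past the end of the buffer.
function parseString(buf, pos) {
  if (pos + 2 > buf.length) return null
  const len = buf.readUInt16BE(pos)
  if (pos + 2 + len > buf.length) return null
  return { value: buf.toString('utf8', pos + 2, pos + 2 + len), next: pos + 2 + len }
}

// With checkBounds=false this mirrors the pre-patch logic: a topic whose
// declared length swallows the QoS byte leaves pos === buf.length, and the
// following readUInt8 throws a RangeError instead of a parser error.
function parseSubscriptions(buf, checkBounds) {
  let pos = 2 // skip the packet identifier
  const subscriptions = []
  while (pos < buf.length) {
    const topic = parseString(buf, pos)
    if (topic === null) return { error: 'Cannot parse topic' }
    pos = topic.next
    if (checkBounds && pos >= buf.length) return { error: 'Malformed Subscribe Payload' }
    const qos = buf.readUInt8(pos) & 0x03 // SUBSCRIBE_OPTIONS_QOS_MASK
    pos += 1
    subscriptions.push({ topic: topic.value, qos })
  }
  return { subscriptions }
}

// Wraps the parse so a thrown RangeError (the crash) is reported as a string.
function outcome(buf, checkBounds) {
  try {
    const r = parseSubscriptions(buf, checkBounds)
    return r.error ? 'error: ' + r.error : 'ok: ' + JSON.stringify(r.subscriptions)
  } catch (e) {
    return e instanceof RangeError ? 'crash: RangeError' : 'crash: ' + e.name
  }
}

// Constructed inputs (fixed header 130, 14 stripped). The first is the payload
// from the patch's test case: declared topic length 10 covers the 9-byte
// topic plus the QoS byte, so nothing is left for the QoS read.
const malformed = Buffer.from([0, 123, 0, 10, 104, 105, 106, 107, 108, 47, 109, 110, 111, 0])
const wellFormed = Buffer.from([0, 123, 0, 9, 104, 105, 106, 107, 108, 47, 109, 110, 111, 1])

console.log(outcome(malformed, false)) // crash: RangeError
console.log(outcome(malformed, true))  // error: Malformed Subscribe Payload
console.log(outcome(wellFormed, true)) // ok: [{"topic":"hijkl/mno","qos":1}]
```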
--- Begin Message ---
On Wed, 08 May 2019 19:33:54 +0200 Xavier Guimard <yadd@debian.org> wrote:
> Package: release.debian.org
> Severity: normal
> User: release.debian.org@packages.debian.org
> Usertags: unblock
> 
> Please unblock package node-mqtt-packet
> 
> Hi all,
> 
> node-mqtt-packet is vulnerable to CVE-2019-5432 (#928673). I imported the
> upstream patch, which changes only this in the installed files:
> 
>   diff --git a/parser.js b/parser.js
>   --- a/parser.js
>   +++ b/parser.js
>   @@ -302,6 +302,7 @@ Parser.prototype._parseSubscribe = function () {
>        // Parse topic
>        topic = this._parseString()
>        if (topic === null) return this._emitError(new Error('Cannot parse topic'))
>   +    if (this._pos >= packet.length) return this._emitError(new Error('Malformed Subscribe Payload'))
>   
>        options = this._parseByte()
>        qos = options & constants.SUBSCRIBE_OPTIONS_QOS_MASK
> 
> Full changes:
>   * Add upstream/metadata
>   * Declare compliance with policy 4.3.0
>   * Fix malformed subscribe crash (Closes: #928673, CVE-2019-5432)
>   * Fix debian/copyright format url
>   * Enable upstream test during build
> 
> node-mqtt-packet has no reverse dependencies, so I think it is not risky
> to upgrade the Buster package.
> 
> Cheers,
> Xavier
> 
> unblock node-mqtt-packet/6.0.0-2

Unblocked, thanks.
~Niels

--- End Message ---