- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: buster-pu: package node-mongodb/3.1.13+~3.1.11-2+deb10u1
- From: Xavier Guimard <yadd@debian.org>
- Date: Sun, 26 Apr 2020 21:45:28 +0200
- Message-id: <158793032892.404363.1789314459173896837.reportbug@deb007.xnr.fr>
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu
Hi,
bson (embedded in node-mongodb) is vulnerable to Deserialization of Untrusted
Data: an object carrying an unrecognized `_bsontype` was serialized silently instead of being rejected. The backported upstream fix addresses both CVE-2019-2391 and CVE-2020-7610.
Cheers,
Xavier
diff --git a/debian/changelog b/debian/changelog
index 7b663b5..5ee648d 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+node-mongodb (3.1.13+~3.1.11-2+deb10u1) buster; urgency=medium
+
+ * Throw if invalid _bsontype is detected
+ (Closes: CVE-2019-2391, CVE-2020-7610)
+
+ -- Xavier Guimard <yadd@debian.org> Sun, 26 Apr 2020 21:41:23 +0200
+
node-mongodb (3.1.13+~3.1.11-2) unstable; urgency=medium
* Remove bson tests (Closes: #923353)
diff --git a/debian/patches/fix-json-parsing.diff b/debian/patches/fix-json-parsing.diff
new file mode 100644
index 0000000..f4b9c44
--- /dev/null
+++ b/debian/patches/fix-json-parsing.diff
@@ -0,0 +1,73 @@
+Description: throw if invalid _bsontype is detected
+ Closes: CVE-2019-2391, CVE-2020-7610
+Author: Matt Broadstone
+Bug: https://snyk.io/vuln/SNYK-JS-BSON-561052
+Forwarded: not-needed
+Reviewed-By: Xavier Guimard <yadd@debian.org>
+Last-Update: 2020-04-26
+
+--- a/bson/browser_build/bson.js
++++ b/bson/browser_build/bson.js
+@@ -17074,6 +17074,8 @@
+ index = serializeInt32(buffer, key, value, index, true);
+ } else if (value['_bsontype'] === 'MinKey' || value['_bsontype'] === 'MaxKey') {
+ index = serializeMinMax(buffer, key, value, index, true);
++ } else if (typeof value['_bsontype'] !== 'undefined') {
++ throw new TypeError('Unrecognized or invalid _bsontype: ' + value['_bsontype']);
+ }
+ }
+ } else if (object instanceof Map) {
+@@ -17152,6 +17154,8 @@
+ index = serializeInt32(buffer, key, value, index);
+ } else if (value['_bsontype'] === 'MinKey' || value['_bsontype'] === 'MaxKey') {
+ index = serializeMinMax(buffer, key, value, index);
++ } else if (typeof value['_bsontype'] !== 'undefined') {
++ throw new TypeError('Unrecognized or invalid _bsontype: ' + value['_bsontype']);
+ }
+ }
+ } else {
+@@ -17233,6 +17237,8 @@
+ index = serializeInt32(buffer, key, value, index);
+ } else if (value['_bsontype'] === 'MinKey' || value['_bsontype'] === 'MaxKey') {
+ index = serializeMinMax(buffer, key, value, index);
++ } else if (typeof value['_bsontype'] !== 'undefined') {
++ throw new TypeError('Unrecognized or invalid _bsontype: ' + value['_bsontype']);
+ }
+ }
+ }
+@@ -17745,4 +17751,4 @@
+ /***/ })
+ /******/ ])
+ });
+-;
+\ No newline at end of file
++;
+--- a/bson/lib/bson/parser/serializer.js
++++ b/bson/lib/bson/parser/serializer.js
+@@ -778,6 +778,8 @@
+ index = serializeInt32(buffer, key, value, index, true);
+ } else if (value['_bsontype'] === 'MinKey' || value['_bsontype'] === 'MaxKey') {
+ index = serializeMinMax(buffer, key, value, index, true);
++ } else if (typeof value['_bsontype'] !== 'undefined') {
++ throw new TypeError('Unrecognized or invalid _bsontype: ' + value['_bsontype']);
+ }
+ }
+ } else if (object instanceof Map) {
+@@ -876,6 +878,8 @@
+ index = serializeInt32(buffer, key, value, index);
+ } else if (value['_bsontype'] === 'MinKey' || value['_bsontype'] === 'MaxKey') {
+ index = serializeMinMax(buffer, key, value, index);
++ } else if (typeof value['_bsontype'] !== 'undefined') {
++ throw new TypeError('Unrecognized or invalid _bsontype: ' + value['_bsontype']);
+ }
+ }
+ } else {
+@@ -978,6 +982,8 @@
+ index = serializeInt32(buffer, key, value, index);
+ } else if (value['_bsontype'] === 'MinKey' || value['_bsontype'] === 'MaxKey') {
+ index = serializeMinMax(buffer, key, value, index);
++ } else if (typeof value['_bsontype'] !== 'undefined') {
++ throw new TypeError('Unrecognized or invalid _bsontype: ' + value['_bsontype']);
+ }
+ }
+ }
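Review bot: The new `throw` at each of the three serializer.js sites builds the message by concatenating the untrusted `_bsontype` value, so a Symbol-valued `_bsontype` makes the concatenation itself throw a different TypeError ("Cannot convert a Symbol value to a string") and an object-valued one runs its own `toString` inside the error path; an explicit conversion avoids both: `throw new TypeError('Unrecognized or invalid _bsontype: ' + String(value['_bsontype']));`. The patch also lands without a regression test, and the preceding changelog entry records that the package's bson tests were removed, so nothing in the build exercises the new branch — a one-liner such as `assert.throws(() => BSON.serialize({ a: { _bsontype: 'Foo' } }), TypeError)` as an autopkgtest would pin it. The matching hunks against `bson/browser_build/bson.js` edit a generated bundle by hand, which is acceptable to keep the browser build consistent, but the trailing-newline hunk at 17745 is cosmetic and could be dropped to reduce patch fuzz. The enclosing serializeInto function starts and ends outside these hunks, so whether `value` is guaranteed non-null at the new branch is inferred from the existing `value['_bsontype']` accesses above it.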
diff --git a/debian/patches/series b/debian/patches/series
index a92eae2..a27d49a 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,2 +1,3 @@
remove-privacy-leak.patch
remove-dependency-versions.patch
+fix-json-parsing.diff