--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: buster-pu: package node-bl/1.1.2-1+deb10u1
- From: Xavier Guimard <yadd@debian.org>
- Date: Mon, 31 Aug 2020 21:09:58 +0200
- Message-id: <159890099810.183974.9792477676824955070.reportbug@deb007.xnr.fr>
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu
[ Reason ]
node-bl is vunerable to CVE-2020-8244 (#969309): A buffer over-read
vulnerability exists which could allow an attacker to supply user input
(even typed) that if it ends up in consume() argument and can become
negative, the BufferList state can be corrupted, tricking it into exposing
uninitialized memory via regular .slice() calls.
I simply imported upstream change
Origin: https://github.com/rvagg/bl/commit/d3e240e3
Bug: https://hackerone.com/reports/966347
Bug-Debian: https://bugs.debian.org/969309
[ Impact ]
Vulnerability stays.
[ Tests ]
Change is simple and test passed (during build)
[ Risks ]
Low risk: change isn't big and test passed
[ Checklist ]
[X] *all* changes are documented in the d/changelog
[X] I reviewed all changes and I approve them
[X] attach debdiff against the package in (old)stable
[X] the issue is verified as fixed in unstable
[ Changes ]
The patch just check better buffer size
diff --git a/debian/changelog b/debian/changelog
index c041e5a..462fb49 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+node-bl (1.1.2-1+deb10u1) buster; urgency=medium
+
+ * Team upload
+ * Add patch to fix over-read vulnerability (Closes: #969309, CVE-2020-8244)
+
+ -- Xavier Guimard <yadd@debian.org> Mon, 31 Aug 2020 10:35:09 +0200
+
node-bl (1.1.2-1) unstable; urgency=low
* Team upload.
diff --git a/debian/patches/CVE-2020-8244.diff b/debian/patches/CVE-2020-8244.diff
new file mode 100644
index 0000000..5512d60
--- /dev/null
+++ b/debian/patches/CVE-2020-8244.diff
@@ -0,0 +1,53 @@
+Description: fix buffer over-read vulnerability
+ CVE-2020-8244:
+ A buffer over-read vulnerability exists in bl <4.0.3, <3.0.1 and
+ <2.2.1 which could allow an attacker to supply user input (even
+ typed) that if it ends up in consume() argument and can become
+ negative, the BufferList state can be corrupted, tricking it into
+ exposing uninitialized memory via regular .slice() calls.
+Author: Matteo Collina <matteo.collina@gmail.com>
+Origin: upstream, https://github.com/rvagg/bl/commit/d3e240e3
+Bug: https://hackerone.com/reports/966347
+Bug-Debian: https://bugs.debian.org/969309
+Forwarded: not-needed
+Reviewed-By: Xavier Guimard <yadd@debian.org>
+Last-Update: 2020-08-31
+
+--- a/bl.js
++++ b/bl.js
+@@ -159,18 +159,22 @@
+
+ if (bytes > l) {
+ this._bufs[i].copy(dst, bufoff, start)
++ bufoff += l
+ } else {
+ this._bufs[i].copy(dst, bufoff, start, start + bytes)
++ bufoff += l
+ break
+ }
+
+- bufoff += l
+ bytes -= l
+
+ if (start)
+ start = 0
+ }
+
++ // safeguard so that we don't return uninitialized memory
++ if (dst.length > bufoff) return dst.slice(0, bufoff)
++
+ return dst
+ }
+
+@@ -179,6 +183,11 @@
+ }
+
+ BufferList.prototype.consume = function consume (bytes) {
++ // first, normalize the argument, in accordance with how Buffer does it
++ bytes = Math.trunc(bytes)
++ // do nothing if not a positive number
++ if (Number.isNaN(bytes) || bytes <= 0) return this
++
+ while (this._bufs.length) {
+ if (bytes >= this._bufs[0].length) {
+ bytes -= this._bufs[0].length
diff --git a/debian/patches/series b/debian/patches/series
index 6d46f5b..762aa7d 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,2 +1,3 @@
00-readable_stream.patch
01-use_tap.patch
+CVE-2020-8244.diff
--- End Message ---