Bug#990689: unblock: node-nodemailer/6.4.17-3
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: carnil@debian.org,yadd@debian.org
Hi Release team,
Please unblock package node-nodemailer
Yadd fixed #990485, CVE-2021-23400 for node-nodemailer in unstable.
Can you please unblock the package (if I understand correctly, it would
not strictly need an unblock, not being a key package and having
autopkgtests passing) to make sure it lands in testing, and so in bullseye,
before the release?
Regards,
Salvatore
diff -Nru node-nodemailer-6.4.17/debian/changelog node-nodemailer-6.4.17/debian/changelog
--- node-nodemailer-6.4.17/debian/changelog 2021-01-21 06:26:01.000000000 +0100
+++ node-nodemailer-6.4.17/debian/changelog 2021-06-30 14:59:47.000000000 +0200
@@ -1,3 +1,11 @@
+node-nodemailer (6.4.17-3) unstable; urgency=medium
+
+ * Fix GitHub tags regex
+ * Fix header injection vulnerability in address object
+ (Closes: #990485, CVE-2021-23400)
+
+ -- Yadd <yadd@debian.org> Wed, 30 Jun 2021 14:59:47 +0200
+
node-nodemailer (6.4.17-2) unstable; urgency=medium
* Ignore cookie test (Closes: #980702)
diff -Nru node-nodemailer-6.4.17/debian/control node-nodemailer-6.4.17/debian/control
--- node-nodemailer-6.4.17/debian/control 2021-01-21 06:09:40.000000000 +0100
+++ node-nodemailer-6.4.17/debian/control 2021-04-15 20:35:08.000000000 +0200
@@ -2,7 +2,7 @@
Section: javascript
Priority: optional
Maintainer: Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>
-Uploaders: Xavier Guimard <yadd@debian.org>
+Uploaders: Yadd <yadd@debian.org>
Testsuite: autopkgtest-pkg-nodejs
Build-Depends:
debhelper-compat (= 13)
diff -Nru node-nodemailer-6.4.17/debian/copyright node-nodemailer-6.4.17/debian/copyright
--- node-nodemailer-6.4.17/debian/copyright 2021-01-21 06:09:40.000000000 +0100
+++ node-nodemailer-6.4.17/debian/copyright 2021-04-15 20:35:08.000000000 +0200
@@ -8,7 +8,7 @@
License: Expat
Files: debian/*
-Copyright: 2019-2020, Xavier Guimard <yadd@debian.org>
+Copyright: 2019-2020, Yadd <yadd@debian.org>
License: Expat
Files: debian/tests/test_modules/base32.js/*
diff -Nru node-nodemailer-6.4.17/debian/patches/CVE-2021-23400.patch node-nodemailer-6.4.17/debian/patches/CVE-2021-23400.patch
--- node-nodemailer-6.4.17/debian/patches/CVE-2021-23400.patch 1970-01-01 01:00:00.000000000 +0100
+++ node-nodemailer-6.4.17/debian/patches/CVE-2021-23400.patch 2021-06-30 14:58:51.000000000 +0200
@@ -0,0 +1,80 @@
+Description: fix header injection vulnerability in address object
+Author: Andris Reinman <andris@kreata.ee>
+Origin: upstream, https://github.com/nodemailer/nodemailer/commit/7e02648c
+Bug: https://github.com/nodemailer/nodemailer/issues/1289
+Bug-Debian: https://bugs.debian.org/990485
+Forwarded: not-needed
+Reviewed-By: Yadd <yadd@debian.org>
+Last-Update: 2021-06-30
+
+--- a/lib/mime-node/index.js
++++ b/lib/mime-node/index.js
+@@ -1130,9 +1130,9 @@
+ address.address = this._normalizeAddress(address.address);
+
+ if (!address.name) {
+- values.push(address.address);
++ values.push(address.address.indexOf(' ') >= 0 ? `<${address.address}>` : `${address.address}`);
+ } else if (address.name) {
+- values.push(this._encodeAddressName(address.name) + ' <' + address.address + '>');
++ values.push(`${this._encodeAddressName(address.name)} <${address.address}>`);
+ }
+
+ if (address.address) {
+@@ -1141,9 +1141,8 @@
+ }
+ }
+ } else if (address.group) {
+- values.push(
+- this._encodeAddressName(address.name) + ':' + (address.group.length ? this._convertAddresses(address.group, uniqueList) : '').trim() + ';'
+- );
++ let groupListAddresses = (address.group.length ? this._convertAddresses(address.group, uniqueList) : '').trim();
++ values.push(`${this._encodeAddressName(address.name)}:${groupListAddresses};`);
+ }
+ });
+
+@@ -1157,13 +1156,17 @@
+ * @return {String} address string
+ */
+ _normalizeAddress(address) {
+- address = (address || '').toString().trim();
++ address = (address || '')
++ .toString()
++ .replace(/[\x00-\x1F<>]+/g, ' ') // remove unallowed characters
++ .trim();
+
+ let lastAt = address.lastIndexOf('@');
+ if (lastAt < 0) {
+ // Bare username
+ return address;
+ }
++
+ let user = address.substr(0, lastAt);
+ let domain = address.substr(lastAt + 1);
+
+@@ -1172,7 +1175,24 @@
+ // 'jõgeva.ee' will be converted to 'xn--jgeva-dua.ee'
+ // non-unicode domains are left as is
+
+- return user + '@' + punycode.toASCII(domain.toLowerCase());
++ let encodedDomain;
++
++ try {
++ encodedDomain = punycode.toASCII(domain.toLowerCase());
++ } catch (err) {
++ // keep as is?
++ }
++
++ if (user.indexOf(' ') >= 0) {
++ if (user.charAt(0) !== '"') {
++ user = '"' + user;
++ }
++ if (user.substr(-1) !== '"') {
++ user = user + '"';
++ }
++ }
++
++ return `${user}@${encodedDomain}`;
+ }
+
+ /**
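Review bot: In `_normalizeAddress` the new `catch` around `punycode.toASCII(domain.toLowerCase())` leaves `encodedDomain` undefined, so an address whose domain fails IDNA conversion is returned as `user@undefined` instead of being kept as-is or rejected. The comment `// keep as is?` suggests the fallback was never decided; it should be made explicit, e.g. `encodedDomain = domain.toLowerCase();` inside the catch (ideally with the error surfaced rather than silently dropped), or the address should be rejected so that a domain that cannot be encoded never reaches the header. Note also that the local-part quoting only wraps `user` in double quotes when it contains a space and does not escape any `"` or `\` already inside it, so a quoted-string local part is presumably assumed to be well-formed by the caller; worth confirming. The first inner hunk touches `_convertAddresses`, whose body begins and ends outside the shown context.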
diff -Nru node-nodemailer-6.4.17/debian/patches/series node-nodemailer-6.4.17/debian/patches/series
--- node-nodemailer-6.4.17/debian/patches/series 1970-01-01 01:00:00.000000000 +0100
+++ node-nodemailer-6.4.17/debian/patches/series 2021-06-30 14:56:41.000000000 +0200
@@ -0,0 +1 @@
+CVE-2021-23400.patch
diff -Nru node-nodemailer-6.4.17/debian/watch node-nodemailer-6.4.17/debian/watch
--- node-nodemailer-6.4.17/debian/watch 2019-10-12 09:57:06.000000000 +0200
+++ node-nodemailer-6.4.17/debian/watch 2021-04-15 20:35:08.000000000 +0200
@@ -2,4 +2,4 @@
opts=\
dversionmangle=auto,\
filenamemangle=s/.*\/v?([\d\.-]+)\.tar\.gz/node-nodemailer-$1.tar.gz/ \
- https://github.com/nodemailer/nodemailer/releases .*/archive/v?([\d\.]+).tar.gz
+ https://github.com/nodemailer/nodemailer/releases .*/archive/.*/v?([\d\.]+).tar.gz