[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#990689: marked as done (unblock: node-nodemailer/6.4.17-3)

Your message dated Sun, 4 Jul 2021 23:58:15 +0200
with message-id <YOIu9xTpgwnpao/h@ramacher.at>
and subject line Re: Bug#990689: unblock: node-nodemailer/6.4.17-3
has caused the Debian Bug report #990689,
regarding unblock: node-nodemailer/6.4.17-3
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
990689: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=990689
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message --- 
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: carnil@debian.org,yadd@debian.org

Hi Release team,

Please unblock package node-nodemailer

Yadd fixed #990485, CVE-2021-23400 for node-nodemailer in unstable.
Can you please unblock the package (it would not need to, if I
understand correctly, not beeing a key package and having autopkgtests
passing) still to make sure it lands in testing and so in bullseeye
before the release?

Regards,
Salvatore

diff -Nru node-nodemailer-6.4.17/debian/changelog node-nodemailer-6.4.17/debian/changelog
--- node-nodemailer-6.4.17/debian/changelog	2021-01-21 06:26:01.000000000 +0100
+++ node-nodemailer-6.4.17/debian/changelog	2021-06-30 14:59:47.000000000 +0200
@@ -1,3 +1,11 @@
+node-nodemailer (6.4.17-3) unstable; urgency=medium
+
+  * Fix GitHub tags regex
+  * Fix header injection vulnerability in address object
+    (Closes: #990485, CVE-2021-23400)
+
+ -- Yadd <yadd@debian.org>  Wed, 30 Jun 2021 14:59:47 +0200
+
 node-nodemailer (6.4.17-2) unstable; urgency=medium
 
   * Ignore cookie test (Closes: #980702)
diff -Nru node-nodemailer-6.4.17/debian/control node-nodemailer-6.4.17/debian/control
--- node-nodemailer-6.4.17/debian/control	2021-01-21 06:09:40.000000000 +0100
+++ node-nodemailer-6.4.17/debian/control	2021-04-15 20:35:08.000000000 +0200
@@ -2,7 +2,7 @@
 Section: javascript
 Priority: optional
 Maintainer: Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>
-Uploaders: Xavier Guimard <yadd@debian.org>
+Uploaders: Yadd <yadd@debian.org>
 Testsuite: autopkgtest-pkg-nodejs
 Build-Depends:
  debhelper-compat (= 13)
diff -Nru node-nodemailer-6.4.17/debian/copyright node-nodemailer-6.4.17/debian/copyright
--- node-nodemailer-6.4.17/debian/copyright	2021-01-21 06:09:40.000000000 +0100
+++ node-nodemailer-6.4.17/debian/copyright	2021-04-15 20:35:08.000000000 +0200
@@ -8,7 +8,7 @@
 License: Expat
 
 Files: debian/*
-Copyright: 2019-2020, Xavier Guimard <yadd@debian.org>
+Copyright: 2019-2020, Yadd <yadd@debian.org>
 License: Expat
 
 Files: debian/tests/test_modules/base32.js/*
diff -Nru node-nodemailer-6.4.17/debian/patches/CVE-2021-23400.patch node-nodemailer-6.4.17/debian/patches/CVE-2021-23400.patch
--- node-nodemailer-6.4.17/debian/patches/CVE-2021-23400.patch	1970-01-01 01:00:00.000000000 +0100
+++ node-nodemailer-6.4.17/debian/patches/CVE-2021-23400.patch	2021-06-30 14:58:51.000000000 +0200
@@ -0,0 +1,80 @@
+Description: fix header injection vulnerability in address object
+Author: Andris Reinman <andris@kreata.ee>
+Origin: upstream, https://github.com/nodemailer/nodemailer/commit/7e02648c
+Bug: https://github.com/nodemailer/nodemailer/issues/1289
+Bug-Debian: https://bugs.debian.org/990485
+Forwarded: not-needed
+Reviewed-By: Yadd <yadd@debian.org>
+Last-Update: 2021-06-30
+
+--- a/lib/mime-node/index.js
++++ b/lib/mime-node/index.js
+@@ -1130,9 +1130,9 @@
+                 address.address = this._normalizeAddress(address.address);
+ 
+                 if (!address.name) {
+-                    values.push(address.address);
++                    values.push(address.address.indexOf(' ') >= 0 ? `<${address.address}>` : `${address.address}`);
+                 } else if (address.name) {
+-                    values.push(this._encodeAddressName(address.name) + ' <' + address.address + '>');
++                    values.push(`${this._encodeAddressName(address.name)} <${address.address}>`);
+                 }
+ 
+                 if (address.address) {
+@@ -1141,9 +1141,8 @@
+                     }
+                 }
+             } else if (address.group) {
+-                values.push(
+-                    this._encodeAddressName(address.name) + ':' + (address.group.length ? this._convertAddresses(address.group, uniqueList) : '').trim() + ';'
+-                );
++                let groupListAddresses = (address.group.length ? this._convertAddresses(address.group, uniqueList) : '').trim();
++                values.push(`${this._encodeAddressName(address.name)}:${groupListAddresses};`);
+             }
+         });
+ 
+@@ -1157,13 +1156,17 @@
+      * @return {String} address string
+      */
+     _normalizeAddress(address) {
+-        address = (address || '').toString().trim();
++        address = (address || '')
++            .toString()
++            .replace(/[\x00-\x1F<>]+/g, ' ') // remove unallowed characters
++            .trim();
+ 
+         let lastAt = address.lastIndexOf('@');
+         if (lastAt < 0) {
+             // Bare username
+             return address;
+         }
++
+         let user = address.substr(0, lastAt);
+         let domain = address.substr(lastAt + 1);
+ 
+@@ -1172,7 +1175,24 @@
+         // 'jõgeva.ee' will be converted to 'xn--jgeva-dua.ee'
+         // non-unicode domains are left as is
+ 
+-        return user + '@' + punycode.toASCII(domain.toLowerCase());
++        let encodedDomain;
++
++        try {
++            encodedDomain = punycode.toASCII(domain.toLowerCase());
++        } catch (err) {
++            // keep as is?
++        }
++
++        if (user.indexOf(' ') >= 0) {
++            if (user.charAt(0) !== '"') {
++                user = '"' + user;
++            }
++            if (user.substr(-1) !== '"') {
++                user = user + '"';
++            }
++        }
++
++        return `${user}@${encodedDomain}`;
+     }
+ 
+     /**
diff -Nru node-nodemailer-6.4.17/debian/patches/series node-nodemailer-6.4.17/debian/patches/series
--- node-nodemailer-6.4.17/debian/patches/series	1970-01-01 01:00:00.000000000 +0100
+++ node-nodemailer-6.4.17/debian/patches/series	2021-06-30 14:56:41.000000000 +0200
@@ -0,0 +1 @@
+CVE-2021-23400.patch
diff -Nru node-nodemailer-6.4.17/debian/watch node-nodemailer-6.4.17/debian/watch
--- node-nodemailer-6.4.17/debian/watch	2019-10-12 09:57:06.000000000 +0200
+++ node-nodemailer-6.4.17/debian/watch	2021-04-15 20:35:08.000000000 +0200
@@ -2,4 +2,4 @@
 opts=\
 dversionmangle=auto,\
 filenamemangle=s/.*\/v?([\d\.-]+)\.tar\.gz/node-nodemailer-$1.tar.gz/ \
- https://github.com/nodemailer/nodemailer/releases .*/archive/v?([\d\.]+).tar.gz
+ https://github.com/nodemailer/nodemailer/releases .*/archive/.*/v?([\d\.]+).tar.gz

--- End Message ---
--- Begin Message --- 
On 2021-07-04 22:17:54 +0200, Salvatore Bonaccorso wrote:
> Package: release.debian.org
> Severity: normal
> User: release.debian.org@packages.debian.org
> Usertags: unblock
> X-Debbugs-Cc: carnil@debian.org,yadd@debian.org
> 
> Hi Release team,
> 
> Please unblock package node-nodemailer
> 
> Yadd fixed #990485, CVE-2021-23400 for node-nodemailer in unstable.
> Can you please unblock the package (it would not need to, if I
> understand correctly, not beeing a key package and having autopkgtests
> passing) still to make sure it lands in testing and so in bullseeye
> before the release?

Aged to 5 days.

Cheers

> 
> Regards,
> Salvatore

> diff -Nru node-nodemailer-6.4.17/debian/changelog node-nodemailer-6.4.17/debian/changelog
> --- node-nodemailer-6.4.17/debian/changelog	2021-01-21 06:26:01.000000000 +0100
> +++ node-nodemailer-6.4.17/debian/changelog	2021-06-30 14:59:47.000000000 +0200
> @@ -1,3 +1,11 @@
> +node-nodemailer (6.4.17-3) unstable; urgency=medium
> +
> +  * Fix GitHub tags regex
> +  * Fix header injection vulnerability in address object
> +    (Closes: #990485, CVE-2021-23400)
> +
> + -- Yadd <yadd@debian.org>  Wed, 30 Jun 2021 14:59:47 +0200
> +
>  node-nodemailer (6.4.17-2) unstable; urgency=medium
>  
>    * Ignore cookie test (Closes: #980702)
> diff -Nru node-nodemailer-6.4.17/debian/control node-nodemailer-6.4.17/debian/control
> --- node-nodemailer-6.4.17/debian/control	2021-01-21 06:09:40.000000000 +0100
> +++ node-nodemailer-6.4.17/debian/control	2021-04-15 20:35:08.000000000 +0200
> @@ -2,7 +2,7 @@
>  Section: javascript
>  Priority: optional
>  Maintainer: Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>
> -Uploaders: Xavier Guimard <yadd@debian.org>
> +Uploaders: Yadd <yadd@debian.org>
>  Testsuite: autopkgtest-pkg-nodejs
>  Build-Depends:
>   debhelper-compat (= 13)
> diff -Nru node-nodemailer-6.4.17/debian/copyright node-nodemailer-6.4.17/debian/copyright
> --- node-nodemailer-6.4.17/debian/copyright	2021-01-21 06:09:40.000000000 +0100
> +++ node-nodemailer-6.4.17/debian/copyright	2021-04-15 20:35:08.000000000 +0200
> @@ -8,7 +8,7 @@
>  License: Expat
>  
>  Files: debian/*
> -Copyright: 2019-2020, Xavier Guimard <yadd@debian.org>
> +Copyright: 2019-2020, Yadd <yadd@debian.org>
>  License: Expat
>  
>  Files: debian/tests/test_modules/base32.js/*
> diff -Nru node-nodemailer-6.4.17/debian/patches/CVE-2021-23400.patch node-nodemailer-6.4.17/debian/patches/CVE-2021-23400.patch
> --- node-nodemailer-6.4.17/debian/patches/CVE-2021-23400.patch	1970-01-01 01:00:00.000000000 +0100
> +++ node-nodemailer-6.4.17/debian/patches/CVE-2021-23400.patch	2021-06-30 14:58:51.000000000 +0200
> @@ -0,0 +1,80 @@
> +Description: fix header injection vulnerability in address object
> +Author: Andris Reinman <andris@kreata.ee>
> +Origin: upstream, https://github.com/nodemailer/nodemailer/commit/7e02648c
> +Bug: https://github.com/nodemailer/nodemailer/issues/1289
> +Bug-Debian: https://bugs.debian.org/990485
> +Forwarded: not-needed
> +Reviewed-By: Yadd <yadd@debian.org>
> +Last-Update: 2021-06-30
> +
> +--- a/lib/mime-node/index.js
> ++++ b/lib/mime-node/index.js
> +@@ -1130,9 +1130,9 @@
> +                 address.address = this._normalizeAddress(address.address);
> + 
> +                 if (!address.name) {
> +-                    values.push(address.address);
> ++                    values.push(address.address.indexOf(' ') >= 0 ? `<${address.address}>` : `${address.address}`);
> +                 } else if (address.name) {
> +-                    values.push(this._encodeAddressName(address.name) + ' <' + address.address + '>');
> ++                    values.push(`${this._encodeAddressName(address.name)} <${address.address}>`);
> +                 }
> + 
> +                 if (address.address) {
> +@@ -1141,9 +1141,8 @@
> +                     }
> +                 }
> +             } else if (address.group) {
> +-                values.push(
> +-                    this._encodeAddressName(address.name) + ':' + (address.group.length ? this._convertAddresses(address.group, uniqueList) : '').trim() + ';'
> +-                );
> ++                let groupListAddresses = (address.group.length ? this._convertAddresses(address.group, uniqueList) : '').trim();
> ++                values.push(`${this._encodeAddressName(address.name)}:${groupListAddresses};`);
> +             }
> +         });
> + 
> +@@ -1157,13 +1156,17 @@
> +      * @return {String} address string
> +      */
> +     _normalizeAddress(address) {
> +-        address = (address || '').toString().trim();
> ++        address = (address || '')
> ++            .toString()
> ++            .replace(/[\x00-\x1F<>]+/g, ' ') // remove unallowed characters
> ++            .trim();
> + 
> +         let lastAt = address.lastIndexOf('@');
> +         if (lastAt < 0) {
> +             // Bare username
> +             return address;
> +         }
> ++
> +         let user = address.substr(0, lastAt);
> +         let domain = address.substr(lastAt + 1);
> + 
> +@@ -1172,7 +1175,24 @@
> +         // 'jõgeva.ee' will be converted to 'xn--jgeva-dua.ee'
> +         // non-unicode domains are left as is
> + 
> +-        return user + '@' + punycode.toASCII(domain.toLowerCase());
> ++        let encodedDomain;
> ++
> ++        try {
> ++            encodedDomain = punycode.toASCII(domain.toLowerCase());
> ++        } catch (err) {
> ++            // keep as is?
> ++        }
> ++
> ++        if (user.indexOf(' ') >= 0) {
> ++            if (user.charAt(0) !== '"') {
> ++                user = '"' + user;
> ++            }
> ++            if (user.substr(-1) !== '"') {
> ++                user = user + '"';
> ++            }
> ++        }
> ++
> ++        return `${user}@${encodedDomain}`;
> +     }
> + 
> +     /**
> diff -Nru node-nodemailer-6.4.17/debian/patches/series node-nodemailer-6.4.17/debian/patches/series
> --- node-nodemailer-6.4.17/debian/patches/series	1970-01-01 01:00:00.000000000 +0100
> +++ node-nodemailer-6.4.17/debian/patches/series	2021-06-30 14:56:41.000000000 +0200
> @@ -0,0 +1 @@
> +CVE-2021-23400.patch
> diff -Nru node-nodemailer-6.4.17/debian/watch node-nodemailer-6.4.17/debian/watch
> --- node-nodemailer-6.4.17/debian/watch	2019-10-12 09:57:06.000000000 +0200
> +++ node-nodemailer-6.4.17/debian/watch	2021-04-15 20:35:08.000000000 +0200
> @@ -2,4 +2,4 @@
>  opts=\
>  dversionmangle=auto,\
>  filenamemangle=s/.*\/v?([\d\.-]+)\.tar\.gz/node-nodemailer-$1.tar.gz/ \
> - https://github.com/nodemailer/nodemailer/releases .*/archive/v?([\d\.]+).tar.gz
> + https://github.com/nodemailer/nodemailer/releases .*/archive/.*/v?([\d\.]+).tar.gz


-- 
Sebastian Ramacher

Attachment: signature.asc
Description: PGP signature


--- End Message ---
Reply to: