
Bug#1004033: bullseye-pu: package node-fetch/2.6.1-5+deb11u1



Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian.org@packages.debian.org
Usertags: pu

[ Reason ]
node-fetch is vulnerable to a privacy breach (CVE-2022-0235)

[ Impact ]
Medium vulnerability

[ Tests ]
Test passed

[ Risks ]
Low risk, patch just cleans headers

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

[ Changes ]
Clean headers before request

Cheers,
Yadd

diff --git a/debian/changelog b/debian/changelog
index 7f3da38..31eb312 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+node-fetch (2.6.1-5+deb11u1) bullseye; urgency=medium
+
+  * Team upload
+  * Don't forward secure headers to 3th party (Closes: CVE-2022-0235)
+
+ -- Yadd <yadd@debian.org>  Wed, 19 Jan 2022 16:46:28 +0100
+
 node-fetch (2.6.1-5) unstable; urgency=medium
 
   * Team upload
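Review bot: the new changelog line has a typo, "3th party" should read "3rd party" (or "third party"). In the same line, `Closes:` is the keyword dpkg and the BTS parse for Debian bug numbers (`Closes: #nnnnnn`), so `(Closes: CVE-2022-0235)` closes nothing; the usual form is `(CVE-2022-0235)`, with the bug number, if one exists, in its own `Closes:`.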
diff --git a/debian/patches/CVE-2022-0235.patch b/debian/patches/CVE-2022-0235.patch
new file mode 100644
index 0000000..d97cd7a
--- /dev/null
+++ b/debian/patches/CVE-2022-0235.patch
@@ -0,0 +1,22 @@
+Description: don't forward secure headers to 3th party
+Author: Jimmy Wärting <jimmy@warting.se>
+Origin: upstream, https://github.com/node-fetch/node-fetch/commit/f5d3cf5e
+Bug: https://huntr.dev/bounties/d26ab655-38d6-48b3-be15-f9ad6b6ae6f7/
+Forwarded: not-needed
+Reviewed-By: Yadd <yadd@debian.org>
+Last-Update: 2022-01-19
+
+--- a/src/index.js
++++ b/src/index.js
+@@ -170,6 +170,11 @@
+ 							requestOpts.body = undefined;
+ 							requestOpts.headers.delete('content-length');
+ 						}
++                        if (!isDomainOrSubdomain(request.url, locationURL)) {
++							for (const name of ['authorization', 'www-authenticate', 'cookie', 'cookie2']) {
++								requestOptions.headers.delete(name);
++							}
++						}
+ 
+ 						// HTTP-redirect fetch step 15
+ 						resolve(fetch(new Request(locationURL, requestOpts)));
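Review bot: the added loop body `requestOptions.headers.delete(name);` references `requestOptions`, while every surrounding line of the hunk (`requestOpts.body = undefined;`, `requestOpts.headers.delete('content-length');`, `resolve(fetch(new Request(locationURL, requestOpts)));`) uses `requestOpts`; unless `requestOptions` is defined elsewhere in this file, the first cross-domain redirect will throw a ReferenceError instead of stripping the headers, so the line should read `requestOpts.headers.delete(name);`. The added `if (!isDomainOrSubdomain(request.url, locationURL))` also calls a helper that none of the 22 added lines define or import, so it needs to be carried over from the upstream commit named in the `Origin:` field as well. Minor: that `if` line is indented with spaces where the surrounding file uses tabs.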
diff --git a/debian/patches/series b/debian/patches/series
index 882f8ed..20c4319 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,3 +1,4 @@
 babelrc.patch
 fix-default-export.diff
 drop-legacy-rollup-babel-plugin.patch
+CVE-2022-0235.patch
