Bug#1010439: bullseye-pu: package node-sqlite3/5.0.0+ds1-1+deb11u1

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Bug#1010439: bullseye-pu: package node-sqlite3/5.0.0+ds1-1+deb11u1
From: Yadd <yadd@debian.org>
Date: Sun, 01 May 2022 17:34:16 +0200
Message-id: <[🔎] 165141925672.1645158.15057012384932718649.reportbug@debian007.xnr.fr>
Reply-to: Yadd <yadd@debian.org>, 1010439@bugs.debian.org

Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian.org@packages.debian.org
Usertags: pu

[ Reason ]
node-sqlite3 is vulnerable to denian of service (CVE-2022-21227)

[ Impact ]
Medium security issue

[ Tests ]
New test added, passed

[ Risks ]
Low risk, patch is trivial

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

[ Changes ]
Check bad arguments

Cheers,
Yadd

diff --git a/debian/changelog b/debian/changelog
index 32c6f70..88403c9 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+node-sqlite3 (5.0.0+ds1-1+deb11u1) bullseye; urgency=medium
+
+  * Team upload
+  * Fix denial-of-service (Closes: CVE-2022-21227)
+
+ -- Yadd <yadd@debian.org>  Sun, 01 May 2022 17:33:33 +0200
+
 node-sqlite3 (5.0.0+ds1-1) unstable; urgency=medium
 
   * Team upload
diff --git a/debian/patches/CVE-2022-21227.patch b/debian/patches/CVE-2022-21227.patch
new file mode 100644
index 0000000..e95c94d
--- /dev/null
+++ b/debian/patches/CVE-2022-21227.patch
@@ -0,0 +1,41 @@
+Description: fix segfault of invalid toString() object
+Author: Kewde <kewde@particl.io>
+Origin: upstream, https://github.com/TryGhost/node-sqlite3/commit/593c9d49
+Bug: https://github.com/advisories/GHSA-9qrh-qjmc-5w2p
+Forwarded: not-needed
+Reviewed-By: Yadd <yadd@debian.org>
+Last-Update: 2022-05-01
+
+--- a/src/statement.cc
++++ b/src/statement.cc
+@@ -210,7 +210,13 @@
+         return new Values::Float(pos, source.ToNumber().DoubleValue());
+     }
+     else if (source.IsObject()) {
+-        std::string val = source.ToString().Utf8Value();
++        Napi::String napiVal = source.ToString();
++        // Check whether toString returned a value that is not undefined.
++        if(napiVal.Type() == 0) {
++            return NULL;
++        }
++
++        std::string val = napiVal.Utf8Value();
+         return new Values::Text(pos, val.length(), val.c_str());
+     }
+     else {
+--- a/test/other_objects.test.js
++++ b/test/other_objects.test.js
+@@ -86,4 +86,13 @@
+             });
+         });
+     });
++
++    it('should ignore faulty toString', function(done) {
++        const faulty = { toString: 23 };
++        db.run("INSERT INTO txt_table VALUES(?)", faulty, function (err) {
++            assert.notEqual(err, undefined);
++            done();
++        });
++    });
++
+ });
diff --git a/debian/patches/series b/debian/patches/series
index 327413f..8d03fa0 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1 +1,2 @@
 disable-hard-test.patch
+CVE-2022-21227.patch

Reply to:

Follow-Ups:
- Bug#1010439: bullseye-pu: package node-sqlite3/5.0.0+ds1-1+deb11u1
  - From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
- Processed: Re: Bug#1010439: bullseye-pu: package node-sqlite3/5.0.0+ds1-1+deb11u1
  - From: "Debian Bug Tracking System" <owner@bugs.debian.org>
- Bug#1010439: node-sqlite3 5.0.0+ds1-1+deb11u1 flagged for acceptance
  - From: Adam D Barratt <adam@adam-barratt.org.uk>

Prev by Date: Bug#1010438: transition: nodejs
Next by Date: NEW changes in stable-new
Previous by thread: Bug#1010438: marked as done (transition: nodejs)
Next by thread: Bug#1010439: bullseye-pu: package node-sqlite3/5.0.0+ds1-1+deb11u1
Index(es):
- Date
- Thread