- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: bullseye-pu: package node-raw-body/2.4.1-2+deb11u1
- From: Yadd <yadd@debian.org>
- Date: Fri, 20 May 2022 09:47:15 +0200
- Message-id: <165303283535.3524594.6844400110775726116.reportbug@debian007.xnr.fr>
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-Cc: Michael.Lescisin@uhn.ca, security@debian.org
[ Reason ]
node-raw-body embeds a patch that introduces a Denial-of-Service
vulnerability into node-express.
[ Impact ]
Security issue: a single request can crash any express application.
[ Tests ]
I added a test that proves that the bug is fixed: it fails with
node-raw-body 2.4.1-2 and succeeds with 2.4.1-2+deb11u1.
[ Risks ]
No risk: the Debian package now matches what upstream wrote exactly.
[ Checklist ]
[X] *all* changes are documented in the d/changelog
[X] I reviewed all changes and I approve them
[X] attach debdiff against the package in (old)stable
[X] the issue is verified as fixed in unstable
[ Changes ]
Drop the patch that replaced node-iconv-lite with node-iconv.
[ Other info ]
Thanks to Michael Lescisin for the report and the fix.
diff --git a/debian/changelog b/debian/changelog
index 1aee9e3..1934161 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+node-raw-body (2.4.1-2+deb11u1) bullseye; urgency=medium
+
+ * Team upload
+ * Drop use-iconv-not-lite.patch, fixes node-express potential DoS
+
+ -- Yadd <yadd@debian.org> Fri, 20 May 2022 09:40:23 +0200
+
node-raw-body (2.4.1-2) unstable; urgency=medium
* Team upload
diff --git a/debian/control b/debian/control
index 1f6af0c..ee4fab3 100644
--- a/debian/control
+++ b/debian/control
@@ -9,7 +9,7 @@ Build-Depends:
, mocha (>= 4) <!nocheck>
, node-bytes (>= 3.0.0) <!nocheck>
, node-http-errors <!nocheck>
- , node-iconv <!nocheck>
+ , node-iconv-lite <!nocheck>
, node-unpipe <!nocheck>
, node-readable-stream <!nocheck>
, node-safe-buffer <!nocheck>
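Review bot: The new `node-iconv-lite` entry in Build-Depends carries no version constraint, while upstream's package.json (visible as context in the dropped patch) pins `"iconv-lite": "0.4.24"`. If the streaming decoder API that index.js relies on (`getDecoder`, `write`, `end`) needs at least that release, a minimum such as `, node-iconv-lite (>= 0.4.24) <!nocheck>` would record the requirement the package actually has. The same applies to the Depends hunk that follows, which is the one that matters at runtime.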
@@ -27,7 +27,7 @@ Depends:
, nodejs
, node-bytes (>= 3.0.0)
, node-http-errors
- , node-iconv
+ , node-iconv-lite
, node-unpipe
Provides: nodetypes-raw-body (= ${source:Version})
Description: Request body length validation supporting streams - Node.js
diff --git a/debian/patches/series b/debian/patches/series
deleted file mode 100644
index fd1b019..0000000
--- a/debian/patches/series
+++ /dev/null
@@ -1 +0,0 @@
-use-iconv-not-lite.patch
diff --git a/debian/patches/use-iconv-not-lite.patch b/debian/patches/use-iconv-not-lite.patch
deleted file mode 100644
index 121fe49..0000000
--- a/debian/patches/use-iconv-not-lite.patch
+++ /dev/null
@@ -1,64 +0,0 @@
-Description: use iconv, not iconv-lite
-Forwarded: not-needed, unless raw-body could be made compatible with both iconv and iconv-lite
-Author: Jérémy Lal <kapouer@melix.org>
-Reviewed-By: Xavier Guimard <yadd@debian.org>
-Last-Update: 2020-01-29
-
---- a/index.js
-+++ b/index.js
-@@ -14,7 +14,7 @@
-
- var bytes = require('bytes')
- var createError = require('http-errors')
--var iconv = require('iconv-lite')
-+var iconv = require('iconv').Iconv
- var unpipe = require('unpipe')
-
- /**
-@@ -29,7 +29,7 @@
- * @private
- */
-
--var ICONV_ENCODING_MESSAGE_REGEXP = /^Encoding not recognized: /
-+var ICONV_ENCODING_MESSAGE_REGEXP = /^(?:Encoding not recognized: |Conversion from \S+ to utf\-8 is not supported)/i
-
- /**
- * Get the decoder for a given encoding.
-@@ -42,7 +42,7 @@
- if (!encoding) return null
-
- try {
-- return iconv.getDecoder(encoding)
-+ return new iconv(encoding,'utf-8')
- } catch (e) {
- // error getting decoder
- if (!ICONV_ENCODING_MESSAGE_REGEXP.test(e.message)) throw e
-@@ -249,7 +249,7 @@
- type: 'entity.too.large'
- }))
- } else if (decoder) {
-- buffer += decoder.write(chunk)
-+ buffer += decoder.convert(chunk)
- } else {
- buffer.push(chunk)
- }
-@@ -268,7 +268,7 @@
- }))
- } else {
- var string = decoder
-- ? buffer + (decoder.end() || '')
-+ ? buffer
- : Buffer.concat(buffer)
- done(null, string)
- }
---- a/package.json
-+++ b/package.json
-@@ -12,7 +12,7 @@
- "dependencies": {
- "bytes": "3.1.0",
- "http-errors": "1.7.3",
-- "iconv-lite": "0.4.24",
-+ "iconv": ">= 2",
- "unpipe": "1.0.0"
- },
- "devDependencies": {
diff --git a/debian/tests/control b/debian/tests/control
new file mode 100644
index 0000000..6c6f7c2
--- /dev/null
+++ b/debian/tests/control
@@ -0,0 +1,3 @@
+Tests: express-dos
+Depends: @, node-express, curl
+Restrictions: allow-stderr
diff --git a/debian/tests/express-dos b/debian/tests/express-dos
new file mode 100755
index 0000000..e27e51f
--- /dev/null
+++ b/debian/tests/express-dos
@@ -0,0 +1,19 @@
+#!/bin/sh
+
+set -e
+
+node debian/tests/express-dos.js &
+PID=$!
+sleep 1
+HEADERS=`mktemp`
+
+curl --data-raw `perl -le 'print "[".chr(128)."]"'` -D $HEADERS -H 'Content-Type: application/json' http://localhost:56056/test
+curl -d name=val http://localhost:56056/test
+
+grep 400 $HEADERS
+
+CODE=0
+wait $PID || CODE=$?
+
+echo "express app exited with code $CODE"
+exit $CODE
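Review bot: The assertion `grep 400 $HEADERS` matches those digits anywhere in the saved headers (a Content-Length or Date value would satisfy it), so it does not actually prove that the malformed body was rejected; anchoring it to the status line, `grep -q '^HTTP/[0-9.]* 400' "$HEADERS"`, checks what the test is meant to check. The unquoted command substitution feeding `--data-raw` expands to `[`, a byte and `]`, which the shell may treat as a glob pattern; quoting it as `"$(perl -le 'print "[".chr(128)."]"')"` avoids that, and `$HEADERS` and `$PID` deserve the same quoting. The mktemp file is never removed and the background node process is left running when an earlier command fails under `set -e`; a `trap 'rm -f "$HEADERS"; kill $PID 2>/dev/null' EXIT` placed after the mktemp line would cover both. The fixed `sleep 1` before the first curl is a race against the server's startup and may make the test flaky on a slow builder.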
diff --git a/debian/tests/express-dos.js b/debian/tests/express-dos.js
new file mode 100644
index 0000000..b6a3f19
--- /dev/null
+++ b/debian/tests/express-dos.js
@@ -0,0 +1,13 @@
+const express = require('express');
+const app = express();
+var server;
+
+app.use(express.json());
+
+app.post('/test', (req, res) => {
+ console.log(req.body);
+ res.send("OK\n");
+ server.close();
+});
+
+server = app.listen(56056);
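Review bot: `app.listen(56056)` on the last line binds every interface, although the driver script only ever connects to localhost; `server = app.listen(56056, '127.0.0.1');` keeps the throw-away test server off the host's other addresses for the moment it runs. `var server;` sits beside `const` declarations in the same file; `let server;` would match the rest. If I read the driver correctly, the malformed-JSON request is rejected by `express.json()` before this handler runs and only the second, form-encoded request reaches it and calls `server.close()`, which is what lets `wait $PID` in the driver return; a comment such as `// reached only by the well-formed request; closing the server is what ends the test` above the `console.log` line would make that dependency explicit.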