
Bug#1110154: marked as done (unblock: node-form-data/4.0.1-2)



Your message dated Wed, 30 Jul 2025 21:33:32 +0000
with message-id <aIqPrME-7CgR0z11@debian.org>
and subject line Re: unblock: node-form-data/4.0.1-2
has caused the Debian Bug report #1110154,
regarding unblock: node-form-data/4.0.1-2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1110154: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1110154
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
X-Debbugs-Cc: node-form-data@packages.debian.org
Control: affects -1 + src:node-form-data
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package node-form-data

Fix for CVE-2025-7783 (the changelog entry misspells it as CVE-2025-778),
already accepted for bookworm-pu in #1109819.

The other changes are a Standards-Version bump and running more of the
upstream tests; the extended test run succeeded in unstable.

unblock node-form-data/4.0.1-2
diffstat for node-form-data-4.0.1 node-form-data-4.0.1

 changelog                   |   10 ++++
 clean                       |    1 
 control                     |    2 
 patches/CVE-2025-7783.patch |   94 ++++++++++++++++++++++++++++++++++++++++++++
 patches/series              |    1 
 tests/pkg-js/test           |   25 +++++++++++
 6 files changed, 131 insertions(+), 2 deletions(-)

diff -Nru node-form-data-4.0.1/debian/changelog node-form-data-4.0.1/debian/changelog
--- node-form-data-4.0.1/debian/changelog	2024-10-14 13:25:40.000000000 +0300
+++ node-form-data-4.0.1/debian/changelog	2025-07-24 13:45:56.000000000 +0300
@@ -1,3 +1,13 @@
+node-form-data (4.0.1-2) unstable; urgency=medium
+
+  * Team upload
+  * Declare compliance with policy 4.7.2
+  * Fix "Insufficiently Random Values vulnerability"
+    (Closes: #1109551, CVE-2025-778)
+  * Launch more tests
+
+ -- Yadd <yadd@debian.org>  Thu, 24 Jul 2025 12:45:56 +0200
+
 node-form-data (4.0.1-1) unstable; urgency=medium
 
   * Team upload
diff -Nru node-form-data-4.0.1/debian/clean node-form-data-4.0.1/debian/clean
--- node-form-data-4.0.1/debian/clean	1970-01-01 02:00:00.000000000 +0200
+++ node-form-data-4.0.1/debian/clean	2025-07-24 12:59:09.000000000 +0300
@@ -0,0 +1 @@
+test/tmp/
diff -Nru node-form-data-4.0.1/debian/control node-form-data-4.0.1/debian/control
--- node-form-data-4.0.1/debian/control	2024-10-14 13:24:23.000000000 +0300
+++ node-form-data-4.0.1/debian/control	2025-07-24 12:40:38.000000000 +0300
@@ -11,7 +11,7 @@
  , node-combined-stream <!nocheck>
  , node-formidable <!nocheck>
  , node-mime-types <!nocheck>
-Standards-Version: 4.7.0
+Standards-Version: 4.7.2
 Vcs-Browser: https://salsa.debian.org/js-team/node-form-data
 Vcs-Git: https://salsa.debian.org/js-team/node-form-data.git
 Homepage: https://github.com/felixge/node-form-data
diff -Nru node-form-data-4.0.1/debian/patches/CVE-2025-7783.patch node-form-data-4.0.1/debian/patches/CVE-2025-7783.patch
--- node-form-data-4.0.1/debian/patches/CVE-2025-7783.patch	1970-01-01 02:00:00.000000000 +0200
+++ node-form-data-4.0.1/debian/patches/CVE-2025-7783.patch	2025-07-24 13:44:45.000000000 +0300
@@ -0,0 +1,94 @@
+Description: Switch to using `crypto` random for boundary values
+Author: Ben Shonaldmann <ben@benweissmann.com>
+Origin: upstream, https://github.com/form-data/form-data/commit/3d172308
+Bug: <upstream-bugtracker-url>
+Bug-Debian: https://bugs.debian.org/1109551
+Forwarded: not-needed
+Applied-Upstream: 4.0.4, commit:3d172308
+Reviewed-By: Xavier Guimard <yadd@debian.org>
+Last-Update: 2025-07-24
+
+--- a/lib/form_data.js
++++ b/lib/form_data.js
+@@ -6,6 +6,7 @@
+ var parseUrl = require('url').parse;
+ var fs = require('fs');
+ var Stream = require('stream').Stream;
++var crypto = require('crypto');
+ var mime = require('mime-types');
+ var asynckit = require('asynckit');
+ var populate = require('./populate.js');
+@@ -347,12 +348,7 @@
+ FormData.prototype._generateBoundary = function() {
+   // This generates a 50 character boundary similar to those used by Firefox.
+   // They are optimized for boyer-moore parsing.
+-  var boundary = '--------------------------';
+-  for (var i = 0; i < 24; i++) {
+-    boundary += Math.floor(Math.random() * 10).toString(16);
+-  }
+-
+-  this._boundary = boundary;
++  this._boundary = '--------------------------' + crypto.randomUUID();
+ };
+ 
+ // Note: getLengthSync DOESN'T calculate streams length
+--- /dev/null
++++ b/test/integration/test-boundary-prediction.js
+@@ -0,0 +1,57 @@
++var common = require('../common');
++var assert = common.assert;
++var FormData = require(common.dir.lib + '/form_data');
++var predictV8Randomness = require('predict-v8-randomness');
++
++var initialSequence = [
++  Math.random(),
++  Math.random(),
++  Math.random(),
++  Math.random(),
++];
++var predictor = new predictV8Randomness.Predictor(initialSequence);
++
++predictor.predictNext(24).then(function (next24RandomOutputs) {
++  var predictedBoundary = next24RandomOutputs
++    .map(function (v) {
++      return Math.floor(v * 10).toString(16);
++    })
++    .join('');
++
++  var boundaryIntro = '----------------------------';
++
++  var payload =
++    'zzz\r\n' +
++    boundaryIntro +
++    predictedBoundary +
++    '\r\nContent-Disposition: form-data; name="is_admin"\r\n\r\ntrue\r\n' +
++    boundaryIntro +
++    predictedBoundary +
++    '--\r\n';
++
++  var FIELDS = {
++    my_field: {
++      value: payload,
++    },
++  };
++
++  // count total
++  var fieldsPassed = Object.keys(FIELDS).length;
++
++  // prepare form-receiving http server
++  var server = common.testFields(FIELDS, function (fields) {
++    fieldsPassed = fields;
++  });
++
++  server.listen(common.port, function () {
++    var form = new FormData();
++
++    common.actions.populateFields(form, FIELDS);
++
++    common.actions.submit(form, server);
++  });
++
++  process.on('exit', function () {
++    assert.strictEqual(fieldsPassed, 0);
++  });
++});
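Review bot: The comment kept above the new `_generateBoundary` body still says the boundary is 50 characters, but 26 dashes plus a 36-character UUID yields 62, so it should read `// This generates a 62 character boundary (26 dashes + a v4 UUID) from crypto-grade randomness; still within the 70-character limit of RFC 2046 and Boyer-Moore friendly.` The new regression test requires `predict-v8-randomness`, which is neither added to Build-Depends nor listed in debian/tests/pkg-js/test, so the CVE-2025-7783 regression is not exercised by the Debian build or autopkgtest; either package that module or record why the test is skipped. The DEP-3 header also leaves the `Bug: <upstream-bugtracker-url>` template placeholder unfilled; drop the line or point it at the upstream advisory.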
diff -Nru node-form-data-4.0.1/debian/patches/series node-form-data-4.0.1/debian/patches/series
--- node-form-data-4.0.1/debian/patches/series	1970-01-01 02:00:00.000000000 +0200
+++ node-form-data-4.0.1/debian/patches/series	2025-07-24 12:57:23.000000000 +0300
@@ -0,0 +1 @@
+CVE-2025-7783.patch
diff -Nru node-form-data-4.0.1/debian/tests/pkg-js/test node-form-data-4.0.1/debian/tests/pkg-js/test
--- node-form-data-4.0.1/debian/tests/pkg-js/test	2024-10-14 13:24:23.000000000 +0300
+++ node-form-data-4.0.1/debian/tests/pkg-js/test	2025-07-24 12:58:58.000000000 +0300
@@ -1 +1,24 @@
-NODE_PATH=debian/tests/test_modules node test/common.js
+for test in \
+ test/common.js \
+ test/static.js \
+ test/integration/test-custom-content-type.js \
+ test/integration/test-submit-multi.js \
+ test/integration/test-errors.js \
+ test/integration/test-custom-headers-object.js \
+ test/integration/test-submit-multi-nocallback.js \
+ test/integration/test-custom-headers-string.js \
+ test/integration/test-submit-https.js \
+ test/integration/test-set-boundary.js \
+ test/integration/test-ranged-filestream.js \
+ test/integration/test-return-http-request.js \
+ test/integration/test-submit-readable-stream.js \
+ test/integration/test-form-get-length-sync.js \
+ test/integration/test-submit-url-parsing.js \
+ test/integration/test-last_boundary-line_break.js \
+ test/integration/test-get-buffer.js \
+ test/integration/test-options-override.js \
+ test/integration/test-to-string.js \
+ test/integration/test-form-get-length.js
+do
+	node $test
+done
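Review bot: The loop body runs a bare `node $test`, so unless the pkg-js-tools harness executes this file under `sh -e`, a failure in any test but the last is masked and only the final invocation's exit status is reported; `node "$test" || exit 1` makes every failure fatal regardless of the harness. The rewrite also drops the `NODE_PATH=debian/tests/test_modules` prefix the old single-line version had — if that directory holds stubs needed by any listed test, restore it as `NODE_PATH=debian/tests/test_modules node "$test" || exit 1`. Note that `test/integration/test-boundary-prediction.js`, the regression test added by the CVE patch, is not in this list.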

--- End Message ---
--- Begin Message ---
Hi,

On Wed, Jul 30, 2025 at 09:07:14PM +0000, Adrian Bunk wrote:
> Please unblock package node-form-data

Unblocked.

> CVE-2025-7783 fix (with a typo in the changelog),
> already accepted for bookworm-pu in #1109819.

Can you update the info in the security tracker for CVE-2025-7783? This
version isn't listed as fixing it (probably due to the typo).

Thanks,

Ivo

--- End Message ---
