
Bug#1109819: marked as done (bookworm-pu: package node-form-data/4.0.1-1+deb12u1)



Your message dated Sat, 06 Sep 2025 12:14:50 +0100
with message-id <ee4c0876608d99eb3f8b333b556fbd92e7a652eb.camel@adam-barratt.org.uk>
and subject line Closing p-u requests for fixes included in 12.12
has caused the Debian Bug report #1109819,
regarding bookworm-pu: package node-form-data/4.0.1-1+deb12u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1109819: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1109819
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: node-form-data@packages.debian.org, yadd@debian.org
Control: affects -1 + src:node-form-data
User: release.debian.org@packages.debian.org
Usertags: pu

[ Reason ]
node-form-data is affected by an "insufficiently random values"
vulnerability (#1109551, CVE-2025-7783)

[ Impact ]
Low-severity security issue

[ Tests ]
Tests are updated inside the patch

[ Risks ]
No risk; the patch is trivial

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

[ Changes ]
 - Replace the use of "Math.random" by builtin "crypto" module
 - Launch more tests during build/autopkgtest

Cheers,
Xavier
diff --git a/debian/changelog b/debian/changelog
index 6f6f3d7..bf5e7c8 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,12 @@
+node-form-data (4.0.1-1+deb12u1) bookworm; urgency=medium
+
+  * Team upload
+  * Fix "Insufficiently Random Values vulnerability"
+    (Closes: #1109551, CVE-2025-778)
+  * Launch more tests
+
+ -- Yadd <yadd@debian.org>  Thu, 24 Jul 2025 12:50:50 +0200
+
 node-form-data (4.0.1-1) unstable; urgency=medium
 
   * Team upload
diff --git a/debian/clean b/debian/clean
new file mode 100644
index 0000000..e72f68d
--- /dev/null
+++ b/debian/clean
@@ -0,0 +1 @@
+test/tmp/
diff --git a/debian/patches/CVE-2025-7783.patch b/debian/patches/CVE-2025-7783.patch
new file mode 100644
index 0000000..a8dc92b
--- /dev/null
+++ b/debian/patches/CVE-2025-7783.patch
@@ -0,0 +1,94 @@
+Description: Switch to using `crypto` random for boundary values
+Author: Ben Shonaldmann <ben@benweissmann.com>
+Origin: upstream, https://github.com/form-data/form-data/commit/3d172308
+Bug: <upstream-bugtracker-url>
+Bug-Debian: https://bugs.debian.org/1109551
+Forwarded: not-needed
+Applied-Upstream: 4.0.4, commit:3d172308
+Reviewed-By: Xavier Guimard <yadd@debian.org>
+Last-Update: 2025-07-24
+
+--- a/lib/form_data.js
++++ b/lib/form_data.js
+@@ -6,6 +6,7 @@
+ var parseUrl = require('url').parse;
+ var fs = require('fs');
+ var Stream = require('stream').Stream;
++var crypto = require('crypto');
+ var mime = require('mime-types');
+ var asynckit = require('asynckit');
+ var populate = require('./populate.js');
+@@ -347,12 +348,7 @@
+ FormData.prototype._generateBoundary = function() {
+   // This generates a 50 character boundary similar to those used by Firefox.
+   // They are optimized for boyer-moore parsing.
+-  var boundary = '--------------------------';
+-  for (var i = 0; i < 24; i++) {
+-    boundary += Math.floor(Math.random() * 10).toString(16);
+-  }
+-
+-  this._boundary = boundary;
++  this._boundary = '--------------------------' + crypto.randomUUID();
+ };
+ 
+ // Note: getLengthSync DOESN'T calculate streams length
+--- /dev/null
++++ b/test/integration/test-boundary-prediction.js
+@@ -0,0 +1,57 @@
++var common = require('../common');
++var assert = common.assert;
++var FormData = require(common.dir.lib + '/form_data');
++var predictV8Randomness = require('predict-v8-randomness');
++
++var initialSequence = [
++  Math.random(),
++  Math.random(),
++  Math.random(),
++  Math.random(),
++];
++var predictor = new predictV8Randomness.Predictor(initialSequence);
++
++predictor.predictNext(24).then(function (next24RandomOutputs) {
++  var predictedBoundary = next24RandomOutputs
++    .map(function (v) {
++      return Math.floor(v * 10).toString(16);
++    })
++    .join('');
++
++  var boundaryIntro = '----------------------------';
++
++  var payload =
++    'zzz\r\n' +
++    boundaryIntro +
++    predictedBoundary +
++    '\r\nContent-Disposition: form-data; name="is_admin"\r\n\r\ntrue\r\n' +
++    boundaryIntro +
++    predictedBoundary +
++    '--\r\n';
++
++  var FIELDS = {
++    my_field: {
++      value: payload,
++    },
++  };
++
++  // count total
++  var fieldsPassed = Object.keys(FIELDS).length;
++
++  // prepare form-receiving http server
++  var server = common.testFields(FIELDS, function (fields) {
++    fieldsPassed = fields;
++  });
++
++  server.listen(common.port, function () {
++    var form = new FormData();
++
++    common.actions.populateFields(form, FIELDS);
++
++    common.actions.submit(form, server);
++  });
++
++  process.on('exit', function () {
++    assert.strictEqual(fieldsPassed, 0);
++  });
++});
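Review bot: The context comment `// This generates a 50 character boundary similar to those used by Firefox.` kept above the replacement line is now stale, because 26 dashes plus the 36-character string from `crypto.randomUUID()` yield a 62-character boundary; the patch should touch that line too, e.g. `// This generates a 62 character boundary (26 dashes + a random UUID) similar to those used by Firefox.`. The DEP-3 header still carries the template placeholder `Bug: <upstream-bugtracker-url>`, which should be filled in or dropped before upload. The new test/integration/test-boundary-prediction.js depends on `predict-v8-randomness` and is not listed in the expanded loop in debian/tests/pkg-js/test, so it is presumably never executed during build or autopkgtest, which leaves the "[ Tests ]" claim without an actual regression check in Debian. The changelog hunk cites `CVE-2025-778` while the patch file name and its header say CVE-2025-7783; the truncated identifier will not be matched by the security tracker and should be corrected.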
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 0000000..78849cc
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1 @@
+CVE-2025-7783.patch
diff --git a/debian/tests/pkg-js/test b/debian/tests/pkg-js/test
index d6ccbd1..03c4342 100644
--- a/debian/tests/pkg-js/test
+++ b/debian/tests/pkg-js/test
@@ -1 +1,24 @@
-NODE_PATH=debian/tests/test_modules node test/common.js
+for test in \
+ test/common.js \
+ test/static.js \
+ test/integration/test-custom-content-type.js \
+ test/integration/test-submit-multi.js \
+ test/integration/test-errors.js \
+ test/integration/test-custom-headers-object.js \
+ test/integration/test-submit-multi-nocallback.js \
+ test/integration/test-custom-headers-string.js \
+ test/integration/test-submit-https.js \
+ test/integration/test-set-boundary.js \
+ test/integration/test-ranged-filestream.js \
+ test/integration/test-return-http-request.js \
+ test/integration/test-submit-readable-stream.js \
+ test/integration/test-form-get-length-sync.js \
+ test/integration/test-submit-url-parsing.js \
+ test/integration/test-last_boundary-line_break.js \
+ test/integration/test-get-buffer.js \
+ test/integration/test-options-override.js \
+ test/integration/test-to-string.js \
+ test/integration/test-form-get-length.js
+do
+	node $test
+done
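Review bot: A failing test in the new loop at `node $test` does not stop the run, and the script's exit status reflects only the last test, so a regression in any earlier file is lost unless the harness happens to invoke this script with `set -e`; `node "$test" || exit 1` makes each failure fatal and also quotes the path. The removed line set `NODE_PATH=debian/tests/test_modules` for the run while the new loop drops it entirely; if anything under debian/tests/test_modules is still needed by these tests it should be restored, e.g. `NODE_PATH=debian/tests/test_modules node "$test" || exit 1`.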

--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 12.12

Hi,

Each of the updates referenced by these requests was included in
today's 12.12 point release for bookworm.

Regards,

Adam

--- End Message ---
