Bug#947758: buster-pu: package node-handlebars/3:4.1.0-1+deb10u1

To: Mattia Rizzolo <mattia@debian.org>, 947758@bugs.debian.org
Cc: "Adam D. Barratt" <adam@adam-barratt.org.uk>, Paul Gevers <elbrus@debian.org>
Subject: Bug#947758: buster-pu: package node-handlebars/3:4.1.0-1+deb10u1
From: Xavier <yadd@debian.org>
Date: Mon, 4 May 2020 22:02:32 +0200
Message-id: <[🔎] ca230b5a-12af-48a8-afcc-409778cb6a90@debian.org>
Reply-to: Xavier <yadd@debian.org>, 947758@bugs.debian.org
In-reply-to: <[🔎] 20200504165326.GU1318501@mapreri.org>
References: <f332b8014193963568e9ba2ad92ffcc75305b8d6.camel@adam-barratt.org.uk> <3361180f-be1d-8801-f484-239b4ae5301e@debian.org> <3361180f-be1d-8801-f484-239b4ae5301e@debian.org> <157768871379.678655.1820481871895083744.reportbug@deb007.xnr.fr> <877f2e39-a357-8eae-01c5-a57d8f1af99c@debian.org> <[🔎] 7bdcf9dec6bc1f20a13c188e1806cec74f3d2a50.camel@adam-barratt.org.uk> <[🔎] 4c02f7c4-71d2-1379-6f39-f7b96165aecf@debian.org> <[🔎] 76927e4295e5ccb6d5020b1fe0c9fd6c286d8bca.camel@adam-barratt.org.uk> <157768871379.678655.1820481871895083744.reportbug@deb007.xnr.fr> <[🔎] 2e34fc23-512f-8acc-960d-0d478b0b99bf@debian.org> <[🔎] 20200504165326.GU1318501@mapreri.org> <157768871379.678655.1820481871895083744.reportbug@deb007.xnr.fr>

Le 04/05/2020 à 18:53, Mattia Rizzolo a écrit :
> Hi,
> 
> let me reply before adsb has a chance ;)
> 
> On Mon, May 04, 2020 at 02:24:20PM +0200, Xavier wrote:
>> Finally I found a way to fix CVE and keep autopkgtest OK
>> (node-markdown-it-html5-embed). Here is a debdiff for a future point release
> 
> This is good, however,
> 
>> diff --git a/debian/changelog b/debian/changelog
>> index b985661..64df8db 100644
>> --- a/debian/changelog
>> +++ b/debian/changelog
>> @@ -1,3 +1,11 @@
>> +node-handlebars (3:4.1.0-1+deb10u1) buster; urgency=medium
>> +
>> +  * Team upload
>> +  * Disallow calling "helperMissing" and "blockHelperMissing" directly
>> +    (Closes: CVE-2019-19919)
>> +
>> + -- Xavier Guimard <yadd@debian.org>  Mon, 04 May 2020 14:21:11 +0200
> 
> By now 3:4.1.0-1+deb10u1 is already accepted in p-u, built and all, and
> it can't really be removed from there and replaced by a same-versined
> pacakge.
> 
> Please prepare a +deb10u2 version, and post here a debdiff against the
> already uploaded +deb10u1 one.

Is it good so ?

diff --git a/debian/changelog b/debian/changelog
index 95811b9..e49c409 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+node-handlebars (3:4.1.0-1+deb10u2) buster; urgency=medium
+
+  * Fix regression introduced in 3:4.1.0-1+deb10u1
+
+ -- Xavier Guimard <yadd@debian.org>  Mon, 04 May 2020 22:01:16 +0200
+
 node-handlebars (3:4.1.0-1+deb10u1) buster; urgency=medium
 
   * Team upload
diff --git a/debian/patches/CVE-2019-19919.patch b/debian/patches/CVE-2019-19919.patch
index f63f106..d34e77a 100644
--- a/debian/patches/CVE-2019-19919.patch
+++ b/debian/patches/CVE-2019-19919.patch
@@ -75,6 +75,21 @@ Last-Update: 2019-12-30
        );
      }
  
+--- a/lib/handlebars/helpers.js
++++ b/lib/handlebars/helpers.js
+@@ -15,3 +15,12 @@
+   registerLookup(instance);
+   registerWith(instance);
+ }
++
++export function moveHelperToHooks(instance, helperName, keepHelper) {
++  if (instance.helpers[helperName]) {
++    instance.hooks[helperName] = instance.helpers[helperName];
++    if (!keepHelper) {
++      delete instance.helpers[helperName];
++    }
++  }
++}
 --- a/lib/handlebars/runtime.js
 +++ b/lib/handlebars/runtime.js
 @@ -1,6 +1,7 @@

Reply to:

References:
- Bug#947758: buster-pu: package node-handlebars/3:4.1.0-1+deb10u1
  - From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
- Bug#947758: buster-pu: package node-handlebars/3:4.1.0-1+deb10u1
  - From: Xavier <yadd@debian.org>
- Bug#947758: buster-pu: package node-handlebars/3:4.1.0-1+deb10u1
  - From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
- Bug#947758: buster-pu: package node-handlebars/3:4.1.0-1+deb10u1
  - From: Xavier <yadd@debian.org>
- Bug#947758: buster-pu: package node-handlebars/3:4.1.0-1+deb10u1
  - From: Mattia Rizzolo <mattia@debian.org>

Prev by Date: Bug#946779: marked as done (buster-pu: package logrotate/3.14.0-4)
Next by Date: Bug#959723: RM: matrix-synapse/0.99.2-6 -- ROM; security issues; obsolete version
Previous by thread: Bug#947758: buster-pu: package node-handlebars/3:4.1.0-1+deb10u1
Next by thread: Bug#959429: RM: libmicrodns/0.0.10-1
Index(es):
- Date
- Thread