
Bug#969366: marked as done (buster-pu: package node-url-parse/1.2.0-2+deb10u1)



Your message dated Sat, 26 Sep 2020 11:36:30 +0100
with message-id <d50ba4de424290cd2840a09ef19950156fcf51ab.camel@adam-barratt.org.uk>
and subject line Closing bugs for fixes included in 10.6 point release
has caused the Debian Bug report #969366,
regarding buster-pu: package node-url-parse/1.2.0-2+deb10u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
969366: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=969366
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu

[ Reason ]
Insufficient validation and sanitization of user input in the url-parse
npm package version 1.4.4 and earlier may allow an attacker to bypass security
checks.

[ Impact ]
Medium security risk

[ Tests ]
The upstream test related to this vulnerability is included in the patch. I ran
both the build and autopkgtest tests.

[ Risks ]
Low risk: the tests cover all features including the CVE fix; the change just trims
left to prevent unsanitized input from generating false positives.

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

[ Changes ]
1. "mocha" was missing in build dependencies, causing test failures
2. the upstream fix adds security checks without modifying algorithm

Cheers,
Xavier
diff --git a/debian/changelog b/debian/changelog
index 04127dd..ee819f8 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+node-url-parse (1.2.0-2+deb10u1) buster; urgency=medium
+
+  * Add missing test dependency: mocha
+  * Fix insufficient validation and sanitization of user input
+    (Closes: CVE-2020-8124)
+
+ -- Xavier Guimard <yadd@debian.org>  Tue, 01 Sep 2020 12:55:09 +0200
+
 node-url-parse (1.2.0-2) unstable; urgency=medium
 
   * Team upload
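Review bot: `(Closes: CVE-2020-8124)` in the new entry uses the Closes: keyword for a CVE id; dpkg-parsechangelog and the BTS only act on Closes: with Debian bug numbers, so the conventional form is the bare `(CVE-2020-8124)`, with a `Closes: #nnnnnn` only if a bug report exists. Harmless as written, but it will not close anything.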
diff --git a/debian/control b/debian/control
index 2c683c6..8433ca7 100644
--- a/debian/control
+++ b/debian/control
@@ -7,6 +7,7 @@ Testsuite: autopkgtest-pkg-nodejs
 Build-Depends:
  debhelper (>= 9)
  , dh-buildinfo
+ , mocha <!nocheck>
  , nodejs
  , webpack
  , node-deep-eql <!nocheck>
diff --git a/debian/patches/CVE-2020-8124.diff b/debian/patches/CVE-2020-8124.diff
new file mode 100644
index 0000000..129c377
--- /dev/null
+++ b/debian/patches/CVE-2020-8124.diff
@@ -0,0 +1,93 @@
+Description: Fix CVE 2020-8124
+ Insufficient validation and sanitization of user input exists in url-parse
+ npm package version 1.4.4 and earlier may allow attacker to bypass security
+ checks.
+Author: Arnout Kazemier <info@3rd-Eden.com>
+Origin: upstream, https://github.com/unshiftio/url-parse/commit/3ecd256f
+Bug: https://hackerone.com/reports/496293
+Forwarded: not-needed
+Reviewed-By: Xavier Guimard <yadd@debian.org>
+Last-Update: 2020-09-01
+
+--- a/index.js
++++ b/index.js
+@@ -2,8 +2,20 @@
+ 
+ var required = require('requires-port')
+   , qs = require('querystringify')
++  , slashes = /^[A-Za-z][A-Za-z0-9+-.]*:\/\//
+   , protocolre = /^([a-z][a-z0-9.+-]*:)?(\/\/)?([\S\s]*)/i
+-  , slashes = /^[A-Za-z][A-Za-z0-9+-.]*:\/\//;
++  , whitespace = '[\\x09\\x0A\\x0B\\x0C\\x0D\\x20\\xA0\\u1680\\u180E\\u2000\\u2001\\u2002\\u2003\\u2004\\u2005\\u2006\\u2007\\u2008\\u2009\\u200A\\u202F\\u205F\\u3000\\u2028\\u2029\\uFEFF]'
++  , left = new RegExp('^'+ whitespace +'+');
++
++/**
++ * Trim a given string.
++ *
++ * @param {String} str String to trim.
++ * @public
++ */
++function trimLeft(str) {
++  return (str || '').replace(left, '');
++}
+ 
+ /**
+  * These are the parse rules for the URL parser, it informs the parser
+@@ -94,6 +106,7 @@
+  * @api private
+  */
+ function extractProtocol(address) {
++  address = trimLeft(address);
+   var match = protocolre.exec(address);
+ 
+   return {
+@@ -149,6 +162,8 @@
+  * @api public
+  */
+ function URL(address, location, parser) {
++  address = trimLeft(address);
++
+   if (!(this instanceof URL)) {
+     return new URL(address, location, parser);
+   }
+@@ -414,6 +429,7 @@
+ //
+ URL.extractProtocol = extractProtocol;
+ URL.location = lolcation;
++URL.trimLeft = trimLeft;
+ URL.qs = qs;
+ 
+ module.exports = URL;
+--- a/test/test.js
++++ b/test/test.js
+@@ -31,6 +31,14 @@
+ 
+   describe('extractProtocol', function () {
+     it('extracts the protocol data', function () {
++      assume(parse.extractProtocol('http://example.com')).eql({
++        slashes: true,
++        protocol: 'http:',
++        rest: 'example.com'
++      });
++    });
++
++    it('extracts the protocol data for nothing', function () {
+       assume(parse.extractProtocol('')).eql({
+         slashes: false,
+         protocol: '',
+@@ -49,6 +57,15 @@
+     });
+   });
+ 
++
++  it('trimsLeft', function () {
++    assume(parse.extractProtocol(' javascript://foo')).eql({
++      slashes: true,
++      protocol: 'javascript:',
++      rest: 'foo'
++    });
++  });
++
+   it('parses the query string into an object', function () {
+     var url = 'http://google.com/?foo=bar'
+       , data = parse(url, true);
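Review bot: the added tests only exercise the `extractProtocol` call site; the second `address = trimLeft(address)` at the top of `URL()`, which is what every `parse()` consumer actually hits, has no test, so a regression there would go unnoticed. Suggest one more case next to the `trimsLeft` test, e.g. `assume(parse(' javascript://foo').protocol).equals('javascript:')`. Two smaller points: moving `slashes` above `protocolre` is a pure reorder with no behavioural change, and `URL.trimLeft = trimLeft` adds a new public export in a stable update, which is worth a line in the DEP-3 header.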
diff --git a/debian/patches/series b/debian/patches/series
index 1ae99bc..c24e259 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1 +1,2 @@
 CVE-2018-3774.diff
+CVE-2020-8124.diff

--- End Message ---
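As an added illustration (not code from url-parse or from this Debian patch), the two regexes from the CVE-2020-8124 fix reimplemented beside a hypothetical scheme-allowlist check, showing why such a check downstream of extractProtocol accepted ' javascript://foo' before the fix and rejects it after; isLinkAllowed, ALLOWED and the sample inputs are assumptions.

```javascript
// Added illustration (not code from the url-parse package or the Debian
// patch): the two regexes from the CVE-2020-8124 fix, reimplemented so the
// effect of trimLeft() on a hypothetical scheme-allowlist check is visible.

// Same expressions as the patched index.js. protocolre is anchored at the
// start of the string, so any leading whitespace makes the scheme group miss.
const protocolre = /^([a-z][a-z0-9.+-]*:)?(\/\/)?([\S\s]*)/i;
const whitespace = '[\\x09\\x0A\\x0B\\x0C\\x0D\\x20\\xA0\\u1680\\u180E\\u2000\\u2001\\u2002\\u2003\\u2004\\u2005\\u2006\\u2007\\u2008\\u2009\\u200A\\u202F\\u205F\\u3000\\u2028\\u2029\\uFEFF]';
const left = new RegExp('^' + whitespace + '+');

function trimLeft(str) {
  return (str || '').replace(left, '');
}

// extractProtocol before the fix (trim = false) and after it (trim = true).
function extractProtocol(address, trim) {
  if (trim) address = trimLeft(address);
  const match = protocolre.exec(address);
  return {
    protocol: match[1] ? match[1].toLowerCase() : '',
    slashes: !!match[2],
    rest: match[3]
  };
}

// Hypothetical consumer (assumption): accept a link only if its scheme is on
// an allowlist, treating scheme-less (relative) links as safe. That branch is
// where the bug bites: ' javascript://foo' parsed as scheme-less and passed.
const ALLOWED = new Set(['http:', 'https:', 'mailto:']);

function isLinkAllowed(href, trim) {
  const { protocol } = extractProtocol(href, trim);
  return protocol === '' || ALLOWED.has(protocol);
}

// Constructed sample inputs; the third is the case from the upstream test.
const SAMPLES = [
  'https://example.com/',
  'javascript://foo',
  ' javascript://foo',       // leading space (CVE-2020-8124 case)
  '\u2028javascript://foo'   // line separator, also in the whitespace class
];

// Returns one verdict per sample for the given parser behaviour.
function evaluate(trim) {
  return SAMPLES.map((s) => isLinkAllowed(s, trim));
}

console.log('before fix:', evaluate(false), 'after fix:', evaluate(true));
```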
--- Begin Message ---
Package: release.debian.org
Version: 10.6

Hi,

Each of these bugs relates to an update that was included in today's
stable point release.

Regards,

Adam

--- End Message ---
