Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian....@packages.debian.org
Usertags: pu
Hi all,

I updated node-superagent for Buster. Now I would like to propose the security fix for stretch. This fixes CVE-2017-16129 (ZIP bomb attacks).

Cheers,
Xavier
diff --git a/debian/changelog b/debian/changelog index 0df52d2..43d031a 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +node-superagent (0.20.0+dfsg-1+deb9u1) stretch; urgency=medium + + * Add patch to fix ZIP bomb attacks (Closes: CVE-2017-16129) + + -- Xavier Guimard <y...@debian.org> Thu, 18 Apr 2019 20:37:30 +0200 + node-superagent (0.20.0+dfsg-1) unstable; urgency=medium * Imported Upstream version 0.20.0+dfsg diff --git a/debian/patches/CVE-2017-16129.diff b/debian/patches/CVE-2017-16129.diff new file mode 100644 index 0000000..7fc56a9 --- /dev/null +++ b/debian/patches/CVE-2017-16129.diff @@ -0,0 +1,34 @@ +Description: Fix for CVE-2017-16129 +Author: Xavier Guimard <y...@debian.org> +Origin: https://github.com/visionmedia/superagent/commit/946e28dab08f2ab334753bf36a2fbc5110d17789 +Bug: https://security-tracker.debian.org/tracker/CVE-2017-16129 +Forwarded: https://github.com/visionmedia/superagent/commit/946e28dab08f2ab334753bf36a2fbc5110d17789 +Last-Update: 2019-04-18 + +--- a/lib/node/index.js ++++ b/lib/node/index.js +@@ -898,6 +898,24 @@ + // explicit parser + if (parser) parse = parser; + ++ if (buffer) { ++ // Protectiona against zip bombs and other nuisance ++ let responseBytesLeft = self._maxResponseSize || 200000000; ++ res.on('data', function(buf) { ++ responseBytesLeft -= buf.byteLength || buf.length; ++ if (responseBytesLeft < 0) { ++ // This will propagate through error event ++ const err = Error("Maximum response size reached"); ++ err.code = "ETOOLARGE"; ++ // Parsers aren't required to observe error event, ++ // so would incorrectly report success ++ parserHandlesEnd = false; ++ // Will emit error event ++ res.destroy(err); ++ } ++ }); ++ } ++ + // parse + if (parse) { + try { diff --git a/debian/patches/series b/debian/patches/series index c366f88..a44323a 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -1 +1,2 @@ no_require_readable-stream.patch +CVE-2017-16129.diff
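Review bot: In the debian/changelog hunk, "Closes: CVE-2017-16129" puts a CVE identifier where the BTS closing syntax expects a bug number, so the changelog parser will not pick it up; the usual form is to cite the CVE in the text itself ("Add patch to fix ZIP bomb attacks (CVE-2017-16129)") and, only if a Debian bug exists for it, append "Closes: #NNNNNN" with that bug's number.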
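Review bot: In the debian/patches/CVE-2017-16129.diff hunk, `parserHandlesEnd = false;` assigns a variable that is not declared anywhere in the visible context of lib/node/index.js; the upstream commit targets a far newer superagent than 0.20.0, so confirm that this flag exists in the stretch source, otherwise the assignment either creates an implicit global or throws in strict mode, and the "would incorrectly report success" case the comment describes is not actually handled. Two more checks for this backport: `let responseBytesLeft` is only accepted by stretch's nodejs 4.x inside strict-mode code, so verify the file parses there (or use `var`), and since only `self._maxResponseSize || 200000000` is carried over without the upstream `maxResponseSize()` setter, the limit is a fixed 200 MB for every caller; either backport the setter or say so in the Description. Minor: "Protectiona" in the added comment is a typo, and with Origin already pointing at the upstream commit the DEP-3 `Forwarded:` field would conventionally read `not-needed` rather than repeating the same URL.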