Package: release.debian.org Severity: normal Tags: bullseye User: release.debian....@packages.debian.org Usertags: pu X-Debbugs-Cc: michael.lesci...@uhn.ca, secur...@debian.org
[ Reason ] node-raw-body embeds a patch that introduces a Denial-of-Service vulnerability into node-express. [ Impact ] Security issue: a simple request can crash any express application. [ Tests ] I added a test that proves the bug is fixed: it fails with node-raw-body 2.4.1-2 and succeeds with 2.4.1-2+deb11u1. [ Risks ] No risk; the Debian package is now exactly what upstream wrote. [ Checklist ] [X] *all* changes are documented in the d/changelog [X] I reviewed all changes and I approve them [X] attach debdiff against the package in (old)stable [X] the issue is verified as fixed in unstable [ Changes ] Drop the patch which replaced node-iconv-lite by node-iconv. [ Other info ] Thanks to Michael Lescisin for the report and the fix.
diff --git a/debian/changelog b/debian/changelog
index 1aee9e3..1934161 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+node-raw-body (2.4.1-2+deb11u1) bullseye; urgency=medium
+
+ * Team upload
+ * Drop use-iconv-not-lite.patch, fixes node-express potential DoS
+
+ -- Yadd <y...@debian.org> Fri, 20 May 2022 09:40:23 +0200
+
 node-raw-body (2.4.1-2) unstable; urgency=medium
 
 * Team upload
diff --git a/debian/control b/debian/control
index 1f6af0c..ee4fab3 100644
--- a/debian/control
+++ b/debian/control
@@ -9,7 +9,7 @@ Build-Depends:
 , mocha (>= 4) <!nocheck>
 , node-bytes (>= 3.0.0) <!nocheck>
 , node-http-errors <!nocheck>
- , node-iconv <!nocheck>
+ , node-iconv-lite <!nocheck>
 , node-unpipe <!nocheck>
 , node-readable-stream <!nocheck>
 , node-safe-buffer <!nocheck>
@@ -27,7 +27,7 @@ Depends:
 , nodejs
 , node-bytes (>= 3.0.0)
 , node-http-errors
- , node-iconv
+ , node-iconv-lite
 , node-unpipe
 Provides: nodetypes-raw-body (= ${source:Version})
 Description: Request body length validation supporting streams - Node.js
diff --git a/debian/patches/series b/debian/patches/series
deleted file mode 100644
index fd1b019..0000000
--- a/debian/patches/series
+++ /dev/null
@@ -1 +0,0 @@
-use-iconv-not-lite.patch
diff --git a/debian/patches/use-iconv-not-lite.patch b/debian/patches/use-iconv-not-lite.patch
deleted file mode 100644
index 121fe49..0000000
--- a/debian/patches/use-iconv-not-lite.patch
+++ /dev/null
@@ -1,64 +0,0 @@
-Description: use iconv, not iconv-lite
-Forwarded: not-needed, unless raw-body could be made compatible with both iconv and iconv-lite
-Author: Jérémy Lal <kapo...@melix.org>
-Reviewed-By: Xavier Guimard <y...@debian.org>
-Last-Update: 2020-01-29
-
---- a/index.js
-+++ b/index.js
-@@ -14,7 +14,7 @@
- 
- var bytes = require('bytes')
- var createError = require('http-errors')
--var iconv = require('iconv-lite')
-+var iconv = require('iconv').Iconv
- var unpipe = require('unpipe')
- 
- /**
-@@ -29,7 +29,7 @@
- * @private
- */
- 
--var ICONV_ENCODING_MESSAGE_REGEXP = /^Encoding not recognized: /
-+var ICONV_ENCODING_MESSAGE_REGEXP = /^(?:Encoding not recognized: |Conversion from \S+ to utf\-8 is not supported)/i
- 
- /**
- * Get the decoder for a given encoding.
-@@ -42,7 +42,7 @@
- if (!encoding) return null
- 
- try {
-- return iconv.getDecoder(encoding)
-+ return new iconv(encoding,'utf-8')
- } catch (e) {
- // error getting decoder
- if (!ICONV_ENCODING_MESSAGE_REGEXP.test(e.message)) throw e
-@@ -249,7 +249,7 @@
- type: 'entity.too.large'
- }))
- } else if (decoder) {
-- buffer += decoder.write(chunk)
-+ buffer += decoder.convert(chunk)
- } else {
- buffer.push(chunk)
- }
-@@ -268,7 +268,7 @@
- }))
- } else {
- var string = decoder
-- ? buffer + (decoder.end() || '')
-+ ? buffer
- : Buffer.concat(buffer)
- done(null, string)
- }
---- a/package.json
-+++ b/package.json
-@@ -12,7 +12,7 @@
- "dependencies": {
- "bytes": "3.1.0",
- "http-errors": "1.7.3",
-- "iconv-lite": "0.4.24",
-+ "iconv": ">= 2",
- "unpipe": "1.0.0"
- },
- "devDependencies": {
diff --git a/debian/tests/control b/debian/tests/control
new file mode 100644
index 0000000..6c6f7c2
--- /dev/null
+++ b/debian/tests/control
@@ -0,0 +1,3 @@
+Tests: express-dos
+Depends: @, node-express, curl
+Restrictions: allow-stderr
diff --git a/debian/tests/express-dos b/debian/tests/express-dos
new file mode 100755
index 0000000..e27e51f
--- /dev/null
+++ b/debian/tests/express-dos
@@ -0,0 +1,19 @@
+#!/bin/sh
+
+set -e
+
+node debian/tests/express-dos.js &
+PID=$!
+sleep 1
+HEADERS=`mktemp`
+
+curl --data-raw `perl -le 'print "[".chr(128)."]"'` -D $HEADERS -H 'Content-Type: application/json' http://localhost:56056/test
+curl -d name=val http://localhost:56056/test
+
+grep 400 $HEADERS
+
+CODE=0
+wait $PID || CODE=$?
+
+echo "express app exited with code $CODE"
+exit $CODE
diff --git a/debian/tests/express-dos.js b/debian/tests/express-dos.js
new file mode 100644
index 0000000..b6a3f19
--- /dev/null
+++ b/debian/tests/express-dos.js
@@ -0,0 +1,13 @@
+const express = require('express');
+const app = express();
+var server;
+
+app.use(express.json());
+
+app.post('/test', (req, res) => {
+ console.log(req.body);
+ res.send("OK\n");
+ server.close();
+});
+
+server = app.listen(56056);
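Review bot: The background node process is never cleaned up on an early failure: with `set -e`, a failing `curl` (for instance because the server is not yet listening when the fixed `sleep 1` elapses) exits the script before `wait $PID`, leaving express-dos.js running and holding port 56056 — add `trap 'kill $PID 2>/dev/null || true' EXIT` right after `PID=$!`, and consider polling the port instead of sleeping a fixed second. `grep 400 $HEADERS` matches "400" anywhere in the captured headers (a Content-Length or ETag value could contain it); `grep -q '^HTTP/.* 400 ' "$HEADERS"` pins the check to the status line. The file created by `mktemp` is never removed; `rm -f "$HEADERS"` fits in the same trap. Quoting `$HEADERS` and the perl command substitution would also guard against word splitting, though the payload here contains no whitespace.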
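Review bot: `server = app.listen(56056);` binds every interface, so for the duration of the autopkgtest the throw-away app is reachable from outside the host; the shell script only ever talks to localhost, so `server = app.listen(56056, '127.0.0.1');` is sufficient and keeps the test from exposing a deliberately crashable endpoint. `var server;` should be `let server;` in a file that otherwise uses `const`. The handler closes the server on the first request that reaches it, so if the second `curl` gets an HTTP response without reaching `/test` the process stays up and the script's `wait $PID` blocks until the autopkgtest timeout; that is an inferred risk, but an unref'd `setTimeout(() => process.exit(1), 10000).unref();` watchdog would turn such a hang into an explicit failure.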