[Pkg-javascript-commits] [node-concat-stream] 03/06: Apply upstream fix for Uninitialized Memory Exposure weakness CWE-201
Ross Gammon
ross-guest at moszumanska.debian.org
Sun May 28 17:56:33 UTC 2017
ross-guest pushed a commit to branch stretch
in repository node-concat-stream.
commit 30bfe2d9234e8a3913016327f40772dbc082e513
Author: Ross Gammon <rosco2 at ubuntu.com>
Date: Sun May 28 13:45:03 2017 +0200
Apply upstream fix for Uninitialized Memory Exposure weakness CWE-201
Closes: #863481
---
debian/patches/series | 1 +
debian/patches/to-string_numbers.patch | 85 ++++++++++++++++++++++++++++++++++
2 files changed, 86 insertions(+)
diff --git a/debian/patches/series b/debian/patches/series
index 214a486..ef86798 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1 +1,2 @@
readable-stream.patch
+to-string_numbers.patch
diff --git a/debian/patches/to-string_numbers.patch b/debian/patches/to-string_numbers.patch
new file mode 100644
index 0000000..39a1051
--- /dev/null
+++ b/debian/patches/to-string_numbers.patch
@@ -0,0 +1,85 @@
+Description: to-string numbers written to the stream
+ Node-concat-stream is vulnerable to Uninitialized Memory Exposure. This
+ possible memory disclosure vulnerability exists when a value of type number
+ is provided to the stringConcat() method and results in concatination of
+ uninitialized memory to the stream collection.
+ This is a result of unobstructed use of the Buffer constructor, whose
+ insecure default constructor increases the odds of memory leakage.
+ See https://snyk.io/vuln/npm:concat-stream:20160901 for further details.
+Origin: upstream, https://github.com/maxogden/concat-stream/
+Bug: https://github.com/maxogden/concat-stream/issues/55
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=863481
+Applied-Upstream: https://github.com/maxogden/concat-stream/pull/47/commits/3e285ba5e5b10b7c98552217f5c1023829efe69e
+Last-Update: 2017-05-28
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+diff --git a/index.js b/index.js
+index d20f954..b16ad13 100644
+--- a/index.js
++++ b/index.js
+@@ -73,6 +73,10 @@ function isArrayish (arr) {
+ return /Array\]$/.test(Object.prototype.toString.call(arr))
+ }
+
++function isBufferish (p) {
++ return typeof p === 'string' || isArrayish(p) || (p && typeof p.subarray === 'function')
++}
++
+ function stringConcat (parts) {
+ var strings = []
+ var needsToString = false
+@@ -82,8 +86,10 @@ function stringConcat (parts) {
+ strings.push(p)
+ } else if (Buffer.isBuffer(p)) {
+ strings.push(p)
+- } else {
++ } else if (isBufferish(p)) {
+ strings.push(new Buffer(p))
++ } else {
++ strings.push(new Buffer(String(p)))
+ }
+ }
+ if (Buffer.isBuffer(parts[0])) {
+@@ -101,10 +107,11 @@ function bufferConcat (parts) {
+ var p = parts[i]
+ if (Buffer.isBuffer(p)) {
+ bufs.push(p)
+- } else if (typeof p === 'string' || isArrayish(p)
+- || (p && typeof p.subarray === 'function')) {
++ } else if (isBufferish(p)) {
+ bufs.push(new Buffer(p))
+- } else bufs.push(new Buffer(String(p)))
++ } else {
++ bufs.push(new Buffer(String(p)))
++ }
+ }
+ return Buffer.concat(bufs)
+ }
+diff --git a/test/string.js b/test/string.js
+index 145630c..be60998 100644
+--- a/test/string.js
++++ b/test/string.js
+@@ -58,7 +58,7 @@ test('string from buffers with multibyte characters', function (t) {
+ var snowman = new Buffer('☃')
+ for (var i = 0; i < 8; i++) {
+ strings.write(snowman.slice(0, 1))
+- strings.write(snowman.slice(1))
++ strings.write(snowman.slice(1))
+ }
+ strings.end()
+ })
+@@ -74,3 +74,14 @@ test('string infer encoding with empty string chunk', function (t) {
+ strings.write("dogs")
+ strings.end()
+ })
++
++test('to string numbers', function (t) {
++ var write = concat(function (str) {
++ t.equal(str, 'a1000')
++ t.end()
++ })
++
++ write.write('a')
++ write.write(1000)
++ write.end()
++})
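Review bot: The security intent behind `isBufferish` is not recorded in the code, yet the whole fix rests on numbers not matching it, so that `write(1000)` reaches `new Buffer(String(p))` instead of the Buffer constructor's size overload, which returns uninitialized memory; a comment on the helper such as `// Numbers are deliberately not bufferish: new Buffer(n) allocates n uninitialized bytes (CWE-201), so they fall through to the String(p) branch` would keep a later refactor from "simplifying" it away. Two smaller points on the same lines: `p && typeof p.subarray === 'function'` yields `p` itself rather than a boolean when `p` is falsy, so `return typeof p === 'string' || isArrayish(p) || Boolean(p && typeof p.subarray === 'function')` is cleaner, and both branches still go through the overloaded `new Buffer(...)` constructor, where `Buffer.from(...)` would avoid the overload entirely if the Node versions this package targets provide it. `stringConcat` and `bufferConcat` both start and end outside their inner hunks, and the `test/string.js` change at line 58 is whitespace-only.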