[Pkg-javascript-devel] Bug#970173: Bug#970173: node-fetch: CVE-2020-15168

Salvatore Bonaccorso carnil at debian.org
Sun Sep 13 20:11:36 BST 2020


Hi Xavier,

On Sun, Sep 13, 2020 at 05:29:56PM +0200, Xavier wrote:
> On 12/09/2020 at 15:33, Salvatore Bonaccorso wrote:
> > Source: node-fetch
> > Version: 1.7.3-2
> > Severity: important
> > Tags: security upstream
> > X-Debbugs-Cc: carnil at debian.org, Debian Security Team <team at security.debian.org>
> > Control: found -1 1.7.3-1
> > 
> > Hi,
> > 
> > The following vulnerability was published for node-fetch.
> > 
> > CVE-2020-15168[0]:
> > | node-fetch before versions 2.6.1 and 3.0.0-beta.9 did not honor the
> > | size option after following a redirect, which means that when a
> > | content size was over the limit, a FetchError would never get thrown
> > | and the process would end without failure. For most people, this fix
> > | will have a little or no impact. However, if you are relying on node-
> > | fetch to gate files above a size, the impact could be significant, for
> > | example: If you don't double-check the size of the data after fetch()
> > | has completed, your JS thread could get tied up doing work on a large
> > | file (DoS) and/or cost you money in computing.
> > 
> > 
> > If you fix the vulnerability please also make sure to include the
> > CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> > 
> > For further information see:
> > 
> > [0] https://security-tracker.debian.org/tracker/CVE-2020-15168
> >     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15168
> > [1] https://github.com/node-fetch/node-fetch/security/advisories/GHSA-w7rc-rwvf-8q5r
> > 
> > Regards
> > Salvatore
> 
> Hi,
> 
> the upstream patches
> (https://github.com/node-fetch/node-fetch/commit/2358a6c2 or
> https://github.com/node-fetch/node-fetch/commit/eaff0094) seem not easy
> to backport to 1.7.3 without major changes. I think we should keep this
> minor bug unfixed in buster.

Sounds sensible (and good once the new version from experimental would
move to unstable).

Regards,
Salvatore
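The advisory's recommended mitigation, re-checking the body size after fetch() returns instead of relying on the client's `size` option, as an added example; this is not code from this thread or from node-fetch. `collectWithLimit` accepts any async iterable of chunks (node-fetch's `res.body` is one), the `Content-Length` fast path is an assumption about the caller's headers, and the sample body is constructed.

```javascript
// Added example, not node-fetch's own code. node-fetch < 2.6.1 dropped its
// `size` cap after a redirect, so the application enforces the cap itself.
class SizeLimitError extends Error {
  constructor(limit, seen) {
    super(`response body exceeded ${limit} bytes (read at least ${seen})`);
    this.name = 'SizeLimitError';
    this.limit = limit;
    this.seen = seen;
  }
}

// Fast path: refuse up front when the server declares a body over the cap.
// A missing or non-numeric value (e.g. chunked transfer) yields false, so
// the streaming check below must still run; the header is a hint only.
function exceedsDeclaredLength(contentLength, maxBytes) {
  if (contentLength === null || contentLength === undefined) return false;
  const n = Number(contentLength);
  return Number.isFinite(n) && n > maxBytes;
}

// Streaming check: count bytes as they arrive and abort at the first chunk
// that pushes the total over the cap, so an oversized body is never fully
// buffered or processed. Throwing out of `for await` invokes the iterator's
// return(), which destroys a Node.js Readable such as res.body.
async function collectWithLimit(body, maxBytes) {
  const chunks = [];
  let seen = 0;
  for await (const chunk of body) {
    const buf = Buffer.isBuffer(chunk) ? chunk : Buffer.from(chunk);
    seen += buf.length;
    if (seen > maxBytes) throw new SizeLimitError(maxBytes, seen);
    chunks.push(buf);
  }
  return Buffer.concat(chunks);
}

// Constructed sample body standing in for a (possibly redirected) response.
async function* sampleBody(sizeBytes, chunkBytes = 4) {
  for (let off = 0; off < sizeBytes; off += chunkBytes) {
    yield Buffer.alloc(Math.min(chunkBytes, sizeBytes - off), 0x61);
  }
}

// Returns 'ok:<bytes>' when the body fits, or the error name when it does not.
async function demo(sizeBytes, maxBytes) {
  try {
    const buf = await collectWithLimit(sampleBody(sizeBytes), maxBytes);
    return `ok:${buf.length}`;
  } catch (e) {
    return e.name;
  }
}
```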