[Pkg-javascript-devel] Bug#1036978: bookworm-pu: package node-undici/5.15.0+dfsg1+~cs20.10.9.3-1+deb12u1
Yadd
yadd at debian.org
Wed May 31 13:00:47 BST 2023
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian.org at packages.debian.org
Usertags: pu
X-Debbugs-Cc: node-undici at packages.debian.org
Control: affects -1 + src:node-undici
[ Reason ]
node-undici is vulnerable to:
* CVE-2023-23936: "Host" HTTP header isn't protected against CRLF injection
* CVE-2023-24807: Regex Denial of Service on headers set/append
[ Impact ]
Medium security issues
[ Tests ]
Tests updated and passing
[ Risks ]
Low risk, patches are trivial
[ Checklist ]
[X] *all* changes are documented in the d/changelog
[X] I reviewed all changes and I approve them
[X] attach debdiff against the package in (old)stable
[X] the issue is verified as fixed in unstable
[ Changes ]
Just a few small new checks
Cheers,
Yadd
-------------- next part --------------
diff --git a/debian/changelog b/debian/changelog
index 3a69b63..92c0de8 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,13 @@
+node-undici (5.15.0+dfsg1+~cs20.10.9.3-1+deb12u1) bookworm; urgency=medium
+
+ * Fix security issues (Closes: #1031418):
+ - Protect "Host" HTTP header from CLRF injection (Closes: CVE-2023-23936)
+ - Fix potential ReDoS on Headers.set and Headers.append
+ (Closes: CVE-2023-24807)
+ * Increase httpbin.org test timeout
+
+ -- Yadd <yadd at debian.org> Wed, 31 May 2023 15:52:45 +0400
+
node-undici (5.15.0+dfsg1+~cs20.10.9.3-1) unstable; urgency=medium
* Update standards version to 4.6.2, no changes needed.
diff --git a/debian/patches/CVE-2023-23936.patch b/debian/patches/CVE-2023-23936.patch
new file mode 100644
index 0000000..e6fbb0f
--- /dev/null
+++ b/debian/patches/CVE-2023-23936.patch
@@ -0,0 +1,62 @@
+Description: Protect "Host" HTTP header from CLRF injection
+Author: Yadd <yadd at debian.org>
+Origin: upstream, https://github.com/nodejs/undici/commit/a2eff054
+Bug: https://github.com/nodejs/undici/security/advisories/GHSA-5r9g-qh6m-jxff
+Bug-Debian: https://bugs.debian.org/1031418
+Forwarded: not-needed
+Applied-Upstream: 5.19.1, commit:a2eff054
+Reviewed-By: Yadd <yadd at debian.org>
+Last-Update: 2023-05-31
+
+--- a/lib/core/request.js
++++ b/lib/core/request.js
+@@ -299,6 +299,9 @@
+ key.length === 4 &&
+ key.toLowerCase() === 'host'
+ ) {
++ if (headerCharRegex.exec(val) !== null) {
++ throw new InvalidArgumentError(`invalid ${key} header`)
++ }
+ // Consumed by Client
+ request.host = val
+ } else if (
+--- /dev/null
++++ b/test/headers-crlf.js
+@@ -0,0 +1,37 @@
++'use strict'
++
++const { test } = require('tap')
++const { Client } = require('..')
++const { createServer } = require('http')
++const EE = require('events')
++
++test('CRLF Injection in Nodejs ?undici? via host', (t) => {
++ t.plan(1)
++
++ const server = createServer(async (req, res) => {
++ res.end()
++ })
++ t.teardown(server.close.bind(server))
++
++ server.listen(0, async () => {
++ const client = new Client(`http://localhost:${server.address().port}`)
++ t.teardown(client.close.bind(client))
++
++ const unsanitizedContentTypeInput = '12 \r\n\r\naaa:aaa'
++
++ try {
++ const { body } = await client.request({
++ path: '/',
++ method: 'POST',
++ headers: {
++ 'content-type': 'application/json',
++ 'host': unsanitizedContentTypeInput
++ },
++ body: 'asd'
++ })
++ await body.dump()
++ } catch (err) {
++ t.same(err.code, 'UND_ERR_INVALID_ARG')
++ }
++ })
++})
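Review bot: The new test in test/headers-crlf.js asserts only inside the catch block; if the host guard were lost, the request would succeed and the test would fail only through the unmet `t.plan(1)`, which surfaces as a plan mismatch rather than a named assertion. Adding `t.fail('expected UND_ERR_INVALID_ARG')` right after `await body.dump()` makes the expected outcome explicit. The local is named `unsanitizedContentTypeInput` but is sent as the `host` header, so `unsanitizedHostInput` would describe what it is. In the lib/core/request.js hunk the guard reuses `headerCharRegex` via `.exec`, which is stateless only if that regex carries no `g`/`y` flag; its definition is outside the hunk and worth confirming. The enclosing header-processing function in request.js starts and ends outside the hunk.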
diff --git a/debian/patches/CVE-2023-24807.patch b/debian/patches/CVE-2023-24807.patch
new file mode 100644
index 0000000..986fb16
--- /dev/null
+++ b/debian/patches/CVE-2023-24807.patch
@@ -0,0 +1,46 @@
+Description: fix potential ReDoS on Headers.set and Headers.append
+Author: Rich Trott <rtrott at gmail.com>
+Origin: upstream, https://github.com/nodejs/undici/commit/f2324e54
+Bug: https://github.com/nodejs/undici/security/advisories/GHSA-r6ch-mqf9-qc9w
+Bug-Debian: https://bugs.debian.org/1031418
+Forwarded: not-needed
+Applied-Upstream: 5.19.1, commit:f2324e54
+Reviewed-By: Yadd <yadd at debian.org>
+Last-Update: 2023-05-31
+
+--- a/lib/fetch/headers.js
++++ b/lib/fetch/headers.js
+@@ -23,10 +23,12 @@
+ // To normalize a byte sequence potentialValue, remove
+ // any leading and trailing HTTP whitespace bytes from
+ // potentialValue.
+- return potentialValue.replace(
+- /^[\r\n\t ]+|[\r\n\t ]+$/g,
+- ''
+- )
++
++ // Trimming the end with `.replace()` and a RegExp is typically subject to
++ // ReDoS. This is safer and faster.
++ let i = potentialValue.length
++ while (/[\r\n\t ]/.test(potentialValue.charAt(--i)));
++ return potentialValue.slice(0, i + 1).replace(/^[\r\n\t ]+/, '')
+ }
+
+ function fill (headers, object) {
+--- a/test/fetch/headers.js
++++ b/test/fetch/headers.js
+@@ -665,3 +665,14 @@
+
+ t.end()
+ })
++
++tap.test('headers that might cause a ReDoS', (t) => {
++ t.doesNotThrow(() => {
++ // This test will time out if the ReDoS attack is successful.
++ const headers = new Headers()
++ const attack = 'a' + '\t'.repeat(500_000) + '\ta'
++ headers.append('fhqwhgads', attack)
++ })
++
++ t.end()
++})
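Review bot: The trailing-whitespace loop added to lib/fetch/headers.js is an empty-bodied `while (...);` whose only work is the `--i` side effect inside the condition, which reads like a stray semicolon and relies on `charAt(-1)` returning `''` to terminate on an all-whitespace value. An explicit bound keeps it linear and makes the termination visible: `let end = potentialValue.length` / `while (end > 0 && /[\r\n\t ]/.test(potentialValue.charAt(end - 1))) end--` / `return potentialValue.slice(0, end).replace(/^[\r\n\t ]+/, '')`. The enclosing function starts outside the hunk. The new test in test/fetch/headers.js exercises only `append`; a matching `set` case would cover the second method named in the patch description.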
diff --git a/debian/patches/series b/debian/patches/series
index 3ee774d..ce1440a 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -5,3 +5,6 @@ fix-typescript.patch
fix-for-test-tap.patch
replace-npm-run.patch
drop-ssl-tests.patch
+CVE-2023-23936.patch
+CVE-2023-24807.patch
+update-httpbin.org-test-timeout.patch
diff --git a/debian/patches/update-httpbin.org-test-timeout.patch b/debian/patches/update-httpbin.org-test-timeout.patch
new file mode 100644
index 0000000..f7aceb6
--- /dev/null
+++ b/debian/patches/update-httpbin.org-test-timeout.patch
@@ -0,0 +1,16 @@
+Description: update httpbin.org test timeout
+Author: Yadd <yadd at debian.org>
+Forwarded: not-needed
+Last-Update: 2023-05-31
+
+--- a/test/node-fetch/main.js
++++ b/test/node-fetch/main.js
+@@ -1647,7 +1647,7 @@
+ })
+
+ it('should allow manual redirect handling', function () {
+- this.timeout(5000)
++ this.timeout(50000)
+ const url = 'https://httpbin.org/status/302'
+ const options = {
+ redirect: 'manual'