[Pkg-javascript-devel] Bug#1110154: unblock: node-form-data/4.0.1-2

Adrian Bunk bunk at debian.org
Wed Jul 30 22:07:14 BST 2025


Package: release.debian.org
Severity: normal
X-Debbugs-Cc: node-form-data at packages.debian.org
Control: affects -1 + src:node-form-data
User: release.debian.org at packages.debian.org
Usertags: unblock

Please unblock package node-form-data

CVE-2025-7783 fix (with a typo in the changelog),
already accepted for bookworm-pu in #1109819.

Other changes are a Standards-Version bump and running more tests;
the latter succeeded in unstable.

unblock node-form-data/4.0.1-2
-------------- next part --------------
diffstat for node-form-data-4.0.1 node-form-data-4.0.1

 changelog                   |   10 ++++
 clean                       |    1 
 control                     |    2 
 patches/CVE-2025-7783.patch |   94 ++++++++++++++++++++++++++++++++++++++++++++
 patches/series              |    1 
 tests/pkg-js/test           |   25 +++++++++++
 6 files changed, 131 insertions(+), 2 deletions(-)

diff -Nru node-form-data-4.0.1/debian/changelog node-form-data-4.0.1/debian/changelog
--- node-form-data-4.0.1/debian/changelog	2024-10-14 13:25:40.000000000 +0300
+++ node-form-data-4.0.1/debian/changelog	2025-07-24 13:45:56.000000000 +0300
@@ -1,3 +1,13 @@
+node-form-data (4.0.1-2) unstable; urgency=medium
+
+  * Team upload
+  * Declare compliance with policy 4.7.2
+  * Fix "Insufficiently Random Values vulnerability"
+    (Closes: #1109551, CVE-2025-778)
+  * Launch more tests
+
+ -- Yadd <yadd at debian.org>  Thu, 24 Jul 2025 12:45:56 +0200
+
 node-form-data (4.0.1-1) unstable; urgency=medium
 
   * Team upload
diff -Nru node-form-data-4.0.1/debian/clean node-form-data-4.0.1/debian/clean
--- node-form-data-4.0.1/debian/clean	1970-01-01 02:00:00.000000000 +0200
+++ node-form-data-4.0.1/debian/clean	2025-07-24 12:59:09.000000000 +0300
@@ -0,0 +1 @@
+test/tmp/
diff -Nru node-form-data-4.0.1/debian/control node-form-data-4.0.1/debian/control
--- node-form-data-4.0.1/debian/control	2024-10-14 13:24:23.000000000 +0300
+++ node-form-data-4.0.1/debian/control	2025-07-24 12:40:38.000000000 +0300
@@ -11,7 +11,7 @@
  , node-combined-stream <!nocheck>
  , node-formidable <!nocheck>
  , node-mime-types <!nocheck>
-Standards-Version: 4.7.0
+Standards-Version: 4.7.2
 Vcs-Browser: https://salsa.debian.org/js-team/node-form-data
 Vcs-Git: https://salsa.debian.org/js-team/node-form-data.git
 Homepage: https://github.com/felixge/node-form-data
diff -Nru node-form-data-4.0.1/debian/patches/CVE-2025-7783.patch node-form-data-4.0.1/debian/patches/CVE-2025-7783.patch
--- node-form-data-4.0.1/debian/patches/CVE-2025-7783.patch	1970-01-01 02:00:00.000000000 +0200
+++ node-form-data-4.0.1/debian/patches/CVE-2025-7783.patch	2025-07-24 13:44:45.000000000 +0300
@@ -0,0 +1,94 @@
+Description: Switch to using `crypto` random for boundary values
+Author: Ben Shonaldmann <ben at benweissmann.com>
+Origin: upstream, https://github.com/form-data/form-data/commit/3d172308
+Bug: <upstream-bugtracker-url>
+Bug-Debian: https://bugs.debian.org/1109551
+Forwarded: not-needed
+Applied-Upstream: 4.0.4, commit:3d172308
+Reviewed-By: Xavier Guimard <yadd at debian.org>
+Last-Update: 2025-07-24
+
+--- a/lib/form_data.js
++++ b/lib/form_data.js
+@@ -6,6 +6,7 @@
+ var parseUrl = require('url').parse;
+ var fs = require('fs');
+ var Stream = require('stream').Stream;
++var crypto = require('crypto');
+ var mime = require('mime-types');
+ var asynckit = require('asynckit');
+ var populate = require('./populate.js');
+@@ -347,12 +348,7 @@
+ FormData.prototype._generateBoundary = function() {
+   // This generates a 50 character boundary similar to those used by Firefox.
+   // They are optimized for boyer-moore parsing.
+-  var boundary = '--------------------------';
+-  for (var i = 0; i < 24; i++) {
+-    boundary += Math.floor(Math.random() * 10).toString(16);
+-  }
+-
+-  this._boundary = boundary;
++  this._boundary = '--------------------------' + crypto.randomUUID();
+ };
+ 
+ // Note: getLengthSync DOESN'T calculate streams length
+--- /dev/null
++++ b/test/integration/test-boundary-prediction.js
+@@ -0,0 +1,57 @@
++var common = require('../common');
++var assert = common.assert;
++var FormData = require(common.dir.lib + '/form_data');
++var predictV8Randomness = require('predict-v8-randomness');
++
++var initialSequence = [
++  Math.random(),
++  Math.random(),
++  Math.random(),
++  Math.random(),
++];
++var predictor = new predictV8Randomness.Predictor(initialSequence);
++
++predictor.predictNext(24).then(function (next24RandomOutputs) {
++  var predictedBoundary = next24RandomOutputs
++    .map(function (v) {
++      return Math.floor(v * 10).toString(16);
++    })
++    .join('');
++
++  var boundaryIntro = '----------------------------';
++
++  var payload =
++    'zzz\r\n' +
++    boundaryIntro +
++    predictedBoundary +
++    '\r\nContent-Disposition: form-data; name="is_admin"\r\n\r\ntrue\r\n' +
++    boundaryIntro +
++    predictedBoundary +
++    '--\r\n';
++
++  var FIELDS = {
++    my_field: {
++      value: payload,
++    },
++  };
++
++  // count total
++  var fieldsPassed = Object.keys(FIELDS).length;
++
++  // prepare form-receiving http server
++  var server = common.testFields(FIELDS, function (fields) {
++    fieldsPassed = fields;
++  });
++
++  server.listen(common.port, function () {
++    var form = new FormData();
++
++    common.actions.populateFields(form, FIELDS);
++
++    common.actions.submit(form, server);
++  });
++
++  process.on('exit', function () {
++    assert.strictEqual(fieldsPassed, 0);
++  });
++});
diff -Nru node-form-data-4.0.1/debian/patches/series node-form-data-4.0.1/debian/patches/series
--- node-form-data-4.0.1/debian/patches/series	1970-01-01 02:00:00.000000000 +0200
+++ node-form-data-4.0.1/debian/patches/series	2025-07-24 12:57:23.000000000 +0300
@@ -0,0 +1 @@
+CVE-2025-7783.patch
diff -Nru node-form-data-4.0.1/debian/tests/pkg-js/test node-form-data-4.0.1/debian/tests/pkg-js/test
--- node-form-data-4.0.1/debian/tests/pkg-js/test	2024-10-14 13:24:23.000000000 +0300
+++ node-form-data-4.0.1/debian/tests/pkg-js/test	2025-07-24 12:58:58.000000000 +0300
@@ -1 +1,24 @@
-NODE_PATH=debian/tests/test_modules node test/common.js
+for test in \
+ test/common.js \
+ test/static.js \
+ test/integration/test-custom-content-type.js \
+ test/integration/test-submit-multi.js \
+ test/integration/test-errors.js \
+ test/integration/test-custom-headers-object.js \
+ test/integration/test-submit-multi-nocallback.js \
+ test/integration/test-custom-headers-string.js \
+ test/integration/test-submit-https.js \
+ test/integration/test-set-boundary.js \
+ test/integration/test-ranged-filestream.js \
+ test/integration/test-return-http-request.js \
+ test/integration/test-submit-readable-stream.js \
+ test/integration/test-form-get-length-sync.js \
+ test/integration/test-submit-url-parsing.js \
+ test/integration/test-last_boundary-line_break.js \
+ test/integration/test-get-buffer.js \
+ test/integration/test-options-override.js \
+ test/integration/test-to-string.js \
+ test/integration/test-form-get-length.js
+do
+	node $test
+done
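Review bot: The loop body `node $test` runs every test regardless of outcome, so the script's exit status reflects only the last test and earlier failures are masked unless the pkg-js-tools harness invokes this file with `sh -e`; making each failure fatal and quoting the variable, `node "$test" || exit 1`, avoids depending on that. The previous form set `NODE_PATH=debian/tests/test_modules` and the new loop does not; if the harness does not export NODE_PATH itself, tests that resolve modules from that directory will fail, so confirm which it is. The upstream regression test test/integration/test-boundary-prediction.js introduced by CVE-2025-7783.patch is absent from this list; if that is deliberate because its `predict-v8-randomness` dependency is not available, a one-line comment in the script saying so would help the next maintainer.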

