Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian....@packages.debian.org
Usertags: pu
Hi,

node-fstream is vulnerable to Arbitrary File Overwrite (#931408, CVE-2019-13173). This little patch fixes the problem.

Cheers,
Xavier
diff --git a/debian/changelog b/debian/changelog index 8162572..41fb724 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,11 @@ +node-fstream (1.0.10-1+deb9u1) stretch; urgency=medium + + * Team upload + * Clobber a Link if it's in the way of a File + (Closes: #931408, CVE-2019-13173) + + -- Xavier Guimard <y...@debian.org> Wed, 28 Aug 2019 16:49:20 +0200 + node-fstream (1.0.10-1) unstable; urgency=medium * New upstream version 1.0.10 diff --git a/debian/patches/CVE-2019-13173.diff b/debian/patches/CVE-2019-13173.diff new file mode 100644 index 0000000..6adddad --- /dev/null +++ b/debian/patches/CVE-2019-13173.diff @@ -0,0 +1,20 @@ +Description: Clobber a Link if it's in the way of a File +Author: isaacs <i...@izs.me> +Origin: upstream, https://github.com/npm/fstream/commit/6a77d2f +Bug: https://www.npmjs.com/advisories/886 +Bug-Debian: https://bugs.debian.org/931408 +Forwarded: not-needed +Reviewed-By: Xavier Guimard <y...@debian.org> +Last-Update: 2019-08-28 + +--- a/lib/writer.js ++++ b/lib/writer.js +@@ -147,7 +147,7 @@ + + // if it's a type change, then we need to clobber or error. + // if it's not a type change, then let the impl take care of it. +- if (currentType !== self.type) { ++ if (currentType !== self.type || self.type === 'File' && current.nlink > 1) { + return rimraf(self._path, function (er) { + if (er) return self.error(er) + self._old = null diff --git a/debian/patches/series b/debian/patches/series index d1851b7..3e5db07 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -1 +1,2 @@ fixtest.patch +CVE-2019-13173.diff
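Review bot: In the debian/patches/CVE-2019-13173.diff hunk, the new condition `currentType !== self.type || self.type === 'File' && current.nlink > 1` relies on `&&` binding tighter than `||`; that is correct as written, and since the patch is taken verbatim from upstream (Origin: upstream, commit 6a77d2f) it should stay byte-identical rather than gaining parentheses. Two things to confirm before upload: the hunk's context does not show where `current` comes from, so verify in lib/writer.js that it is the lstat result, because if `nlink` is undefined the `> 1` test is always false and the hard-link case is silently left unfixed; and note the behavioural change, since `rimraf(self._path, ...)` only unlinks this path name, so a hard-linked destination is replaced by a fresh file while the other link keeps the old content, which is the intended mitigation but deserves a sentence in the DEP-3 Description alongside "Clobber a Link if it's in the way of a File".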