Package: release.debian.org Severity: normal User: release.debian....@packages.debian.org Usertags: unblock X-Debbugs-Cc: car...@debian.org,y...@debian.org
Hi Release team, Please unblock package node-nodemailer. Yadd fixed #990485, CVE-2021-23400 for node-nodemailer in unstable. Can you please unblock the package anyway (if I understand correctly it would not strictly need an unblock, not being a key package and having autopkgtests passing) to make sure it lands in testing and so in bullseye before the release? Regards, Salvatore
diff -Nru node-nodemailer-6.4.17/debian/changelog node-nodemailer-6.4.17/debian/changelog
--- node-nodemailer-6.4.17/debian/changelog 2021-01-21 06:26:01.000000000 +0100
+++ node-nodemailer-6.4.17/debian/changelog 2021-06-30 14:59:47.000000000 +0200
@@ -1,3 +1,11 @@
+node-nodemailer (6.4.17-3) unstable; urgency=medium
+
+ * Fix GitHub tags regex
+ * Fix header injection vulnerability in address object
+ (Closes: #990485, CVE-2021-23400)
+
+ -- Yadd <y...@debian.org> Wed, 30 Jun 2021 14:59:47 +0200
+
 node-nodemailer (6.4.17-2) unstable; urgency=medium
 
 * Ignore cookie test (Closes: #980702)
diff -Nru node-nodemailer-6.4.17/debian/control node-nodemailer-6.4.17/debian/control
--- node-nodemailer-6.4.17/debian/control 2021-01-21 06:09:40.000000000 +0100
+++ node-nodemailer-6.4.17/debian/control 2021-04-15 20:35:08.000000000 +0200
@@ -2,7 +2,7 @@
 Section: javascript
 Priority: optional
 Maintainer: Debian Javascript Maintainers <pkg-javascript-de...@lists.alioth.debian.org>
-Uploaders: Xavier Guimard <y...@debian.org>
+Uploaders: Yadd <y...@debian.org>
 Testsuite: autopkgtest-pkg-nodejs
 Build-Depends: debhelper-compat (= 13)
diff -Nru node-nodemailer-6.4.17/debian/copyright node-nodemailer-6.4.17/debian/copyright
--- node-nodemailer-6.4.17/debian/copyright 2021-01-21 06:09:40.000000000 +0100
+++ node-nodemailer-6.4.17/debian/copyright 2021-04-15 20:35:08.000000000 +0200
@@ -8,7 +8,7 @@
 License: Expat
 
 Files: debian/*
-Copyright: 2019-2020, Xavier Guimard <y...@debian.org>
+Copyright: 2019-2020, Yadd <y...@debian.org>
 License: Expat
 
 Files: debian/tests/test_modules/base32.js/*
diff -Nru node-nodemailer-6.4.17/debian/patches/CVE-2021-23400.patch node-nodemailer-6.4.17/debian/patches/CVE-2021-23400.patch
--- node-nodemailer-6.4.17/debian/patches/CVE-2021-23400.patch 1970-01-01 01:00:00.000000000 +0100
+++ node-nodemailer-6.4.17/debian/patches/CVE-2021-23400.patch 2021-06-30 14:58:51.000000000 +0200
@@ -0,0 +1,80 @@
+Description: fix header injection vulnerability in address object
+Author: Andris Reinman <and...@kreata.ee>
+Origin: upstream, https://github.com/nodemailer/nodemailer/commit/7e02648c
+Bug: https://github.com/nodemailer/nodemailer/issues/1289
+Bug-Debian: https://bugs.debian.org/990485
+Forwarded: not-needed
+Reviewed-By: Yadd <y...@debian.org>
+Last-Update: 2021-06-30
+
+--- a/lib/mime-node/index.js
++++ b/lib/mime-node/index.js
+@@ -1130,9 +1130,9 @@
+ address.address = this._normalizeAddress(address.address);
+
+ if (!address.name) {
+- values.push(address.address);
++ values.push(address.address.indexOf(' ') >= 0 ? `<${address.address}>` : `${address.address}`);
+ } else if (address.name) {
+- values.push(this._encodeAddressName(address.name) + ' <' + address.address + '>');
++ values.push(`${this._encodeAddressName(address.name)} <${address.address}>`);
+ }
+
+ if (address.address) {
+@@ -1141,9 +1141,8 @@
+ }
+ }
+ } else if (address.group) {
+- values.push(
+- this._encodeAddressName(address.name) + ':' + (address.group.length ? this._convertAddresses(address.group, uniqueList) : '').trim() + ';'
+- );
++ let groupListAddresses = (address.group.length ? 
this._convertAddresses(address.group, uniqueList) : '').trim();
++ values.push(`${this._encodeAddressName(address.name)}:${groupListAddresses};`);
+ }
+ });
+
+@@ -1157,13 +1156,17 @@
+ * @return {String} address string
+ */
+ _normalizeAddress(address) {
+- address = (address || '').toString().trim();
++ address = (address || '')
++ .toString()
++ .replace(/[\x00-\x1F<>]+/g, ' ') // remove unallowed characters
++ .trim();
+
+ let lastAt = address.lastIndexOf('@');
+ if (lastAt < 0) {
+ // Bare username
+ return address;
+ }
++
+ let user = address.substr(0, lastAt);
+ let domain = address.substr(lastAt + 1);
+
+@@ -1172,7 +1175,24 @@
+ // 'jõgeva.ee' will be converted to 'xn--jgeva-dua.ee'
+ // non-unicode domains are left as is
+
+- return user + '@' + punycode.toASCII(domain.toLowerCase());
++ let encodedDomain;
++
++ try {
++ encodedDomain = punycode.toASCII(domain.toLowerCase());
++ } catch (err) {
++ // keep as is?
++ }
++
++ if (user.indexOf(' ') >= 0) {
++ if (user.charAt(0) !== '"') {
++ user = '"' + user;
++ }
++ if (user.substr(-1) !== '"') {
++ user = user + '"';
++ }
++ }
++
++ return `${user}@${encodedDomain}`;
+ }
+
+ /**
diff -Nru node-nodemailer-6.4.17/debian/patches/series node-nodemailer-6.4.17/debian/patches/series
--- node-nodemailer-6.4.17/debian/patches/series 1970-01-01 01:00:00.000000000 +0100
+++ node-nodemailer-6.4.17/debian/patches/series 2021-06-30 14:56:41.000000000 +0200
@@ -0,0 +1 @@
+CVE-2021-23400.patch
diff -Nru node-nodemailer-6.4.17/debian/watch node-nodemailer-6.4.17/debian/watch
--- node-nodemailer-6.4.17/debian/watch 2019-10-12 09:57:06.000000000 +0200
+++ node-nodemailer-6.4.17/debian/watch 2021-04-15 20:35:08.000000000 +0200
@@ -2,4 +2,4 @@
 opts=\
 dversionmangle=auto,\
 filenamemangle=s/.*\/v?([\d\.-]+)\.tar\.gz/node-nodemailer-$1.tar.gz/ \
- https://github.com/nodemailer/nodemailer/releases .*/archive/v?([\d\.]+).tar.gz
+ https://github.com/nodemailer/nodemailer/releases .*/archive/.*/v?([\d\.]+).tar.gz
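Review bot: In the nested `@@ -1172,7 +1175,24 @@` hunk of the new CVE-2021-23400.patch, the `catch (err) { // keep as is? }` branch leaves `encodedDomain` undefined when `punycode.toASCII` throws, so the final `return `${user}@${encodedDomain}`` emits a literal `user@undefined` address rather than keeping the domain as the comment suggests was intended; the catch should assign a fallback such as `encodedDomain = domain.toLowerCase();`. The new quoting for a local-part containing spaces wraps `user` in double quotes but does not escape any `"` or `\` already present inside it, so the result may not be a valid quoted-string; escaping those characters (or rejecting such input) before wrapping would make the sanitization self-contained. The character class `[\x00-\x1F<>]` also leaves `\x7F` (DEL) untouched, which is worth a deliberate decision even if harmless here. Both `_convertAddresses` (the `@@ -1130` and `@@ -1141` hunks) and `_normalizeAddress` begin or end outside the quoted hunks, so how callers consume the sanitized value cannot be checked from this patch.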