Package: release.debian.org Severity: normal Tags: bookworm User: release.debian....@packages.debian.org Usertags: pu X-Debbugs-Cc: node-und...@packages.debian.org Control: affects -1 + src:node-undici
[ Reason ] node-undici is vulnerable to: * CVE-2023-23936: "Host" HTTP header isn't protected against CRLF injection * CVE-2023-24807: Regex Denial of Service on headers set/append [ Impact ] Medium security issues [ Tests ] Test updated, passed [ Risks ] Low risk, patches are trivial [ Checklist ] [X] *all* changes are documented in the d/changelog [X] I reviewed all changes and I approve them [X] attach debdiff against the package in (old)stable [X] the issue is verified as fixed in unstable [ Changes ] Just new little checks Cheers, Yadd
diff --git a/debian/changelog b/debian/changelog
index 3a69b63..92c0de8 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,13 @@
+node-undici (5.15.0+dfsg1+~cs20.10.9.3-1+deb12u1) bookworm; urgency=medium
+
+ * Fix security issues (Closes: #1031418):
+ - Protect "Host" HTTP header from CLRF injection (Closes: CVE-2023-23936)
+ - Fix potential ReDoS on Headers.set and Headers.append
+ (Closes: CVE-2023-24807)
+ * Increase httpbin.org test timeout
+
+ -- Yadd <y...@debian.org> Wed, 31 May 2023 15:52:45 +0400
+
 node-undici (5.15.0+dfsg1+~cs20.10.9.3-1) unstable; urgency=medium
 
 * Update standards version to 4.6.2, no changes needed.
diff --git a/debian/patches/CVE-2023-23936.patch b/debian/patches/CVE-2023-23936.patch
new file mode 100644
index 0000000..e6fbb0f
--- /dev/null
+++ b/debian/patches/CVE-2023-23936.patch
@@ -0,0 +1,62 @@
+Description: Protect "Host" HTTP header from CLRF injection
+Author: Yadd <y...@debian.org>
+Origin: upstream, https://github.com/nodejs/undici/commit/a2eff054
+Bug: https://github.com/nodejs/undici/security/advisories/GHSA-5r9g-qh6m-jxff
+Bug-Debian: https://bugs.debian.org/1031418
+Forwarded: not-needed
+Applied-Upstream: 5.19.1, commit:a2eff054
+Reviewed-By: Yadd <y...@debian.org>
+Last-Update: 2023-05-31
+
+--- a/lib/core/request.js
++++ b/lib/core/request.js
+@@ -299,6 +299,9 @@
+ key.length === 4 &&
+ key.toLowerCase() === 'host'
+ ) {
++ if (headerCharRegex.exec(val) !== null) {
++ throw new InvalidArgumentError(`invalid ${key} header`)
++ }
+ // Consumed by Client
+ request.host = val
+ } else if (
+--- /dev/null
++++ b/test/headers-crlf.js
+@@ -0,0 +1,37 @@
++'use strict'
++
++const { test } = require('tap')
++const { Client } = require('..')
++const { createServer } = require('http')
++const EE = require('events')
++
++test('CRLF Injection in Nodejs ‘undici’ via host', (t) => {
++ t.plan(1)
++
++ const server = createServer(async (req, res) => {
++ res.end()
++ })
++ t.teardown(server.close.bind(server))
++
++ server.listen(0, async () => {
++ const client = new Client(`http://localhost:${server.address().port}`)
++ t.teardown(client.close.bind(client))
++
++ const unsanitizedContentTypeInput = '12 \r\n\r\naaa:aaa'
++
++ try {
++ const { body } = await client.request({
++ path: '/',
++ method: 'POST',
++ headers: {
++ 'content-type': 'application/json',
++ 'host': unsanitizedContentTypeInput
++ },
++ body: 'asd'
++ })
++ await body.dump()
++ } catch (err) {
++ t.same(err.code, 'UND_ERR_INVALID_ARG')
++ }
++ })
++})
diff --git a/debian/patches/CVE-2023-24807.patch b/debian/patches/CVE-2023-24807.patch
new file mode 100644
index 0000000..986fb16
--- /dev/null
+++ b/debian/patches/CVE-2023-24807.patch
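Review bot: The new guard in request.js, `if (headerCharRegex.exec(val) !== null)`, is only stateless if `headerCharRegex` (defined elsewhere in request.js, outside the hunk) carries neither the `g` nor the `y` flag — with either flag `exec` advances `lastIndex`, so a later call could start mid-string and miss a CR/LF. Presumably it is a plain literal, but a comment next to the check such as `// headerCharRegex must stay non-global: exec() would otherwise be stateful` would pin that for the next maintainer. In the new test, `unsanitizedContentTypeInput` holds the value sent as the `host` header, not a content type; `unsanitizedHostInput` would describe it. The function containing the `host` branch starts and ends outside the hunk.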
@@ -0,0 +1,46 @@
+Description: fix potential ReDoS on Headers.set and Headers.append
+Author: Rich Trott <rtr...@gmail.com>
+Origin: upstream, https://github.com/nodejs/undici/commit/f2324e54
+Bug: https://github.com/nodejs/undici/security/advisories/GHSA-r6ch-mqf9-qc9w
+Bug-Debian: https://bugs.debian.org/1031418
+Forwarded: not-needed
+Applied-Upstream: 5.19.1, commit:f2324e54
+Reviewed-By: Yadd <y...@debian.org>
+Last-Update: 2023-05-31
+
+--- a/lib/fetch/headers.js
++++ b/lib/fetch/headers.js
+@@ -23,10 +23,12 @@
+ // To normalize a byte sequence potentialValue, remove
+ // any leading and trailing HTTP whitespace bytes from
+ // potentialValue.
+- return potentialValue.replace(
+- /^[\r\n\t ]+|[\r\n\t ]+$/g,
+- ''
+- )
++
++ // Trimming the end with `.replace()` and a RegExp is typically subject to
++ // ReDoS. This is safer and faster.
++ let i = potentialValue.length
++ while (/[\r\n\t ]/.test(potentialValue.charAt(--i)));
++ return potentialValue.slice(0, i + 1).replace(/^[\r\n\t ]+/, '')
+ }
+
+ function fill (headers, object) {
+--- a/test/fetch/headers.js
++++ b/test/fetch/headers.js
+@@ -665,3 +665,14 @@
+
+ t.end()
+ })
++
++tap.test('headers that might cause a ReDoS', (t) => {
++ t.doesNotThrow(() => {
++ // This test will time out if the ReDoS attack is successful.
++ const headers = new Headers()
++ const attack = 'a' + '\t'.repeat(500_000) + '\ta'
++ headers.append('fhqwhgads', attack)
++ })
++
++ t.end()
++})
diff --git a/debian/patches/series b/debian/patches/series
index 3ee774d..ce1440a 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -5,3 +5,6 @@ fix-typescript.patch
 fix-for-test-tap.patch
 replace-npm-run.patch
 drop-ssl-tests.patch
+CVE-2023-23936.patch
+CVE-2023-24807.patch
+update-httpbin.org-test-timeout.patch
diff --git a/debian/patches/update-httpbin.org-test-timeout.patch b/debian/patches/update-httpbin.org-test-timeout.patch
new file mode 100644
index 0000000..f7aceb6
--- /dev/null
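Review bot: The empty-bodied `while (/[\r\n\t ]/.test(potentialValue.charAt(--i)));` in headers.js terminates on an empty or all-whitespace value only because `charAt(-1)` returns `''`, which the character class never matches, leaving `i === -1` so that `slice(0, 0)` yields `''`; that is correct, but the invariant is implicit and nothing in the hunk states it. A bounded form keeps the linear-time behaviour and makes the stop condition visible: `let end = potentialValue.length`, `while (end > 0 && /[\r\n\t ]/.test(potentialValue[end - 1])) end--`, `return potentialValue.slice(0, end).replace(/^[\r\n\t ]+/, '')`. The leading-side `replace` is anchored at `^` with a single character class, so it has no backtracking blow-up of its own. The enclosing function starts outside the hunk; its signature is not shown.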
+++ b/debian/patches/update-httpbin.org-test-timeout.patch
@@ -0,0 +1,16 @@
+Description: update httpbin.org test timeout
+Author: Yadd <y...@debian.org>
+Forwarded: not-needed
+Last-Update: 2023-05-31
+
+--- a/test/node-fetch/main.js
++++ b/test/node-fetch/main.js
+@@ -1647,7 +1647,7 @@
+ })
+
+ it('should allow manual redirect handling', function () {
+- this.timeout(5000)
++ this.timeout(50000)
+ const url = 'https://httpbin.org/status/302'
+ const options = {
+ redirect: 'manual'
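Review bot: Raising `this.timeout(5000)` to `this.timeout(50000)` does not address what makes this case slow, which, as far as the hunk shows, is that it fetches `https://httpbin.org/status/302` over the public network; when that host is unreachable the test now takes ten times longer to fail instead of failing fast. If the goal is to tolerate a missing or slow network, skipping the case when the connection cannot be established, or serving the 302 from a local `createServer` as the new headers-crlf.js test does for its server, would be more robust than a larger timeout. The `it(...)` callback continues past the end of the hunk.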