Package: node-ws Version: 7.4.2+~cs18.0.8-3 Severity: normal Tags: patch, security X-Debbugs-Cc: debian-...@lists.debian.org Control: found -1 7.4.2+~cs18.0.8-3
Dear Maintainer, The package `node-ws` in Debian bookworm is affected by CVE-2024-37890, a denial-of-service vulnerability (uncaught TypeError in websocket-server.js when handling crafted HTTP requests). See: https://security-tracker.debian.org/tracker/CVE-2024-37890 https://github.com/websockets/ws/commit/22c28763234aa75a7e1b76f5c01c181260d7917f I have prepared a patch that backports the upstream fix to bookworm. The fixed package is versioned as: 7.4.2+~cs18.0.8-3+deb11u1 The patch is attached as a debdiff against the current bookworm version. I have tested that the patched package no longer crashes with the provided PoC. Please consider applying this patch to stable (bookworm). Best regards, Yang Wang <yang.w...@windriver.com> -- System Information: Debian Release: 11.11 APT prefers oldstable APT policy: (500, 'oldstable') Architecture: amd64 (x86_64) Kernel: Linux 6.8.0-60-generic (SMP w/8 CPU threads; PREEMPT) Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968) (ignored: LC_ALL set to C), LANGUAGE not set Shell: /bin/sh linked to /bin/dash Init: unable to detect Versions of packages node-ws depends on: ii node-agent-base 6.0.2-2 ii node-commander 6.2.1-2 ii node-debug 4.3.1+~cs4.1.5-1 ii node-read 1.0.7-2 ii node-tinycolor 0.0.1-2 ii nodejs 12.22.12~dfsg-1~deb11u4 node-ws recommends no packages. node-ws suggests no packages. -- no debconf information
diff -Nru node-ws-7.4.2+~cs18.0.8/debian/changelog node-ws-7.4.2+~cs18.0.8/debian/changelog
--- node-ws-7.4.2+~cs18.0.8/debian/changelog 2021-05-26 06:26:30.000000000 +0000
+++ node-ws-7.4.2+~cs18.0.8/debian/changelog 2025-06-26 17:37:00.000000000 +0000
@@ -1,3 +1,11 @@
+node-ws (7.4.2+~cs18.0.8-3+deb11u1) bullseye-security; urgency=medium
+
+ * Non-maintainer upload.
+ * Backport upstream patch for CVE-2024-37890 (DoS via uncaught exception).
+ - https://github.com/websockets/ws/commit/22c28763234aa75a7e1b76f5c01c181260d7917f
+
+ -- Yang Wang <yang.w...@windriver.com> Thu, 26 Jun 2025 13:37:00 -0400
+
 node-ws (7.4.2+~cs18.0.8-2) unstable; urgency=medium
 
 * Team upload
diff -Nru node-ws-7.4.2+~cs18.0.8/debian/patches/fix-cve-2024-37890.patch node-ws-7.4.2+~cs18.0.8/debian/patches/fix-cve-2024-37890.patch
--- node-ws-7.4.2+~cs18.0.8/debian/patches/fix-cve-2024-37890.patch 1970-01-01 00:00:00.000000000 +0000
+++ node-ws-7.4.2+~cs18.0.8/debian/patches/fix-cve-2024-37890.patch 2025-06-26 17:36:41.000000000 +0000
@@ -0,0 +1,160 @@
+Description: Backport upstream fix for CVE-2024-37890 (DoS via uncaught exception)
+ Backport of upstream commit 22c28763234aa75a7e1b76f5c01c181260d7917f
+Author: Yang Wang <yang.w...@windriver.com>
+Origin: upstream, backport
+Bug: https://github.com/websockets/ws/issues/2230
+Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2024-37890
+CVE: CVE-2024-37890
+Forwarded: yes
+Last-Update: 2025-06-26
+Applied-Upstream: 22c28763234aa75a7e1b76f5c01c181260d7917f
+
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+Index: node-ws-7.4.2+~cs18.0.8/lib/websocket-server.js
+===================================================================
+--- node-ws-7.4.2+~cs18.0.8.orig/lib/websocket-server.js
++++ node-ws-7.4.2+~cs18.0.8/lib/websocket-server.js
+@@ -185,12 +185,14 @@ class WebSocketServer extends EventEmitt
+ req.headers['sec-websocket-key'] !== undefined
+ ? req.headers['sec-websocket-key'].trim()
+ : false;
++ const upgrade = req.headers.upgrade;
+ const version = +req.headers['sec-websocket-version'];
+ const extensions = {};
+ 
+ if (
+ req.method !== 'GET' ||
+- req.headers.upgrade.toLowerCase() !== 'websocket' ||
++ upgrade === undefined ||
++ upgrade.toLowerCase() !== 'websocket' ||
+ !key ||
+ !keyRegex.test(key) ||
+ (version !== 8 && version !== 13) ||
+Index: node-ws-7.4.2+~cs18.0.8/lib/websocket.js
+===================================================================
+--- node-ws-7.4.2+~cs18.0.8.orig/lib/websocket.js
++++ node-ws-7.4.2+~cs18.0.8/lib/websocket.js
+@@ -620,6 +620,13 @@ function initAsClient(websocket, address
+ 
+ req = websocket._req = null;
+ 
++ const upgrade = res.headers.upgrade;
++
++ if (upgrade === undefined || upgrade.toLowerCase() !== 'websocket') {
++ abortHandshake(websocket, socket, 'Invalid Upgrade header');
++ return;
++ }
++
+ const digest = createHash('sha1')
+ .update(key + GUID)
+ .digest('base64');
+Index: node-ws-7.4.2+~cs18.0.8/test/websocket-server.test.js
+===================================================================
+--- node-ws-7.4.2+~cs18.0.8.orig/test/websocket-server.test.js
++++ node-ws-7.4.2+~cs18.0.8/test/websocket-server.test.js
+@@ -427,6 +427,47 @@ describe('WebSocketServer', () => {
+ });
+ 
+ describe('Connection establishing', () => {
++ it('fails if the Upgrade header field value cannot be read', (done) => {
++ const server = http.createServer();
++ const wss = new WebSocket.Server({ noServer: true });
++
++ server.maxHeadersCount = 1;
++
++ server.on('upgrade', (req, socket, head) => {
++ assert.deepStrictEqual(req.headers, { foo: 'bar' });
++ wss.handleUpgrade(req, socket, head, () => {
++ done(new Error('Unexpected callback invocation'));
++ });
++ });
++
++ server.listen(() => {
++ const req = http.get({
++ port: server.address().port,
++ headers: {
++ foo: 'bar',
++ bar: 'baz',
++ Connection: 'Upgrade',
++ Upgrade: 'websocket'
++ }
++ });
++
++ req.on('response', (res) => {
++ assert.strictEqual(res.statusCode, 400);
++
++ const chunks = [];
++
++ res.on('data', (chunk) => {
++ chunks.push(chunk);
++ });
++
++ res.on('end', () => {
++ assert.strictEqual(Buffer.concat(chunks).toString(), 'Bad Request');
++ server.close(done);
++ });
++ });
++ });
++ });
++
+ it('fails if the Sec-WebSocket-Key header is invalid (1/2)', (done) => {
+ const wss = new WebSocket.Server({ port: 0 }, () => {
+ const req = http.get({
+Index: node-ws-7.4.2+~cs18.0.8/test/websocket.test.js
+===================================================================
+--- node-ws-7.4.2+~cs18.0.8.orig/test/websocket.test.js
++++ node-ws-7.4.2+~cs18.0.8/test/websocket.test.js
+@@ -510,6 +510,52 @@ describe('WebSocket', () => {
+ beforeEach((done) => server.listen(0, done));
+ afterEach((done) => server.close(done));
+ 
++ it('fails if the Upgrade header field value cannot be read', (done) => {
++ server.once('upgrade', (req, socket) => {
++ socket.on('end', socket.end);
++ socket.write(
++ 'HTTP/1.1 101 Switching Protocols\r\n' +
++ 'Connection: Upgrade\r\n' +
++ 'Upgrade: websocket\r\n' +
++ '\r\n'
++ );
++ });
++
++ const ws = new WebSocket(`ws://localhost:${server.address().port}`);
++
++ ws._req.maxHeadersCount = 1;
++
++ ws.on('upgrade', (res) => {
++ assert.deepStrictEqual(res.headers, { connection: 'Upgrade' });
++
++ ws.on('error', (err) => {
++ assert.ok(err instanceof Error);
++ assert.strictEqual(err.message, 'Invalid Upgrade header');
++ done();
++ });
++ });
++ });
++
++ it('fails if the Upgrade header field value is not "websocket"', (done) => {
++ server.once('upgrade', (req, socket) => {
++ socket.on('end', socket.end);
++ socket.write(
++ 'HTTP/1.1 101 Switching Protocols\r\n' +
++ 'Connection: Upgrade\r\n' +
++ 'Upgrade: foo\r\n' +
++ '\r\n'
++ );
++ });
++
++ const ws = new WebSocket(`ws://localhost:${server.address().port}`);
++
++ ws.on('error', (err) => {
++ assert.ok(err instanceof Error);
++ assert.strictEqual(err.message, 'Invalid Upgrade header');
++ done();
++ });
++ });
++
+ it('fails if the Sec-WebSocket-Accept header is invalid', (done) => {
+ server.once('upgrade', (req, socket) => {
+ socket.on('end', socket.end);
diff -Nru node-ws-7.4.2+~cs18.0.8/debian/patches/series node-ws-7.4.2+~cs18.0.8/debian/patches/series
--- node-ws-7.4.2+~cs18.0.8/debian/patches/series 2021-05-26 06:21:49.000000000 +0000
+++ node-ws-7.4.2+~cs18.0.8/debian/patches/series 2025-06-26 17:35:23.000000000 +0000
@@ -1 +1,2 @@
 CVE-2021-32640.patch
+fix-cve-2024-37890.patch
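Review bot: The two new tests pin Node's header-truncation behaviour rather than ws's own logic: with `server.maxHeadersCount = 1` the server test asserts `req.headers` is exactly `{ foo: 'bar' }`, and with `ws._req.maxHeadersCount = 1` the client test asserts `{ connection: 'Upgrade' }`, so whether they pass depends on how bullseye's nodejs 12.22.12 (listed in the bug's dependency section) truncates request and response headers, which should be confirmed in a build-time test run before the upload. The code change itself looks complete for the visible condition: `sec-websocket-key` is already guarded by the `!== undefined` ternary and the unary `+` on `sec-websocket-version` cannot throw, so `upgrade` was the only unguarded `.toLowerCase()` in that expression. In the DEP-3 header, `Forwarded: yes` is an odd value for a patch declaring `Origin: upstream` and `Applied-Upstream` (the conventional value there is `not-needed`), and the `This patch header follows DEP-3` line sits below the `---` separator, i.e. in the patch body rather than the header. The server condition's enclosing method (the hunk header shows only the `WebSocketServer` class) and `initAsClient` both continue outside their hunks.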