Package: release.debian.org Severity: normal Tags: bookworm X-Debbugs-Cc: node-form-d...@packages.debian.org, y...@debian.org Control: affects -1 + src:node-form-data User: release.debian....@packages.debian.org Usertags: pu
[ Reason ] node-form-data is affected by an insufficiently random values vulnerability (#1109551, CVE-2025-7783) [ Impact ] Low-severity security issue [ Tests ] Test updated inside the patch [ Risks ] No risk, patch is trivial [ Checklist ] [X] *all* changes are documented in the d/changelog [X] I reviewed all changes and I approve them [X] attach debdiff against the package in (old)stable [X] the issue is verified as fixed in unstable [ Changes ] - Replace the use of "Math.random" with the builtin "crypto" module - Launch more tests during build/autopkgtest Cheers, Xavier
diff --git a/debian/changelog b/debian/changelog
index 6f6f3d7..bf5e7c8 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,12 @@
+node-form-data (4.0.1-1+deb12u1) bookworm; urgency=medium
+
+ * Team upload
+ * Fix "Insufficiently Random Values vulnerability"
+ (Closes: #1109551, CVE-2025-778)
+ * Launch more tests
+
+ -- Yadd <y...@debian.org> Thu, 24 Jul 2025 12:50:50 +0200
+
 node-form-data (4.0.1-1) unstable; urgency=medium
 
 * Team upload
diff --git a/debian/clean b/debian/clean
new file mode 100644
index 0000000..e72f68d
--- /dev/null
+++ b/debian/clean
@@ -0,0 +1 @@
+test/tmp/
diff --git a/debian/patches/CVE-2025-7783.patch b/debian/patches/CVE-2025-7783.patch
new file mode 100644
index 0000000..a8dc92b
--- /dev/null
+++ b/debian/patches/CVE-2025-7783.patch
@@ -0,0 +1,94 @@
+Description: Switch to using `crypto` random for boundary values
+Author: Ben Shonaldmann <b...@benweissmann.com>
+Origin: upstream, https://github.com/form-data/form-data/commit/3d172308
+Bug: <upstream-bugtracker-url>
+Bug-Debian: https://bugs.debian.org/1109551
+Forwarded: not-needed
+Applied-Upstream: 4.0.4, commit:3d172308
+Reviewed-By: Xavier Guimard <y...@debian.org>
+Last-Update: 2025-07-24
+
+--- a/lib/form_data.js
++++ b/lib/form_data.js
+@@ -6,6 +6,7 @@
+ var parseUrl = require('url').parse;
+ var fs = require('fs');
+ var Stream = require('stream').Stream;
++var crypto = require('crypto');
+ var mime = require('mime-types');
+ var asynckit = require('asynckit');
+ var populate = require('./populate.js');
+@@ -347,12 +348,7 @@
+ FormData.prototype._generateBoundary = function() {
+ // This generates a 50 character boundary similar to those used by Firefox.
+ // They are optimized for boyer-moore parsing.
+- var boundary = '--------------------------';
+- for (var i = 0; i < 24; i++) {
+- boundary += Math.floor(Math.random() * 10).toString(16);
+- }
+-
+- this._boundary = boundary;
++ this._boundary = '--------------------------' + crypto.randomUUID();
+ };
+ 
+ // Note: getLengthSync DOESN'T calculate streams length
+--- /dev/null
++++ b/test/integration/test-boundary-prediction.js
+@@ -0,0 +1,57 @@
++var common = require('../common');
++var assert = common.assert;
++var FormData = require(common.dir.lib + '/form_data');
++var predictV8Randomness = require('predict-v8-randomness');
++
++var initialSequence = [
++ Math.random(),
++ Math.random(),
++ Math.random(),
++ Math.random(),
++];
++var predictor = new predictV8Randomness.Predictor(initialSequence);
++
++predictor.predictNext(24).then(function (next24RandomOutputs) {
++ var predictedBoundary = next24RandomOutputs
++ .map(function (v) {
++ return Math.floor(v * 10).toString(16);
++ })
++ .join('');
++
++ var boundaryIntro = '----------------------------';
++
++ var payload =
++ 'zzz\r\n' +
++ boundaryIntro +
++ predictedBoundary +
++ '\r\nContent-Disposition: form-data; name="is_admin"\r\n\r\ntrue\r\n' +
++ boundaryIntro +
++ predictedBoundary +
++ '--\r\n';
++
++ var FIELDS = {
++ my_field: {
++ value: payload,
++ },
++ };
++
++ // count total
++ var fieldsPassed = Object.keys(FIELDS).length;
++
++ // prepare form-receiving http server
++ var server = common.testFields(FIELDS, function (fields) {
++ fieldsPassed = fields;
++ });
++
++ server.listen(common.port, function () {
++ var form = new FormData();
++
++ common.actions.populateFields(form, FIELDS);
++
++ common.actions.submit(form, server);
++ });
++
++ process.on('exit', function () {
++ assert.strictEqual(fieldsPassed, 0);
++ });
++});
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 0000000..78849cc
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1 @@
+CVE-2025-7783.patch
diff --git a/debian/tests/pkg-js/test b/debian/tests/pkg-js/test
index d6ccbd1..03c4342 100644
--- a/debian/tests/pkg-js/test
+++ b/debian/tests/pkg-js/test
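Review bot: The two comment lines kept as context above the new `this._boundary = '--------------------------' + crypto.randomUUID();` still describe a 50-character boundary, but 26 dashes plus a 36-character UUID give 62 characters and the UUID's own hyphens now sit inside the random part, so the comment should be updated to something like `// 26 dashes followed by a random UUID (62 characters); randomness comes from crypto, not Math.random`. The DEP-3 header still carries the template placeholder `Bug: <upstream-bugtracker-url>`, which should be filled in or dropped. The new test/integration/test-boundary-prediction.js requires `predict-v8-randomness`, which this debdiff neither packages nor lists in debian/tests/pkg-js/test, so as far as the diff shows the regression test never runs at build or autopkgtest time. `crypto.randomUUID()` needs Node.js 14.17+/15.6+, which bookworm's nodejs should satisfy, but it is worth confirming before upload. Separately, the changelog hunk writes the id as `CVE-2025-778` while the patch name, its header and this report all say CVE-2025-7783.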
@@ -1 +1,24 @@
-NODE_PATH=debian/tests/test_modules node test/common.js
+for test in \
+ test/common.js \
+ test/static.js \
+ test/integration/test-custom-content-type.js \
+ test/integration/test-submit-multi.js \
+ test/integration/test-errors.js \
+ test/integration/test-custom-headers-object.js \
+ test/integration/test-submit-multi-nocallback.js \
+ test/integration/test-custom-headers-string.js \
+ test/integration/test-submit-https.js \
+ test/integration/test-set-boundary.js \
+ test/integration/test-ranged-filestream.js \
+ test/integration/test-return-http-request.js \
+ test/integration/test-submit-readable-stream.js \
+ test/integration/test-form-get-length-sync.js \
+ test/integration/test-submit-url-parsing.js \
+ test/integration/test-last_boundary-line_break.js \
+ test/integration/test-get-buffer.js \
+ test/integration/test-options-override.js \
+ test/integration/test-to-string.js \
+ test/integration/test-form-get-length.js
+do
+ node $test
+done
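Review bot: The loop runs each test with `node $test` but never checks its exit status, so a failure in any test except the last one is masked and the script still reports success; change the body to `node "$test" || exit 1` (or put `set -e` before the loop). The removed line also exported `NODE_PATH=debian/tests/test_modules` and the new loop drops it; unless the pkg-js harness already adds that directory, tests that resolve modules from it will now fail with a missing-module error, so the prefix should presumably be kept on the `node` invocation. The newly added test/integration/test-boundary-prediction.js is absent from the list, presumably because predict-v8-randomness is not available; a one-line comment in the script saying so would spare the next maintainer the investigation.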