Debian Bug report logs - #925571
node-opencv: CVE-2019-10061
Reported by: Salvatore Bonaccorso <carnil@debian.org>
Date: Tue, 26 Mar 2019 22:21:02 UTC
Severity: important
Tags: security, upstream
Found in version node-opencv/6.0.0+git20180416.cfc96ba0-2
Fixed in version node-opencv/6.0.0+git20180416.cfc96ba0-3
Done: Utkarsh Gupta <guptautkarsh4102@gmail.com>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>: Bug#925571; Package src:node-opencv. (Tue, 26 Mar 2019 22:21:04 GMT)
Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>: New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>. (Tue, 26 Mar 2019 22:21:04 GMT)
Message #5 received at submit@bugs.debian.org:
Source: node-opencv
Version: 6.0.0+git20180416.cfc96ba0-2
Severity: important
Tags: security upstream
Hi,
The following vulnerability was published for node-opencv.
CVE-2019-10061[0]:
| utils/find-opencv.js in node-opencv (aka OpenCV bindings for Node.js)
| prior to 6.1.0 is vulnerable to Command Injection. It does not
| validate user input allowing attackers to execute arbitrary commands.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2019-10061
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10061
[1] https://www.npmjs.com/advisories/789
Regards,
Salvatore
Message sent on to Salvatore Bonaccorso <carnil@debian.org>: Bug#925571. (Wed, 27 Mar 2019 05:54:03 GMT)
Message #8 received at 925571-submitter@bugs.debian.org:
Control: tag -1 pending
Hello,
Bug #925571 in node-opencv reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:
https://salsa.debian.org/js-team/node-opencv/commit/d1e67fde5babbec3e0195ad3205bedda82db6ae1
------------------------------------------------------------------------
CVE patch: Add commit reference
Closes: #925571
------------------------------------------------------------------------
(this message was generated automatically)
--
Greetings
https://bugs.debian.org/925571
Added tag(s) pending. Request was from Xavier Guimard <noreply@salsa.debian.org> to 925571-submitter@bugs.debian.org. (Wed, 27 Mar 2019 05:54:03 GMT)
Reply sent to Utkarsh Gupta <guptautkarsh4102@gmail.com>: You have taken responsibility. (Wed, 27 Mar 2019 06:39:07 GMT)
Notification sent to Salvatore Bonaccorso <carnil@debian.org>: Bug acknowledged by developer. (Wed, 27 Mar 2019 06:39:07 GMT)
Message #15 received at 925571-close@bugs.debian.org:
Source: node-opencv
Source-Version: 6.0.0+git20180416.cfc96ba0-3
We believe that the bug you reported is fixed in the latest version of
node-opencv, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 925571@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Utkarsh Gupta <guptautkarsh4102@gmail.com> (supplier of updated node-opencv package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Wed, 27 Mar 2019 04:27:41 +0530
Source: node-opencv
Architecture: source
Version: 6.0.0+git20180416.cfc96ba0-3
Distribution: unstable
Urgency: medium
Maintainer: Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>
Changed-By: Utkarsh Gupta <guptautkarsh4102@gmail.com>
Closes: 924462 925571
Changes:
node-opencv (6.0.0+git20180416.cfc96ba0-3) unstable; urgency=medium
.
* Team upload
.
[ Xavier Guimard ]
* Add dh_installexamples -Xtmp/ to make build reproductible. Thanks to
Chris Lamb (Closes: #924462)
.
[ Utkarsh Gupta ]
* Add patch to fix CVE-2019-10061 (Closes: #925571)
Checksums-Sha1:
448f68ab1012a5cd776ef4512f91ac07ed63e1cf 2268 node-opencv_6.0.0+git20180416.cfc96ba0-3.dsc
d165adf379adb89821c78fbc9805ea56ee8d66bc 6604 node-opencv_6.0.0+git20180416.cfc96ba0-3.debian.tar.xz
Checksums-Sha256:
80c41f7339d44192beb4c24950739c6406bd7d297ffede8b57657755f478e65b 2268 node-opencv_6.0.0+git20180416.cfc96ba0-3.dsc
46d079ee8b21aee25a32dc86d1a529298f8a7b9f4beb57ae50a9eb90e7693a3d 6604 node-opencv_6.0.0+git20180416.cfc96ba0-3.debian.tar.xz
Files:
bbc4614acbd79a6cf21b26a987d69788 2268 javascript optional node-opencv_6.0.0+git20180416.cfc96ba0-3.dsc
e36834ac3d89a62afccbd200de69cb43 6604 javascript optional node-opencv_6.0.0+git20180416.cfc96ba0-3.debian.tar.xz
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 29 Apr 2019 07:31:32 GMT)
Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 16:09:00 2019