Version in base suite: 5.0.0+ds1-1+deb11u1 Base version: node-sqlite3_5.0.0+ds1-1+deb11u1 Target version: node-sqlite3_5.0.0+ds1-1+deb11u2 Base file: /srv/ftp-master.debian.org/ftp/pool/main/n/node-sqlite3/node-sqlite3_5.0.0+ds1-1+deb11u1.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/n/node-sqlite3/node-sqlite3_5.0.0+ds1-1+deb11u2.dsc changelog | 7 +++++ patches/CVE-2022-43441.patch | 53 +++++++++++++++++++++++++++++++++++++++++++ patches/series | 1 3 files changed, 61 insertions(+)
diff -Nru node-sqlite3-5.0.0+ds1/debian/changelog node-sqlite3-5.0.0+ds1/debian/changelog
--- node-sqlite3-5.0.0+ds1/debian/changelog 2022-05-01 15:33:33.000000000 +0000
+++ node-sqlite3-5.0.0+ds1/debian/changelog 2023-03-14 03:15:15.000000000 +0000
@@ -1,3 +1,10 @@
+node-sqlite3 (5.0.0+ds1-1+deb11u2) bullseye-security; urgency=medium
+
+ * Team upload
+ * Fix code execution vulnerability (Closes CVE-2022-43441)
+
+ -- Yadd Tue, 14 Mar 2023 07:15:15 +0400
+
 node-sqlite3 (5.0.0+ds1-1+deb11u1) bullseye; urgency=medium
 
 * Team upload
diff -Nru node-sqlite3-5.0.0+ds1/debian/patches/CVE-2022-43441.patch node-sqlite3-5.0.0+ds1/debian/patches/CVE-2022-43441.patch
--- node-sqlite3-5.0.0+ds1/debian/patches/CVE-2022-43441.patch 1970-01-01 00:00:00.000000000 +0000
+++ node-sqlite3-5.0.0+ds1/debian/patches/CVE-2022-43441.patch 2023-03-14 03:15:15.000000000 +0000
@@ -0,0 +1,53 @@
+Description: Fixed code execution vulnerability due to Object coercion
+ - when you call `ToString()` on `Napi::Value`, it calls
+ `napi_coerce_to_string` underneath, which has the ability to run
+ arbitrary JS code if the passed in value is a crafted object
+ - both remote code execution or denial-of-service are possible via
+ this vulnerability
+ - `toString()` on an Object returns `[object Object]` so instead of
+ calling the function, we're going to hardcode it to prevent this
+ issue
+ .
+ Credits: Dave McDaniel of Cisco Talos
+Author: Daniel Lockyer
+Origin: upstream, https://github.com/TryGhost/node-sqlite3/commit/edb1934d
+Bug: https://github.com/TryGhost/node-sqlite3/security/advisories/GHSA-jqv5-7xpx-qj74
+Forwarded: not-needed
+Applied-Upstream: version 5.1.5, commit edb1934d
+Reviewed-By: Yadd
+Last-Update: 2023-03-14
+
+--- a/src/statement.cc
++++ b/src/statement.cc
+@@ -210,7 +210,7 @@
+ return new Values::Float(pos, source.ToNumber().DoubleValue());
+ }
+ else if (source.IsObject()) {
+- Napi::String napiVal = source.ToString();
++ Napi::String napiVal = Napi::String::New(source.Env(), "[object Object]");
+ // Check whether toString returned a value that is not undefined.
+ if(napiVal.Type() == 0) {
+ return NULL;
+--- a/test/other_objects.test.js
++++ b/test/other_objects.test.js
+@@ -95,4 +95,20 @@
+ });
+ });
+
++ it('should ignore faulty toString in array', function(done) {
++ const faulty = [[{toString: null}], 1];
++ db.all('SELECT * FROM txt_table WHERE txt = ? LIMIT ?', faulty, function (err) {
++ assert.equal(err, null);
++ done();
++ });
++ });
++
++ it('should ignore faulty toString set to function', function(done) {
++ const faulty = [[{toString: function () {console.log('oh no');}}], 1];
++ db.all('SELECT * FROM txt_table WHERE txt = ? LIMIT ?', faulty, function (err) {
++ assert.equal(err, undefined);
++ done();
++ });
++ });
++
+ });
diff -Nru node-sqlite3-5.0.0+ds1/debian/patches/series node-sqlite3-5.0.0+ds1/debian/patches/series
--- node-sqlite3-5.0.0+ds1/debian/patches/series 2022-05-01 15:33:33.000000000 +0000
+++ node-sqlite3-5.0.0+ds1/debian/patches/series 2023-03-14 03:15:15.000000000 +0000
@@ -1,2 +1,3 @@
 disable-hard-test.patch
 CVE-2022-21227.patch
+CVE-2022-43441.patch
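Review bot: The `napiVal.Type() == 0` guard kept as context under the new `Napi::String::New(source.Env(), "[object Object]")` line in src/statement.cc should no longer be reachable, and its comment still says it checks what toString returned, which will mislead the next reader about whether caller-supplied code runs here. I would drop the guard, or at least replace the comment with `// Objects are bound as the literal "[object Object]"; the caller's toString() is deliberately never invoked (CVE-2022-43441).` The enclosing function starts and ends outside the hunk, so it is not visible whether arrays or other object kinds are handled before this branch; if they are not, they are now bound as the same fixed text. In test/other_objects.test.js the second new test only checks that `err` is empty, so it would presumably still pass if the supplied `toString` were called; having that function set a flag and adding `assert.equal(called, false);` inside the callback would pin the fix.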