Version in base suite: 3.1.13+~3.1.11-2
Base version: node-mongodb_3.1.13+~3.1.11-2
Target version: node-mongodb_3.1.13+~3.1.11-2+deb10u1
Base file: /srv/ftp-master.debian.org/ftp/pool/main/n/node-mongodb/node-mongodb_3.1.13+~3.1.11-2.dsc
Target file: /srv/ftp-master.debian.org/policy/pool/main/n/node-mongodb/node-mongodb_3.1.13+~3.1.11-2+deb10u1.dsc

 changelog | 7 ++++
 patches/fix-json-parsing.diff | 73 ++++++++++++++++++++++++++++++++++++++++++
 patches/series | 1
 3 files changed, 81 insertions(+)

diff -Nru node-mongodb-3.1.13+~3.1.11/debian/changelog node-mongodb-3.1.13+~3.1.11/debian/changelog
--- node-mongodb-3.1.13+~3.1.11/debian/changelog 2019-02-27 05:31:17.000000000 +0000
+++ node-mongodb-3.1.13+~3.1.11/debian/changelog 2020-04-26 19:41:23.000000000 +0000
@@ -1,3 +1,10 @@
+node-mongodb (3.1.13+~3.1.11-2+deb10u1) buster; urgency=medium
+
+  * Throw if invalid _bsontype is detected
+    (Closes: CVE-2019-2391, CVE-2020-7610)
+
+ -- Xavier Guimard Sun, 26 Apr 2020 21:41:23 +0200
+
 node-mongodb (3.1.13+~3.1.11-2) unstable; urgency=medium
 
   * Remove bson tests (Closes: #923353)
diff -Nru node-mongodb-3.1.13+~3.1.11/debian/patches/fix-json-parsing.diff node-mongodb-3.1.13+~3.1.11/debian/patches/fix-json-parsing.diff
--- node-mongodb-3.1.13+~3.1.11/debian/patches/fix-json-parsing.diff 1970-01-01 00:00:00.000000000 +0000
+++ node-mongodb-3.1.13+~3.1.11/debian/patches/fix-json-parsing.diff 2020-04-26 19:41:23.000000000 +0000
@@ -0,0 +1,73 @@
+Description: throw if invalid _bsontype is detected
+ Closes: CVE-2019-2391, CVE-2020-7610
+Author: Matt Broadstone
+Bug: https://snyk.io/vuln/SNYK-JS-BSON-561052
+Forwarded: not-needed
+Reviewed-By: Xavier Guimard
+Last-Update: 2020-04-26
+
+--- a/bson/browser_build/bson.js
++++ b/bson/browser_build/bson.js
+@@ -17074,6 +17074,8 @@
+ index = serializeInt32(buffer, key, value, index, true);
+ } else if (value['_bsontype'] === 'MinKey' || value['_bsontype'] === 'MaxKey') {
+ index = serializeMinMax(buffer, key, value, index, true);
++ } else if (typeof value['_bsontype'] !== 'undefined') {
++ throw new TypeError('Unrecognized or invalid _bsontype: ' + value['_bsontype']);
+ }
+ }
+ } else if (object instanceof Map) {
+@@ -17152,6 +17154,8 @@
+ index = serializeInt32(buffer, key, value, index);
+ } else if (value['_bsontype'] === 'MinKey' || value['_bsontype'] === 'MaxKey') {
+ index = serializeMinMax(buffer, key, value, index);
++ } else if (typeof value['_bsontype'] !== 'undefined') {
++ throw new TypeError('Unrecognized or invalid _bsontype: ' + value['_bsontype']);
+ }
+ }
+ } else {
+@@ -17233,6 +17237,8 @@
+ index = serializeInt32(buffer, key, value, index);
+ } else if (value['_bsontype'] === 'MinKey' || value['_bsontype'] === 'MaxKey') {
+ index = serializeMinMax(buffer, key, value, index);
++ } else if (typeof value['_bsontype'] !== 'undefined') {
++ throw new TypeError('Unrecognized or invalid _bsontype: ' + value['_bsontype']);
+ }
+ }
+ }
+@@ -17745,4 +17751,4 @@
+ /***/ })
+ /******/ ])
+ });
+-;
+\ No newline at end of file
++;
+--- a/bson/lib/bson/parser/serializer.js
++++ b/bson/lib/bson/parser/serializer.js
+@@ -778,6 +778,8 @@
+ index = serializeInt32(buffer, key, value, index, true);
+ } else if (value['_bsontype'] === 'MinKey' || value['_bsontype'] === 'MaxKey') {
+ index = serializeMinMax(buffer, key, value, index, true);
++ } else if (typeof value['_bsontype'] !== 'undefined') {
++ throw new TypeError('Unrecognized or invalid 
_bsontype: ' + value['_bsontype']);
+ }
+ }
+ } else if (object instanceof Map) {
+@@ -876,6 +878,8 @@
+ index = serializeInt32(buffer, key, value, index);
+ } else if (value['_bsontype'] === 'MinKey' || value['_bsontype'] === 'MaxKey') {
+ index = serializeMinMax(buffer, key, value, index);
++ } else if (typeof value['_bsontype'] !== 'undefined') {
++ throw new TypeError('Unrecognized or invalid _bsontype: ' + value['_bsontype']);
+ }
+ }
+ } else {
+@@ -978,6 +982,8 @@
+ index = serializeInt32(buffer, key, value, index);
+ } else if (value['_bsontype'] === 'MinKey' || value['_bsontype'] === 'MaxKey') {
+ index = serializeMinMax(buffer, key, value, index);
++ } else if (typeof value['_bsontype'] !== 'undefined') {
++ throw new TypeError('Unrecognized or invalid _bsontype: ' + value['_bsontype']);
+ }
+ }
+ }
diff -Nru node-mongodb-3.1.13+~3.1.11/debian/patches/series node-mongodb-3.1.13+~3.1.11/debian/patches/series
--- node-mongodb-3.1.13+~3.1.11/debian/patches/series 2019-02-27 05:27:53.000000000 +0000
+++ node-mongodb-3.1.13+~3.1.11/debian/patches/series 2020-04-26 19:41:23.000000000 +0000
@@ -1,2 +1,3 @@
 remove-privacy-leak.patch
 remove-dependency-versions.patch
+fix-json-parsing.diff
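Review bot: The new `else if (typeof value['_bsontype'] !== 'undefined')` guard added at the tail of each of the three dispatch chains (serializer.js hunks at 778, 878 and 982, mirrored in the browser bundle) rejects only a `_bsontype` that matches none of the recognized names, so a plain object from `JSON.parse` that claims a recognized name with attacker-chosen fields still takes the earlier type-specific branch outside the hunk — the visible `value['_bsontype'] === 'MinKey'` test dispatches purely on the string, and presumably the ObjectID/Binary branches above it do the same — which closes the silent-drop case behind the two CVEs but does not make `_bsontype` on untrusted input safe in general, so callers should still strip or validate that key before handing external JSON to the driver. Because the `throw new TypeError(...)` fires synchronously inside `serialize`, this stable update turns a formerly silent mis-serialization into an exception that propagates into driver calls such as inserts; that is the right outcome, but it is a behaviour change that deserves a line in the changelog or a NEWS entry. I would put a why-comment above each new branch, `// _bsontype is set but names no known BSON type: refuse rather than silently emitting it as a plain document (CVE-2019-2391, CVE-2020-7610)`, and note in the patch header that `bson/browser_build/bson.js` is a generated bundle edited by hand and must be kept in step with `serializer.js`. The enclosing serialize function starts and ends outside every hunk shown.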