fix(node-on-headers): CVE-2025-7339

debian/changelog

@@ -1,4 +1,15 @@
-node-on-headers (1.0.2-2) unstable; urgency=medium
+node-on-headers (1.0.2-2deepin1) unstable; urgency=medium
+
+  * fix: CVE-2025-7339 - fix array handling in setHeadersFromArray
+    - A bug in on-headers versions <1.1.0 may result in response headers
+      being inadvertently modified when an array is passed to
+      response.writeHead()
+    - This fix properly handles both 1D and 2D header arrays
+    - Includes upstream test coverage for 1D flat arrays and malformed arrays
+    - Upstream: https://github.com/jshttp/on-headers/commit/c6e384908c9c6127d18831d16ab0bd96e1231867
+
+ -- deepin-ci-robot <packages@deepin.org>  Tue, 06 May 2026 17:45:00 +0800
+
 
   [ Utkarsh Gupta ]
   * Add myself as an uploader

debian/patches/CVE-2025-7339.patch

@@ -0,0 +1,112 @@
+From c6e384908c9c6127d18831d16ab0bd96e1231867 Mon Sep 17 00:00:00 2001
+From: ctcpip <ctcpip@users.noreply.github.com>
+Date: Fri, 20 Jun 2025 16:12:55 -0500
+Subject: fix array handling in setHeadersFromArray
+Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2025-7339
+
+Fix CVE-2025-7339: A bug in on-headers versions <1.1.0 may result in
+response headers being inadvertently modified when an array is passed
+to response.writeHead().
+
+This fix properly handles both 1D and 2D header arrays, and adds
+comprehensive test coverage for the new behavior.
+
+Upstream: https://github.com/jshttp/on-headers/commit/c6e384908c9c6127d18831d16ab0bd96e1231867
+
+---
+diff --git a/index.js b/index.js
+index 7db6375..4baca72 100644
+--- a/index.js
++++ b/index.js
+@@ -74,8 +74,20 @@ function onHeaders (res, listener) {
+  */
+
+ function setHeadersFromArray (res, headers) {
+-  for (var i = 0; i < headers.length; i++) {
+-    res.setHeader(headers[i][0], headers[i][1])
++  if (headers.length && Array.isArray(headers[0])) {
++    // 2D
++    for (var i = 0; i < headers.length; i++) {
++      res.setHeader(headers[i][0], headers[i][1])
++    }
++  } else {
++    if (headers.length % 2 !== 0) {
++      throw new TypeError('headers array is malformed')
++    }
++
++    // 1D
++    for (var j = 0; j < headers.length; j += 2) {
++      res.setHeader(headers[j], headers[j + 1])
++    }
+   }
+ }
+
+diff --git a/test/test.js b/test/test.js
+index b45f4f8..19ec554 100644
+--- a/test/test.js
++++ b/test/test.js
+@@ -278,6 +278,64 @@ describe('onHeaders(res, listener)', function () {
+         .expect(201, done)
+     })
+   })
++
++  describe('writeHead(status, flat arr)', function () {
++    it('should be available in listener', function (done) {
++      var server = createServer(listener, handler)
++
++      function handler (req, res) {
++        res.writeHead(201, ['X-Outgoing', 'test'])
++      }
++
++      function listener (req, res) {
++        this.setHeader('X-Status', this.statusCode)
++        this.setHeader('X-Outgoing-Echo', this.getHeader('X-Outgoing'))
++      }
++
++      request(server)
++        .get('/')
++        .expect('X-Status', '201')
++        .expect('X-Outgoing-Echo', 'test')
++        .expect(201, done)
++    })
++  })
++
++  describe('writeHead(status, invalid flat arr)', function () {
++    it('should throw on malformed array', function (done) {
++      var server = createServer(listener, handler)
++
++      function handler (req, res) {
++        assert.throws(function () {
++          res.writeHead(201, ['foo', 'bar', 'baz'])
++        },
++        TypeError)
++      }
++
++      function listener (req, res) {
++      }
++
++      // gets a 200 here because we caught the error via assert.throws
++      request(server)
++        .get('/')
++        .expect(200, done)
++    })
++
++    it('should return 500 on malformed array', function (done) {
++      var server = createServer(listener, handler)
++
++      function handler (req, res) {
++        res.writeHead(201, ['foo', 'bar', 'baz'])
++        res.end('no soup for you!')
++      }
++
++      function listener (req, res) {
++      }
++
++      request(server)
++        .get('/')
++        .expect(500, done)
++    })
++  })
+ })
+
+ function createServer (listener, handler) {

debian/patches/series

@@ -0,0 +1 @@
+CVE-2025-7339.patch