Here is the missing debdiff
diff --git a/debian/changelog b/debian/changelog
index d8d3387..20f5a00 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+node-ws (1.1.0+ds1.e6ddaae4-5+deb10u1) buster; urgency=medium
+
+ * Team upload
+ * Fix ReDoS vulnerability (Closes: CVE-2021-32640)
+
+ -- Yadd <y...@debian.org> Wed, 26 May 2021 12:33:11 +0200
+
 node-ws (1.1.0+ds1.e6ddaae4-5) unstable; urgency=medium
 * Add upstream/metadata
diff --git a/debian/patches/CVE-2021-32640.patch b/debian/patches/CVE-2021-32640.patch
new file mode 100644
index 0000000..fd4c9dc
--- /dev/null
+++ b/debian/patches/CVE-2021-32640.patch
@@ -0,0 +1,49 @@
+Description: Fix ReDoS vulnerability
+ A specially crafted value of the `Sec-Websocket-Protocol` header could
+ be used to significantly slow down a ws server.
+ .
+ PoC and fix were sent privately by Robert McLaughlin from University of
+ California, Santa Barbara.
+Author: Luigi Pinca <luigipi...@gmail.com>
+Origin: upstream, https://github.com/websockets/ws/commit/00c425e
+Bug: https://github.com/websockets/ws/security/advisories/GHSA-6fc8-4gx4-v693
+Forwarded: not-needed
+Reviewed-By: Yadd <y...@debian.org>
+Last-Update: 2021-05-26
+
+--- a/lib/WebSocketServer.js
++++ b/lib/WebSocketServer.js
+@@ -289,7 +289,7 @@
+ var completeHybiUpgrade1 = function() {
+ // choose from the sub-protocols
+ if (typeof self.options.handleProtocols == 'function') {
+- var protList = (protocols || "").split(/, */);
++ var protList = (protocols || "").split(',').map(trim);
+ var callbackCalled = false;
+ var res = self.options.handleProtocols(protList, function(result, protocol) {
+ callbackCalled = true;
+@@ -303,7 +303,7 @@
+ return;
+ } else {
+ if (typeof protocols !== 'undefined') {
+- completeHybiUpgrade2(protocols.split(/, */)[0]);
++ completeHybiUpgrade2(protocols.split(',').map(trim)[0]);
+ }
+ else {
+ completeHybiUpgrade2();
+@@ -552,3 +552,15 @@
+ try { socket.destroy(); } catch (e) {}
+ }
+ }
++
++/**
++ * Remove whitespace characters from both ends of a string.
++ *
++ * @param {String} str The string
++ * @return {String} A new string representing `str` stripped of whitespace
++ * characters from both its beginning and end
++ * @private
++ */
++function trim(str) {
++ return str.trim();
++}
diff --git a/debian/patches/series b/debian/patches/series
index 0556eb7..e5cc10a 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -5,3 +5,4 @@ disable-debian-failing-tests
 fix-failing-tests
 increase-test-timeout
 node-ads-120.diff
+CVE-2021-32640.patch
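Review bot: The second call site in the embedded lib/WebSocketServer.js patch trims every protocol token only to keep the first one, `protocols.split(',').map(trim)[0]`; `protocols.split(',', 1)[0].trim()` yields the same string (`''.split(',', 1)` still returns `['']`) without allocating and trimming the whole list for a long header. The `trim` helper is a hoisted function declaration appended after the file's last block, which is why the earlier call sites can reach it; whether the file already binds a `trim` elsewhere is not visible here and would need checking. Neither call site drops empty tokens, so `handleProtocols` may still receive `''` entries for an input like `a,,b`, the same as with the old regex split; a one-line why-comment at the first call site, such as `// literal comma split plus trim replaces the regex split; see the patch header (CVE-2021-32640)`, would keep the reason for the change next to the code. The enclosing `completeHybiUpgrade1` function starts before and ends after the hunk.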