Package: release.debian.org Severity: normal Tags: buster User: release.debian....@packages.debian.org Usertags: pu
[ Reason ] Another regex denial of service [ Impact ] Medium vulnerability [ Tests ] test passed [ Risks ] No risk, patch is trivial [ Checklist ] [X] *all* changes are documented in the d/changelog [X] I reviewed all changes and I approve them [X] attach debdiff against the package in (old)stable [X] the issue is verified as fixed in unstable [ Changes ] Use trim() instead of a regex Cheers, Yadd
diff --git a/debian/changelog b/debian/changelog
index 88ae229..d73d015 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+node-axios (0.17.1+dfsg-2+deb10u1) buster; urgency=medium
+
+ * Team upload
+ * Fix reDoS (Closes: CVE-2021-3749)
+
+ -- Yadd <y...@debian.org> Sat, 18 Sep 2021 07:31:53 +0200
+
 node-axios (0.17.1+dfsg-2) unstable; urgency=medium
 * Team upload
diff --git a/debian/patches/CVE-2021-3749.patch b/debian/patches/CVE-2021-3749.patch
new file mode 100644
index 0000000..802174f
--- /dev/null
+++ b/debian/patches/CVE-2021-3749.patch
@@ -0,0 +1,19 @@
+Description: fix ReDoS
+Author: ready-research <72916209+ready-resea...@users.noreply.github.com>
+Origin: upstream, https://github.com/axios/axios/commit/eef56014
+Bug: https://github.com/axios/axios/pull/3980
+Forwarded: not-needed
+Reviewed-By: Yadd <y...@debian.org>
+Last-Update: 2021-09-18
+
+--- a/lib/utils.js
++++ b/lib/utils.js
+@@ -162,7 +162,7 @@
+ * @returns {String} The String freed of excess whitespace
+ */
+ function trim(str) {
+- return str.replace(/^\s*/, '').replace(/\s*$/, '');
++ return str.trim ? str.trim() : str.replace(/^\s+|\s+$/g, '');
+ }
+
+ /**
diff --git a/debian/patches/series b/debian/patches/series
index 877fd7a..1f39c51 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,3 +1,4 @@
 skip-unneeded-modules.patch
 use-webpack3.patch
 CVE-2019-10742.diff
+CVE-2021-3749.patch
diff --git a/debian/patches/skip-unneeded-modules.patch b/debian/patches/skip-unneeded-modules.patch
index 9c63950..6f69f30 100644
--- a/debian/patches/skip-unneeded-modules.patch
+++ b/debian/patches/skip-unneeded-modules.patch
@@ -2,7 +2,7 @@ These are optional modules
 --- a/package.json
 +++ b/package.json
-@@ -38,10 +38,6 @@
+@@ -39,10 +39,6 @@
 "grunt-cli": "^1.2.0",
 "grunt-contrib-clean": "^1.0.0",
 "grunt-contrib-nodeunit": "^1.0.0",
diff --git a/debian/patches/use-webpack3.patch b/debian/patches/use-webpack3.patch
index 43e264b..8f140f7 100644
--- a/debian/patches/use-webpack3.patch
+++ b/debian/patches/use-webpack3.patch
@@ -10,7 +10,7 @@ Subject: [PATCH] Updating webpack to v3.x
 --- a/package.json
 +++ b/package.json
-@@ -38,7 +38,7 @@
+@@ -39,7 +39,7 @@
 "grunt-cli": "^1.2.0",
 "grunt-contrib-clean": "^1.0.0",
 "grunt-contrib-nodeunit": "^1.0.0",
@@ -19,7 +19,7 @@ Subject: [PATCH] Updating webpack to v3.x
 "istanbul-instrumenter-loader": "^1.0.0",
 "jasmine-core": "^2.4.1",
 "karma": "^1.3.0",
-@@ -58,10 +58,10 @@
+@@ -59,10 +59,10 @@
 "minimist": "^1.2.0",
 "phantomjs-prebuilt": "^2.1.7",
 "sinon": "^1.17.4",
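Review bot: The fallback branch on the new line of the CVE-2021-3749.patch hunk, `str.replace(/^\s+|\s+$/g, '')`, still backtracks quadratically on a long run of whitespace that is not at the end of the string, because the `\s+$` alternative is retried from every whitespace position — the same behaviour class as the `/\s*$/` being removed. It is only reached when `String.prototype.trim` is absent, which no Node or browser engine in buster lacks, so the fix is effective in practice, but the fallback should not be read as ReDoS-safe; a comment such as `// fallback for pre-ES5 engines only; still quadratic on pathological input` on that line would make the guarantee explicit. The `str.trim ?` check keeps the previous behaviour of throwing on non-string input, so callers are unaffected. The JSDoc block for `trim` begins above the hunk.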