Package: release.debian.org Severity: normal User: release.debian....@packages.debian.org Usertags: unblock X-Debbugs-Cc: node-ua-parser...@packages.debian.org Control: affects -1 + src:node-ua-parser-js
Please unblock package node-ua-parser-js [ Reason ] node-ua-parser-js is vulnerable to a Regex DoS (CVE-2022-25927) [ Impact ] Low-severity security issue [ Tests ] No new test; the existing tests still pass [ Risks ] No risk; the patch is trivial [ Checklist ] [X] all changes are documented in the d/changelog [X] I reviewed all changes and I approve them [X] attach debdiff against the package in testing Cheers, Yadd unblock node-ua-parser-js/0.8.1+ds+~0.7.36-3
diff --git a/debian/changelog b/debian/changelog
index 97dc70f..fe75bc4 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+node-ua-parser-js (0.8.1+ds+~0.7.36-3) unstable; urgency=medium
+
+ * Team upload
+ * Update standards version to 4.6.2, no changes needed.
+ * Remove unsafe and ueless regex (Closes: CVE-2022-25927)
+
+ -- Yadd <y...@debian.org> Sun, 09 Apr 2023 07:47:39 +0400
+
 node-ua-parser-js (0.8.1+ds+~0.7.36-2) unstable; urgency=medium
 [ Debian Janitor ]
diff --git a/debian/control b/debian/control
index a65ee3c..5156727 100644
--- a/debian/control
+++ b/debian/control
@@ -10,7 +10,7 @@ Build-Depends: debhelper-compat (= 13)
 , node-requirejs <!nocheck>
 , node-safe-regex <!nocheck>
 , terser
-Standards-Version: 4.6.1
+Standards-Version: 4.6.2
 Vcs-Browser: https://salsa.debian.org/js-team/node-ua-parser-js
 Vcs-Git: https://salsa.debian.org/js-team/node-ua-parser-js.git
 Homepage: https://github.com/faisalman/ua-parser-js
diff --git a/debian/patches/CVE-2022-25927.patch b/debian/patches/CVE-2022-25927.patch
new file mode 100644
index 0000000..23e19bd
--- /dev/null
+++ b/debian/patches/CVE-2022-25927.patch
@@ -0,0 +1,22 @@
+Description: Remove unsafe regex in trim() function
+ `trim()` function contains a regular expression that is vulnerable to
+ ReDoS but was uncaught by `safe-regex` module
+Author: Faisal Salman <f...@faisalman.com>
+Origin: upstream, https://github.com/faisalman/ua-parser-js/commit/a6140a17
+Bug: https://security.snyk.io/vuln/SNYK-JS-UAPARSERJS-3244450
+Forwarded: not-needed
+Applied-Upstream: 1.0.33, commit:a6140a17
+Reviewed-By: Yadd <y...@debian.org>
+Last-Update: 2023-04-09
+
+--- a/src/ua-parser.js
++++ b/src/ua-parser.js
+@@ -92,7 +92,7 @@
+ },
+ trim = function (str, len) {
+ if (typeof(str) === STR_TYPE) {
+- str = str.replace(/^\s\s*/, EMPTY).replace(/\s\s*$/, EMPTY);
++ str = str.replace(/^\s\s*/, EMPTY);
+ return typeof(len) === UNDEF_TYPE ? str : str.substring(0, UA_MAX_LENGTH);
+ }
+ };
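Review bot: The new line `str = str.replace(/^\s\s*/, EMPTY);` in CVE-2022-25927.patch drops the trailing-whitespace trim without the DEP-3 header saying so, so any caller that relied on `trim()` stripping both ends now sees strings that may end in whitespace; the Description field should record this, e.g. `Only the leading trim is kept: /^\s\s*/ is start-anchored and runs in linear time, whereas the unanchored /\s\s*$/ backtracked quadratically on long whitespace runs, so trailing whitespace is no longer stripped.`. The surviving regex being anchored at the start is what makes this a fix rather than a relocation of the problem, and that reasoning belongs in the header so the next reviewer does not have to rederive it. The context line `return typeof(len) === UNDEF_TYPE ? str : str.substring(0, UA_MAX_LENGTH);` tests `len` but truncates to `UA_MAX_LENGTH`; that appears to be pre-existing upstream code rather than part of this patch, but since the truncation is now the only bound on the string it is worth a follow-up note. The unblock request says no test was added, and the header itself states `safe-regex` missed this pattern, so a small regression test that feeds `trim()` a long whitespace run and asserts a prompt return with leading whitespace removed would be the cheapest guard against reintroduction. The enclosing `var` declaration list (the `},` before `trim` and whatever follows `};`) lies outside the nested hunk.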
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 0000000..8115996
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1 @@
+CVE-2022-25927.patch