Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian....@packages.debian.org
Usertags: pu
X-Debbugs-Cc: pkg-javascript-de...@lists.alioth.debian.org
[ Reason ]
node-hosted-git-info is vulnerable to RegExp Denial of Service

[ Impact ]
Medium security risk

[ Tests ]
Upstream tests still pass with this patch

[ Risks ]
Trivial change

[ Checklist ]
[X] *all* changes are documented in the d/changelog
[X] I reviewed all changes and I approve them
[X] attach debdiff against the package in (old)stable
[X] the issue is verified as fixed in unstable

[ Changes ]
The shortcutMatch regex is cut in two pieces:
- a simpler regexp
- a distinct change to remove the .git suffix

Cheers,
Yadd
diff --git a/debian/changelog b/debian/changelog index b4038a0..f8baeef 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +node-hosted-git-info (2.7.1-1+deb10u1) buster; urgency=medium + + * Team upload + * Fix ReDoS risk (Closes: CVE-2021-23362) + + -- Yadd <y...@debian.org> Fri, 26 Mar 2021 15:17:21 +0100 + node-hosted-git-info (2.7.1-1) unstable; urgency=medium * New upstream version 2.7.1 diff --git a/debian/patches/CVE-2021-23362.patch b/debian/patches/CVE-2021-23362.patch new file mode 100644 index 0000000..cadac62 --- /dev/null +++ b/debian/patches/CVE-2021-23362.patch @@ -0,0 +1,28 @@ +Description: avoid ReDoS +Author: nlf <quitla...@gmail.com> +Origin: upstream, https://github.com/npm/hosted-git-info/commit/bede0dc3 +Bug: https://snyk.io/vuln/SNYK-JS-HOSTEDGITINFO-1088355 +Forwarded: not-needed +Reviewed-By: Xavier Guimard <y...@debian.org> +Last-Update: 2021-03-26 + +--- a/index.js ++++ b/index.js +@@ -42,7 +42,7 @@ + isGitHubShorthand(giturl) ? 'github:' + giturl : giturl + ) + var parsed = parseGitUrl(url) +- var shortcutMatch = url.match(new RegExp('^([^:]+):(?:(?:[^@:]+(?:[^@]+)?@)?([^/]*))[/](.+?)(?:[.]git)?($|#)')) ++ var shortcutMatch = url.match(/^([^:]+):(?:[^@]+@)?(?:([^/]*)\/)?([^#]+)/) + var matches = Object.keys(gitHosts).map(function (gitHostName) { + try { + var gitHostInfo = gitHosts[gitHostName] +@@ -56,7 +56,7 @@ + var defaultRepresentation = null + if (shortcutMatch && shortcutMatch[1] === gitHostName) { + user = shortcutMatch[2] && decodeURIComponent(shortcutMatch[2]) +- project = decodeURIComponent(shortcutMatch[3]) ++ project = decodeURIComponent(shortcutMatch[3].replace(/\.git$/, '')) + defaultRepresentation = 'shortcut' + } else { + if (parsed.host && parsed.host !== gitHostInfo.domain && parsed.host.replace(/^www[.]/, '') !== gitHostInfo.domain) return diff --git a/debian/patches/series b/debian/patches/series new file mode 100644 index 0000000..cc0f664 --- /dev/null +++ b/debian/patches/series 
@@ -0,0 +1 @@ +CVE-2021-23362.patch
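Review bot: in the debian/changelog hunk, `Closes: CVE-2021-23362` closes nothing, because the BTS only recognises Debian bug numbers after `Closes:` (the `Closes: #NNNNNN` form) and ignores a CVE identifier there. Write the CVE plainly, e.g. `* Fix ReDoS risk (CVE-2021-23362)`, and add a `Closes: #NNNNNN` only if a Debian bug has been filed for this issue; the security tracker picks the CVE up from the changelog text either way.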
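Review bot: in the first index.js hunk, the new pattern changes what counts as a shortcut, not only how fast it matches: `(?:([^/]*)\/)?` makes the `user/` segment optional, so an input such as `github:foo` with no slash, which the old `[/]` rejected, now matches with `shortcutMatch[2]` undefined and `defaultRepresentation = 'shortcut'` instead of falling through to the `else` branch. The `shortcutMatch[2] && decodeURIComponent(...)` guard copes with the undefined group, but please confirm this widening is what the referenced upstream commit intends rather than a side effect of the backport. On the security side the change does what it claims: the removed `(?:[^@:]+(?:[^@]+)?@)?` nests two overlapping quantifiers, so a long shortcut with no `@` made the engine try every split between them before giving up, while the replacement `(?:[^@]+@)?` backtracks once per character.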
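As an added illustration that is not part of the debdiff or of hosted-git-info itself, the following Node.js script puts the two `shortcutMatch` patterns from the hunk side by side. It checks that ordinary shortcut URLs parse identically before and after the change (including the `.git` suffix that the second hunk now strips with a separate `replace`), shows the one input shape the new pattern accepts where the old one returned no match, and times both patterns on a constructed long input with no `@` or `/`, the shape that makes the old nested `[^@:]+(?:[^@]+)?@` group backtrack. `parseShortcut`, `timeMatch` and `redosInput` are names chosen for this example, not functions in the package; `parseShortcut` mirrors only the user/project extraction visible in index.js.

```javascript
// Added example, not code from the debdiff or from hosted-git-info.
// Both regexes are copied verbatim from the CVE-2021-23362 hunk.
'use strict';

// Pre-patch pattern, exactly as built by `new RegExp(...)` in the removed line.
const OLD_RE = new RegExp('^([^:]+):(?:(?:[^@:]+(?:[^@]+)?@)?([^/]*))[/](.+?)(?:[.]git)?($|#)');
// Post-patch pattern from the added line.
const NEW_RE = /^([^:]+):(?:[^@]+@)?(?:([^/]*)\/)?([^#]+)/;

// Mirror of the user/project extraction in index.js: group 1 is the host
// name, group 2 the user (kept falsy when absent, as the original does with
// `shortcutMatch[2] && ...`), group 3 the project. `stripGit` reproduces the
// second hunk: the new regex no longer peels off ".git", so the caller does.
function parseShortcut(url, re, stripGit) {
  const m = url.match(re);
  if (!m) return null;
  const rawProject = stripGit ? m[3].replace(/\.git$/, '') : m[3];
  return {
    host: m[1],
    user: m[2] && decodeURIComponent(m[2]),
    project: decodeURIComponent(rawProject),
  };
}

const parseOld = (url) => parseShortcut(url, OLD_RE, false);
const parseNew = (url) => parseShortcut(url, NEW_RE, true);

// Wall-clock cost of a single `test()` call, in milliseconds.
function timeMatch(re, input) {
  const t0 = process.hrtime.bigint();
  re.test(input);
  return Number(process.hrtime.bigint() - t0) / 1e6;
}

// Constructed worst-case input for the old pattern: a shortcut prefix followed
// by n characters that contain neither '@' nor '/'. The old optional group
// `[^@:]+(?:[^@]+)?@` then tries every split of the n characters between its two
// quantifiers before failing (about n*n/2 steps); the new `(?:[^@]+@)?` gives up
// after one backtracking pass, so its cost stays linear in n.
function redosInput(n) {
  return 'github:' + 'a'.repeat(n);
}

function demo() {
  const samples = [
    'github:npm/hosted-git-info',
    'github:npm/hosted-git-info.git#v2.7.1',
    'gitlab:group/sub/project',
    'github:foo', // no '/': rejected by OLD_RE, accepted by NEW_RE
  ];
  for (const url of samples) {
    console.log(url.padEnd(40), 'old:', JSON.stringify(parseOld(url)), 'new:', JSON.stringify(parseNew(url)));
  }
  const bad = redosInput(5000); // raise n to see the quadratic growth of the old pattern
  console.log(`old regex on ${bad.length} chars: ${timeMatch(OLD_RE, bad).toFixed(2)} ms`);
  console.log(`new regex on ${bad.length} chars: ${timeMatch(NEW_RE, bad).toFixed(2)} ms`);
}

demo();
```

Run it with `node redos-check.js`; the three well-formed shortcuts print the same `{host, user, project}` for both patterns, `github:foo` prints `null` for the old pattern and a match with no `user` for the new one, and the timing lines make the backtracking difference visible without any external input.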