Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian....@packages.debian.org
Usertags: pu
X-Debbugs-Cc: node-cookie...@packages.debian.org
Control: affects -1 + src:node-cookiejar
[ Reason ]
node-cookiejar is vulnerable to ReDoS (CVE-2022-25901).

[ Impact ]
Medium security issue.

[ Tests ]
Test passed

[ Risks ]
No risk, patch is trivial

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

[ Changes ]
Check if cookie is not too big

Cheers,
Yadd
diff --git a/debian/changelog b/debian/changelog index d31a10d..2ecbcad 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +node-cookiejar (2.1.2-1+deb11u1) bullseye; urgency=medium + + * Team upload + * Add a guard against maliciously-sized cookies (Closes: CVE-2022-25901) + + -- Yadd <y...@debian.org> Tue, 28 Feb 2023 17:55:16 +0400 + node-cookiejar (2.1.2-1) unstable; urgency=medium * Team upload diff --git a/debian/patches/CVE-2022-25901.patch b/debian/patches/CVE-2022-25901.patch new file mode 100644 index 0000000..8933f32 --- /dev/null +++ b/debian/patches/CVE-2022-25901.patch @@ -0,0 +1,22 @@ +Description: add a guard against maliciously-sized cookies +Author: Andy Burke <andy.burke@mailbox.earth> +Bug: https://github.com/TheKingTermux/alice/issues/240 +Forwarded: not-needed +Applied-Upstream: 2.1.4, https://github.com/bmeck/node-cookiejar/pull/39 +Reviewed-By: Yadd <y...@debian.org> +Last-Update: 2023-02-28 + +--- a/cookiejar.js ++++ b/cookiejar.js +@@ -65,6 +65,11 @@ + var cookie_str_splitter = /[:](?=\s*[a-zA-Z0-9_\-]+\s*[=])/g; + Cookie.prototype.parse = function parse(str, request_domain, request_path) { + if (this instanceof Cookie) { ++ if ( str.length > 32768 ) { ++ console.warn("Cookie too long for parsing (>32768 characters)"); ++ return; ++ } ++ + var parts = str.split(";").filter(function (value) { + return !!value; + }); diff --git a/debian/patches/series b/debian/patches/series new file mode 100644 index 0000000..239e3ed --- /dev/null +++ b/debian/patches/series @@ -0,0 +1 @@ +CVE-2022-25901.patch
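Review bot: in the debian/changelog hunk, `(Closes: CVE-2022-25901)` will not be picked up by the bug-closing machinery, which only recognises `#NNNNNN` Debian bug numbers after `Closes:`; keep the CVE id in the entry text, and if a Debian bug was filed for this issue add its number as `Closes: #NNNNNN` so the BTS is updated when the upload is accepted.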
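Review bot: in the cookiejar.js hunk inside debian/patches/CVE-2022-25901.patch, the guard exits with a bare `return;`, so any caller that uses the result of `parse` now receives undefined for an oversized cookie and must handle that case, and `console.warn(...)` fires once per rejected input, which for attacker-controlled cookie strings turns the mitigation into a log-flooding source; prefer returning silently or raising a typed error the caller can handle, and replace the literal 32768 (which appears in both the condition and the message) with a named constant so the two cannot drift. Also, the `Bug:` header points at `https://github.com/TheKingTermux/alice/issues/240`, a third-party repository rather than the node-cookiejar tracker; confirm that reference or point it at the upstream report behind `bmeck/node-cookiejar/pull/39`.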