Bug#989129: buster-pu: package node-ws/1.1.0+ds1.e6ddaae4-5+deb10u1

[Adam D. Barratt]

Control: tags -1 + confirmed

On Wed, 2021-05-26 at 12:45 +0200, Yadd wrote:
> Here is the missing debdiff

Please go ahead.

Regards,

Adam

Bug#989129: buster-pu: package node-ws/1.1.0+ds1.e6ddaae4-5+deb10u1

[Yadd]

Here is the missing debdiff
diff --git a/debian/changelog b/debian/changelog
index d8d3387..20f5a00 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+node-ws (1.1.0+ds1.e6ddaae4-5+deb10u1) buster; urgency=medium
+
+  * Team upload
+  * Fix ReDoS vulnerability (Closes: CVE-2021-32640)
+
+ -- Yadd   Wed, 26 May 2021 12:33:11 +0200
+
 node-ws (1.1.0+ds1.e6ddaae4-5) unstable; urgency=medium
 
   * Add upstream/metadata
diff --git a/debian/patches/CVE-2021-32640.patch 
b/debian/patches/CVE-2021-32640.patch
new file mode 100644
index 000..fd4c9dc
--- /dev/null
+++ b/debian/patches/CVE-2021-32640.patch
@@ -0,0 +1,49 @@
+Description: Fix ReDoS vulnerability
+ A specially crafted value of the `Sec-Websocket-Protocol` header could
+ be used to significantly slow down a ws server.
+ .
+ PoC and fix were sent privately by Robert McLaughlin from University of
+ California, Santa Barbara.
+Author: Luigi Pinca 
+Origin: upstream, https://github.com/websockets/ws/commit/00c425e
+Bug: https://github.com/websockets/ws/security/advisories/GHSA-6fc8-4gx4-v693
+Forwarded: not-needed
+Reviewed-By: Yadd 
+Last-Update: 2021-05-26
+
+--- a/lib/WebSocketServer.js
 b/lib/WebSocketServer.js
+@@ -289,7 +289,7 @@
+   var completeHybiUpgrade1 = function() {
+ // choose from the sub-protocols
+ if (typeof self.options.handleProtocols == 'function') {
+-var protList = (protocols || "").split(/, */);
++var protList = (protocols || "").split(',').map(trim);
+ var callbackCalled = false;
+ var res = self.options.handleProtocols(protList, function(result, 
protocol) {
+   callbackCalled = true;
+@@ -303,7 +303,7 @@
+ return;
+ } else {
+ if (typeof protocols !== 'undefined') {
+-completeHybiUpgrade2(protocols.split(/, */)[0]);
++completeHybiUpgrade2(protocols.split(',').map(trim)[0]);
+ }
+ else {
+ completeHybiUpgrade2();
+@@ -552,3 +552,15 @@
+ try { socket.destroy(); } catch (e) {}
+   }
+ }
++
++/**
++ * Remove whitespace characters from both ends of a string.
++ *
++ * @param {String} str The string
++ * @return {String} A new string representing `str` stripped of whitespace
++ * characters from both its beginning and end
++ * @private
++ */
++function trim(str) {
++  return str.trim();
++}
diff --git a/debian/patches/series b/debian/patches/series
index 0556eb7..e5cc10a 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -5,3 +5,4 @@ disable-debian-failing-tests
 fix-failing-tests
 increase-test-timeout
 node-ads-120.diff
+CVE-2021-32640.patch

Bug#989129: buster-pu: package node-ws/1.1.0+ds1.e6ddaae4-5+deb10u1

[Yadd]

Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian@packages.debian.org
Usertags: pu

[ Reason ]
node-ws is vulnerable to re regex denial of service (ReDoS)
(CVE-2021-32640).

[ Impact ]
A specially crafted value of the `Sec-Websocket-Protocol` header could
be used to significantly slow down a ws server.

[ Tests ]
No change in test, it passed.

[ Risks ]
No risk, patch is trivial

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

[ Changes ]
Just replace:

  split(/, */)

by

  split(',').map(s => s.trim())

[ Other info ]
I adapted patch from 7.4.2 to 1.1.0

Cheers,
Yadd