Your message dated Thu, 12 Jun 2025 19:50:17 +0000
with message-id <[email protected]>
and subject line unblock node-brace-expansion
has caused the Debian Bug report #1107701,
regarding unblock: node-brace-expansion/2.0.1+~1.1.0-2
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1107701: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1107701
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
X-Debbugs-Cc: [email protected], [email protected]
Control: affects -1 + src:node-brace-expansion
User: [email protected]
Usertags: unblock
Please unblock package node-brace-expansion
[ Reason ]
node-brace-expansion is vulnerable to a Regex DoS (#1107695,
CVE-2025-5889)
[ Impact ]
Medium security issue
[ Tests ]
Test added in this patch
[ Risks ]
Low risk, patch is trivial and test passed
[ Checklist ]
[X] all changes are documented in the d/changelog
[X] I reviewed all changes and I approve them
[X] attach debdiff against the package in testing
unblock node-brace-expansion/2.0.1+~1.1.0-2
diff --git a/debian/changelog b/debian/changelog
index 8469a60..48af48f 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+node-brace-expansion (2.0.1+~1.1.0-2) unstable; urgency=medium
+
+ * Declare compliance with policy 4.7.2
+ * Fix potential ReDoS vulnerability or inefficient regular expression
+ (Closes: #1107695, CVE-2025-5889)
+
+ -- Yadd <[email protected]> Thu, 12 Jun 2025 11:55:12 +0200
+
node-brace-expansion (2.0.1+~1.1.0-1) unstable; urgency=medium
* Team upload
diff --git a/debian/control b/debian/control
index 96d4fc6..da61939 100644
--- a/debian/control
+++ b/debian/control
@@ -7,7 +7,7 @@ Build-Depends: debhelper-compat (= 13)
, dh-sequence-nodejs
, node-balanced-match <!nocheck>
, node-tape <!nocheck>
-Standards-Version: 4.6.2
+Standards-Version: 4.7.2
Vcs-Browser: https://salsa.debian.org/js-team/node-brace-expansion
Vcs-Git: https://salsa.debian.org/js-team/node-brace-expansion.git
Homepage: https://github.com/juliangruber/brace-expansion
diff --git a/debian/patches/CVE-2025-5889.patch
b/debian/patches/CVE-2025-5889.patch
new file mode 100644
index 0000000..9eaa54c
--- /dev/null
+++ b/debian/patches/CVE-2025-5889.patch
@@ -0,0 +1,36 @@
+Description: fix potential ReDoS vulnerability or inefficient regular
expression in project
+Author: mmmsssttt404 <[email protected]>
+Origin: upstream,
https://patch-diff.githubusercontent.com/raw/juliangruber/brace-expansion/pull/65
+Bug: https://github.com/juliangruber/brace-expansion/issues/66
+Bug-Debian: https://bugs.debian.org/1107695
+Forwarded: not-needed
+Applied-Upstream: 2.0.2,
https://github.com/juliangruber/brace-expansion/commit/36603d5f
+Reviewed-By: Yadd <[email protected]>
+Last-Update: 2025-06-12
+
+--- a/index.js
++++ b/index.js
+@@ -116,7 +116,7 @@
+ var isOptions = m.body.indexOf(',') >= 0;
+ if (!isSequence && !isOptions) {
+ // {a},b}
+- if (m.post.match(/,.*\}/)) {
++ if (m.post.match(/,(?!,).*\}/)) {
+ str = m.pre + '{' + m.body + escClose + m.post;
+ return expand(str);
+ }
+--- /dev/null
++++ b/test/redos.js
+@@ -0,0 +1,12 @@
++import test from 'node:test'
++import assert from 'assert'
++import expand from '../index.js'
++
++test('redos', function () {
++let str = "{a}" + ",".repeat(100000) + "\u0000";
++ let startTime = performance.now();
++ expand(str)
++ let endTime = performance.now();
++ let timeTaken = endTime - startTime;
++ assert.ok(timeTaken < 10000, `Expected time (${timeTaken}ms) to be less
than 10000ms`);
++})
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 0000000..d36590c
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1 @@
+CVE-2025-5889.patch
--- End Message ---
--- Begin Message ---
Unblocked.
--- End Message ---
