On 28/11/2022 22:11, Paul Gevers wrote:
Hi Yadd,
On Sat, 26 Nov 2022 13:01:22 +0000 Adam D Barratt
<a...@adam-barratt.org.uk> wrote:
The upload referenced by this bug report has been flagged for
acceptance into the proposed-updates queue for Debian bullseye.
Thanks for your contribution!
Upload details
==============
Package: node-minimatch
Version: 3.0.4+~3.0.3-1+deb11u1
Explanation: improve protection against regular expression-based
denial of service [CVE-2022-3517]
The upload breaks [1] the autopkgtest of node-glob. Can you have a look?
Paul
[1] https://ci.debian.net/packages/n/node-glob/stable/amd64/
4 failing
1) test/nocase-nomagic.js nocase, nomagic should be equivalent:
Error: should be equivalent
+ expected - actual
-[]
+[
+ "/TMP/A"
+ "/TMP/a"
+ "/tMP/A"
+ "/tMP/a"
+ "/tMp/A"
+ "/tMp/a"
+ "/tmp/A"
+ "/tmp/a"
+]
at test/nocase-nomagic.js:98:7
at f (/usr/lib/nodejs/once/once.js:25:25)
at Glob.<anonymous> (/usr/share/nodejs/glob/glob.js:151:7)
at Glob._finish (/usr/share/nodejs/glob/glob.js:197:8)
at done (/usr/share/nodejs/glob/glob.js:182:14)
at Glob._processSimple2 (/usr/share/nodejs/glob/glob.js:688:12)
at /usr/share/nodejs/glob/glob.js:676:10
at Glob._stat2 (/usr/share/nodejs/glob/glob.js:772:12)
at lstatcb_ (/usr/share/nodejs/glob/glob.js:764:12)
at RES (/usr/lib/nodejs/inflight/inflight.js:31:16)
at f (/usr/lib/nodejs/once/once.js:25:25)
2) test/nocase-nomagic.js nocase, nomagic should be equivalent:
Error: should be equivalent
+ expected - actual
-[]
+[
+ "/TMP/A"
+ "/TMP/a"
+ "/tMP/A"
+ "/tMP/a"
+ "/tMp/A"
+ "/tMp/a"
+ "/tmp/A"
+ "/tmp/a"
+]
at test/nocase-nomagic.js:108:7
at f (/usr/lib/nodejs/once/once.js:25:25)
at Glob.<anonymous> (/usr/share/nodejs/glob/glob.js:151:7)
at Glob._finish (/usr/share/nodejs/glob/glob.js:197:8)
at done (/usr/share/nodejs/glob/glob.js:182:14)
at Glob._processSimple2 (/usr/share/nodejs/glob/glob.js:688:12)
at /usr/share/nodejs/glob/glob.js:676:10
at Glob._stat2 (/usr/share/nodejs/glob/glob.js:772:12)
at lstatcb_ (/usr/share/nodejs/glob/glob.js:764:12)
at RES (/usr/lib/nodejs/inflight/inflight.js:31:16)
at f (/usr/lib/nodejs/once/once.js:25:25)
3) test/nocase-nomagic.js nocase, with some magic should be equivalent:
Error: should be equivalent
+ expected - actual
[
+ "/TMP/A"
+ "/TMP/a"
+ "/tMP/A"
+ "/tMP/a"
+ "/tMp/A"
+ "/tMp/a"
"/tmp/A"
"/tmp/a"
]
at test/nocase-nomagic.js:137:7
at f (/usr/lib/nodejs/once/once.js:25:25)
at Glob.<anonymous> (/usr/share/nodejs/glob/glob.js:151:7)
at Glob._finish (/usr/share/nodejs/glob/glob.js:197:8)
at done (/usr/share/nodejs/glob/glob.js:182:14)
at Glob._processReaddir2 (/usr/share/nodejs/glob/glob.js:434:12)
at /usr/share/nodejs/glob/glob.js:371:17
at RES (/usr/lib/nodejs/inflight/inflight.js:31:16)
at f (/usr/lib/nodejs/once/once.js:25:25)
at Glob._readdirEntries (/usr/share/nodejs/glob/glob.js:578:10)
at /usr/share/nodejs/glob/glob.js:555:12
at test/nocase-nomagic.js:62:9
4) test/nocase-nomagic.js nocase, with some magic should be equivalent:
Error: should be equivalent
+ expected - actual
[
+ "/TMP/A"
+ "/TMP/a"
+ "/tMP/A"
+ "/tMP/a"
+ "/tMp/A"
+ "/tMp/a"
"/tmp/A"
"/tmp/a"
]
at test/nocase-nomagic.js:147:7
at f (/usr/lib/nodejs/once/once.js:25:25)
at Glob.<anonymous> (/usr/share/nodejs/glob/glob.js:151:7)
at Glob._finish (/usr/share/nodejs/glob/glob.js:197:8)
at done (/usr/share/nodejs/glob/glob.js:182:14)
at Glob._processReaddir2 (/usr/share/nodejs/glob/glob.js:434:12)
at /usr/share/nodejs/glob/glob.js:371:17
at RES (/usr/lib/nodejs/inflight/inflight.js:31:16)
at f (/usr/lib/nodejs/once/once.js:25:25)
at Glob._readdirEntries (/usr/share/nodejs/glob/glob.js:578:10)
at /usr/share/nodejs/glob/glob.js:555:12
at test/nocase-nomagic.js:62:9

Hi,

the problem is in this part of the minimatch.js patch:
@@ -280,7 +306,7 @@
if (pattern === '') return ''
var re = ''
- var hasMagic = !!options.nocase
+ var hasMagic = false
var escaping = false
// ? => one single character
var patternListStack = []
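Review bot: at `var hasMagic = false`, the initialiser no longer takes `options.nocase` into account, so unless something later in the function sets `hasMagic`, a pattern with no glob characters is no longer flagged as magic when `nocase` is set. That fits the node-glob failures quoted above, which are all in test/nocase-nomagic.js and all miss differently cased paths such as "/TMP/A". Either keep `!!options.nocase` in the initialiser or make sure the non-magic path still honours `nocase`, and add a test in this package for `nocase` with a literal pattern so the regression shows up before reverse dependencies run their autopkgtests.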
We should apply this patch:
https://github.com/isaacs/minimatch/commit/e4cd4346
I'm going to prepare a new upload.