Package: release.debian.org
Severity: normal
User: [email protected]
Usertags: unblock

Please unblock package node-glob-parent

[ Reason ]
node-glob-parent is vulnerable to Regex Denial of Service (ReDoS), CVE-2020-28469

[ Impact ]
Medium vulnerability

[ Tests ]
Test passed (build & autopkgtest), including new upstream check related to this vulnerability

[ Risks ]
Low risk: upstream patch applied without any change

[ Checklist ]
  [X] all changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in testing

[ Other info ]
Patch is trivial, just a regex update

Cheers,
Yadd

unblock node-glob-parent/5.1.1+~5.1.0-2
diff --git a/debian/changelog b/debian/changelog index 3e6f1d0..e60f126 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +node-glob-parent (5.1.1+~5.1.0-2) unstable; urgency=medium + + * Team upload + * Fix ReDoS (Closes: CVE-2020-28469) + + -- Yadd <[email protected]> Fri, 16 Apr 2021 13:34:51 +0200 + node-glob-parent (5.1.1+~5.1.0-1) unstable; urgency=medium * Team upload diff --git a/debian/patches/CVE-2020-28469.patch b/debian/patches/CVE-2020-28469.patch new file mode 100644 index 0000000..99478a6 --- /dev/null +++ b/debian/patches/CVE-2020-28469.patch @@ -0,0 +1,36 @@ +Description: fix ReDoS vulnerability + This change fixes a regular expression denial of service vulnerability. +Author: Rich Trott <[email protected]> +Origin: upstream, https://github.com/gulpjs/glob-parent/commit/f9231168 +Bug: https://snyk.io/vuln/SNYK-JS-GLOBPARENT-1016905 +Forwarded: not-needed +Reviewed-By: Yadd <[email protected]> +Last-Update: 2021-04-16 + +--- a/index.js ++++ b/index.js +@@ -6,7 +6,7 @@ + + var slash = '/'; + var backslash = /\\/g; +-var enclosure = /[\{\[].*[\/]*.*[\}\]]$/; ++var enclosure = /[\{\[].*[\}\]]$/; + var globby = /(^|[^\\])([\{\[]|\([^\)]+$)/; + var escaped = /\\([\!\*\?\|\[\]\(\)\{\}])/g; + +--- a/test/index.test.js ++++ b/test/index.test.js +@@ -209,6 +209,13 @@ + + done(); + }); ++ ++ it('should not be susceptible to SNYK-JS-GLOBPARENT-1016905', function(done) { ++ // This will time out if susceptible. ++ gp('{' + '/'.repeat(5000)); ++ ++ done(); ++ }); + }); + + if (isWin32) { diff --git a/debian/patches/series b/debian/patches/series index 439519e..421e1b0 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -1 +1,2 @@ is-glob-4-compat.patch +CVE-2020-28469.patch
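Review bot: in the debian/changelog hunk, `Closes: CVE-2020-28469` closes nothing, because the `Closes:` syntax dpkg and the BTS parse expects a Debian bug number (`#NNNNNN`), not a CVE id. The security tracker picks the CVE up from the plain text anyway, so `* Fix ReDoS (CVE-2020-28469)` is the conventional wording; if a Debian bug was filed for this CVE, its number is what belongs in `Closes:`.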
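Review bot: in the DEP-3 header of debian/patches/CVE-2020-28469.patch, the `Origin:` line references the abbreviated commit `f9231168`; use the full commit hash in the URL so the reference stays unambiguous if the short prefix ever collides. `Forwarded: not-needed` is correct here since the patch is the upstream commit itself.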
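Review bot: the index.js hunk is behaviour-preserving, and the patch description should say so: `.` already matches `/`, so `.*[\/]*.*` and `.*` accept exactly the same strings, and the removed `[\/]*` only multiplied the ways the engine could split the input across three unbounded quantifiers, which is what made `{` followed by many `/` with no closing bracket backtrack polynomially (roughly cubically) in the input length. The remaining `[\{\[].*[\}\]]$` is unanchored at the start and still backtracks linearly from every `{` or `[` in the string, so its worst case is quadratic (a long run of `{` with no closing bracket); that is acceptable for this use, but it would be cheap to cover in the regression test as well.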
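Review bot: the new test in test/index.test.js passes only by not hitting mocha's default 2000 ms timeout and never checks what `gp('{' + '/'.repeat(5000))` returns. Assert on the returned parent path so the test also catches a functional regression, and make the time bound explicit (for example `this.timeout(1000);` at the top of the `it` callback, which works here because the callback is a regular `function`) so a reintroduced ReDoS fails fast and for a stated reason.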
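The following is an added example, not code from the Debian report or from glob-parent itself. It copies the two `enclosure` patterns from the index.js hunk above and checks the two things a reviewer of a regex-only security patch wants to know: that the fixed pattern accepts exactly the same strings as the old one (by enumerating every short string over a small alphabet), and that the fixed pattern handles the upstream regression payload (`{` followed by 5000 `/`) immediately while the old one grows super-linearly on much smaller inputs. The helper names, the alphabet, the input sizes and the time bound are this example's own choices.

```javascript
// Added example: compare glob-parent's enclosure regex before and after the
// upstream fix for CVE-2020-28469. The two patterns are copied from the
// index.js hunk; everything else here is constructed for illustration.

// Pattern in glob-parent 5.1.1 (vulnerable): three unbounded quantifiers in
// a row give the engine many ways to split the input before '[\}\]]$' fails.
const enclosureBefore = /[\{\[].*[\/]*.*[\}\]]$/;
// Pattern after the upstream commit (fixed): one '.*', so backtracking is
// linear from each '{' or '[' start position.
const enclosureAfter = /[\{\[].*[\}\]]$/;

// Same payload shape as the upstream regression test: an opening brace
// followed by n slashes and no closing brace, so the match must fail.
function redosPayload(n) {
  return '{' + '/'.repeat(n);
}

// Wall-clock cost of one .test() call, in milliseconds, plus its result.
function timeTest(re, input) {
  const t0 = process.hrtime.bigint();
  const matched = re.test(input);
  const t1 = process.hrtime.bigint();
  return { matched, ms: Number(t1 - t0) / 1e6 };
}

// Equivalence check: '.' already matches '/', so '.*[\/]*.*' and '.*' accept
// the same strings. Enumerate every string up to maxLen over an alphabet of
// the characters the patterns care about and require both .test() results
// to agree. Returns the number of strings checked; throws on a disagreement.
function patternsAgree(maxLen) {
  const alphabet = ['{', '}', '[', ']', '/', 'a', '*']; // constructed alphabet
  let count = 0;
  const walk = (prefix) => {
    if (enclosureBefore.test(prefix) !== enclosureAfter.test(prefix)) {
      throw new Error('patterns disagree on ' + JSON.stringify(prefix));
    }
    count++;
    if (prefix.length < maxLen) {
      for (const ch of alphabet) walk(prefix + ch);
    }
  };
  walk('');
  return count;
}

// Cost of the fixed pattern on the 5000-slash payload; should be well under
// a millisecond on any engine, compared with minutes for the old pattern.
function fixedPatternCost() {
  return timeTest(enclosureAfter, redosPayload(5000));
}

// Print the growth of the vulnerable pattern on inputs small enough to finish,
// then the fixed pattern on the real payload. Absolute numbers depend on the
// engine, so they are shown rather than asserted.
function demo() {
  for (const n of [50, 100, 200, 400]) {
    const r = timeTest(enclosureBefore, redosPayload(n));
    console.log(`before  n=${n}: ${r.ms.toFixed(2)} ms (matched=${r.matched})`);
  }
  const fixed = fixedPatternCost();
  console.log(`after   n=5000: ${fixed.ms.toFixed(2)} ms (matched=${fixed.matched})`);
  console.log(`patterns agree on ${patternsAgree(5)} short inputs`);
}

demo();
```

The enumeration is a cheap way to review any patch that only touches a regular expression: if the two patterns disagree on some short string, the change altered behaviour and needs a closer look; if they agree on every string up to a few characters over the relevant alphabet, the edit is almost certainly a pure backtracking fix. The vulnerable pattern's timings are printed, not asserted, because absolute values vary by engine and machine; the shape of the growth is the point.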

