Package: release.debian.org Severity: normal Tags: buster User: [email protected] Usertags: pu
[ Reason ] node-glob-parent is vulnerable to Regex Denial of Service (ReDoS) CVE-2020-28469 [ Impact ] Low vulnerability risk [ Tests ] No test backported from 5.1.0 branch [ Risks ] Trivial patch [ Checklist ] [X] *all* changes are documented in the d/changelog [X] I reviewed all changes and I approve them [X] attach debdiff against the package in (old)stable [X] the issue is verified as fixed in unstable [ Changes ] Just a better regex check. Patch from upstream adapted to 3.1.0 Cheers, Yadd
diff --git a/debian/changelog b/debian/changelog index 74d0753..46486a7 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +node-glob-parent (3.1.0-1+deb10u1) unstable; urgency=medium + + * Team upload + * Fix ReDoS (Closes: CVE-2020-28469) + + -- Yadd <[email protected]> Fri, 16 Apr 2021 13:46:41 +0200 + node-glob-parent (3.1.0-1) unstable; urgency=medium * Team upload diff --git a/debian/patches/CVE-2020-28469.patch b/debian/patches/CVE-2020-28469.patch new file mode 100644 index 0000000..663e173 --- /dev/null +++ b/debian/patches/CVE-2020-28469.patch @@ -0,0 +1,20 @@ +Description: fix ReDoS vulnerability + This change fixes a regular expression denial of service vulnerability. +Author: Rich Trott <[email protected]> +Origin: upstream, https://github.com/gulpjs/glob-parent/commit/f9231168 +Bug: https://snyk.io/vuln/SNYK-JS-GLOBPARENT-1016905 +Forwarded: not-needed +Reviewed-By: Yadd <[email protected]> +Last-Update: 2021-04-16 + +--- a/index.js ++++ b/index.js +@@ -10,7 +10,7 @@ + if (isWin32 && str.indexOf('/') < 0) str = str.split('\\').join('/'); + + // special case for strings ending in enclosure containing path separator +- if (/[\{\[].*[\/]*.*[\}\]]$/.test(str)) str += '/'; ++ if (/[\{\[].*[\}\]]$/.test(str)) str += '/'; + + // preserves full path in case of trailing path separator + str += 'a'; diff --git a/debian/patches/series b/debian/patches/series index 439519e..421e1b0 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -1 +1,2 @@ is-glob-4-compat.patch +CVE-2020-28469.patch
