Package: release.debian.org
Severity: normal
User: [email protected]
Usertags: unblock
Please unblock package node-redis

[ Reason ]
node-redis is vulnerable to a Regex Denial of Service

[ Impact ]
Medium security risk

[ Tests ]
No change in tests. Both build & autopkgtest passed

[ Risks ]
Change is trivial: just a regex fix. node-redis has no reverse dependencies for now, so no risk for other packages

[ Checklist ]
[X] all changes are documented in the d/changelog
[X] I reviewed all changes and I approve them
[X] attach debdiff against the package in testing

[ Other info ]
Patch also includes:
* uploaders list update: Leo is MIA
* GitHub regex fix in debian/watch

unblock node-redis/3.0.2+~cs5.18.1-3
diff --git a/debian/changelog b/debian/changelog index 4f546a6..f25dee1 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,5 +1,14 @@ +node-redis (3.0.2+~cs5.18.1-3) UNRELEASED; urgency=medium + + * Fix GitHub tags regex + * Uploaders: remove Leo Iannacone, thanks for your work! + * Fix potential ReDoS (Closes: CVE-2021-29469) + + -- Yadd <[email protected]> Sun, 25 Apr 2021 13:54:43 +0200 + node-redis (3.0.2+~cs5.18.1-2) unstable; urgency=medium + [ Xavier Guimard ] * Add node-lodash-packages in test dependencies -- Xavier Guimard <[email protected]> Mon, 21 Dec 2020 06:13:22 +0100 diff --git a/debian/control b/debian/control index 8fecf53..de2c694 100644 --- a/debian/control +++ b/debian/control @@ -1,6 +1,6 @@ Source: node-redis Maintainer: Debian Javascript Maintainers <[email protected]> -Uploaders: Leo Iannacone <[email protected]>, Xavier Guimard <[email protected]> +Uploaders: Yadd <[email protected]> Section: javascript Priority: optional Build-Depends: debhelper-compat (= 13) diff --git a/debian/copyright b/debian/copyright index 24794c5..b0ec804 100644 --- a/debian/copyright +++ b/debian/copyright @@ -21,7 +21,7 @@ License: Expat Files: debian/* Copyright: 2014 Leo Iannacone <[email protected]> - 2019-2020 Xavier Guimard <[email protected]> + 2019-2020 Yadd <[email protected]> License: GPL-3 Files: debian/tests/test_modules/intercept-stdout/* diff --git a/debian/patches/CVE-2021-29469.patch b/debian/patches/CVE-2021-29469.patch new file mode 100644 index 0000000..d074802 --- /dev/null +++ b/debian/patches/CVE-2021-29469.patch 
@@ -0,0 +1,19 @@ +Description: fix ReDoS +Author: Leibale Eidelman <[email protected]> +Origin: upstream, https://github.com/NodeRedis/node-redis/commit/2d11b6dc +Bug: https://github.com/NodeRedis/node-redis/issues/1569 +Forwarded: not-needed +Reviewed-By: Yadd <[email protected]> +Last-Update: 2021-04-25 + +--- a/lib/utils.js ++++ b/lib/utils.js +@@ -127,7 +127,7 @@ + reply_to_object: replyToObject, + print: print, + err_code: /^([A-Z]+)\s+(.+)$/, +- monitor_regex: /^[0-9]{10,11}\.[0-9]+ \[[0-9]+ .+\]( ".+?")+$/, ++ monitor_regex: /^[0-9]{10,11}\.[0-9]+ \[[0-9]+ .+\].*"$/, + clone: convenienceClone, + callback_or_emit: callbackOrEmit, + reply_in_order: replyInOrder diff --git a/debian/patches/series b/debian/patches/series index 73eead0..250556a 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -1,3 +1,4 @@ avoid-failing-test.diff disable-tests-failing-with-redis-5.6.diff remove-cross-spawn.patch +CVE-2021-29469.patch diff --git a/debian/watch b/debian/watch index ebfa712..34f812e 100644 --- a/debian/watch +++ b/debian/watch @@ -1,7 +1,7 @@ version=4 opts=filenamemangle=s/.*\/v?([\d\.-]+)\.tar\.gz/node-redis-$1.tar.gz/ \ - https://github.com/NodeRedis/node_redis/tags .*/archive/v?\.?([\d\.]+).tar.gz group + https://github.com/NodeRedis/node_redis/tags .*/archive/.*/v?\.?([\d\.]+).tar.gz group opts="searchmode=plain,pgpmode=none,ctype=nodejs,component=redis-commands" \ https://registry.npmjs.org/redis-commands https://registry.npmjs.org/redis-commands/-/redis-commands-(\d[\d\.]*)@ARCHIVE_EXT@ checksum
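Review bot: `* Fix potential ReDoS (Closes: CVE-2021-29469)` in the debian/changelog hunk will not close anything, because the Closes field is parsed for Debian bug numbers (#NNNNNN), not CVE ids; reference the CVE as plain text, e.g. `* Fix potential ReDoS (CVE-2021-29469)`, and add `Closes: #NNNNNN` only if a corresponding Debian bug exists. The same hunk also shows the distribution as `UNRELEASED`, while the unblock asks for 3.0.2+~cs5.18.1-3 as uploaded to unstable; regenerate the debdiff from the finalised source so the reviewed diff matches what was uploaded.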
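Review bot: the new `monitor_regex` in the CVE-2021-29469.patch hunk removes the nested quantifier `( ".+?")+`, which is what let the old pattern backtrack exponentially on a long MONITOR line, and that is the correct fix; note, however, that the replacement `.*"$` accepts any text after `]` as long as the line ends in a double quote, so the check is now looser than before, and the remaining `.+\]` and `.*"` still backtrack against each other on a non-matching line, though only quadratically. Since the unblock states that no tests changed, consider adding a regression test that runs `monitor_regex` against a long non-matching line and asserts it returns promptly, so the fix is covered by autopkgtest. The DEP-3 header is otherwise complete: Origin points at the upstream commit and `Forwarded: not-needed` is appropriate for a backported upstream change.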
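Review bot: in the debian/copyright hunk the `2019-2020` range is kept while only the name changes to Yadd; since this upload adds 2021 packaging work under the same holder, the range should read `2019-2021`.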
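Review bot: in the debian/watch hunk the new pattern `.*/archive/.*/v?\.?([\d\.]+).tar.gz` leaves the dots in `.tar.gz` unescaped (the filenamemangle option on the line above correctly uses `\.tar\.gz`) and the `v?\.?` prefix tolerates a stray dot before the version; `.*/archive/.*/v?([\d.]+)\.tar\.gz` is the tighter form. Also confirm that the inserted `.*/` is there to match GitHub's current `/archive/refs/tags/v<version>.tar.gz` tag URLs, and that `uscan --report` picks up the expected upstream version with it.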

