On 29/11/2022 11:14, Yadd wrote:
On 29/11/2022 10:56, Yadd wrote:
On 28/11/2022 22:11, Paul Gevers wrote:
Hi Yadd,

On Sat, 26 Nov 2022 13:01:22 +0000 Adam D Barratt <a...@adam-barratt.org.uk> wrote:
The upload referenced by this bug report has been flagged for acceptance into the proposed-updates queue for Debian bullseye.

Thanks for your contribution!

Upload details
==============

Package: node-minimatch
Version: 3.0.4+~3.0.3-1+deb11u1

Explanation: improve protection against regular expression-based denial of service [CVE-2022-3517]

The upload breaks [1] the autopkgtest of node-glob. Can you have a look?

Paul
[...]

Hi,

the problem is in this part of the minimatch.js patch:

@@ -280,7 +306,7 @@
    if (pattern === '') return ''

    var re = ''
-  var hasMagic = !!options.nocase
+  var hasMagic = false
    var escaping = false
    // ? => one single character
    var patternListStack = []
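Review bot: dropping `options.nocase` from the `hasMagic` initializer (`var hasMagic = false` in place of `var hasMagic = !!options.nocase`) means a pattern with no glob characters is no longer treated as "magic" just because `nocase` is set, so anything below this hunk that is gated on `hasMagic` will now take the literal-pattern path for case-insensitive matches; that is consistent with node-glob's autopkgtest regressing on this upload. Restore the `!!options.nocase` initializer or carry the upstream follow-up commit instead of this hunk alone, and add an autopkgtest case that matches a plain literal pattern with `nocase: true` so the regression cannot reappear in a later update.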

We should apply this patch:
https://github.com/isaacs/minimatch/commit/e4cd4346

I'm going to prepare a new upload

Here is a new debdiff:
  * this cleans up the CVE-2022-3517 patch (the package*.json changes are not needed)
  * this includes the regression fixes from 3.0.6 and 3.0.7

To help, I built a cumulative debdiff (u1 + u2), easier to read.

Do I have to open a new BTS?

Cheers,
Yadd

Of course, verified with node-glob: all is OK now.
