On 26/04/2019 at 19:40, Xavier wrote:
> [...]
> Hello,
>
> The regex that causes CVE-2018-1109 was introduced in upstream version
> 2.2.0, commit dcc1acab [1]. So Buster node-braces seems not to be affected by
> this CVE.
>
> https://snyk.io/vuln/npm:braces:20180219 extract:
>
>> braces is a Bash-like brace expansion, implemented in JavaScript.
>>
>> Affected versions of this package are vulnerable to Regular Expression
>> Denial of Service (ReDoS) attacks. It used a regular expression
>> (^\{(,+(?:(\{,+\})*),*|,*(?:(\{,+\})*),+)\}) in order to detect empty
>> braces. This can cause an impact of about 10 seconds matching time for
>> data 50K characters long.
>
> [...]
>
> No regexp in 2.0.2 contains such an expression.
>
> Time to close this issue?
>
> Cheers,
> Xavier
>
> [1]:
> https://github.com/micromatch/braces/commit/dcc1acab4de9a43e86ab4be4acde209ff1dca113
> [2]:
> https://github.com/micromatch/braces/commit/abdafb0cae1e0c00f184abbadc692f4eaa98f451
Confirmed by https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-1109

-- 
Pkg-javascript-devel mailing list
Pkg-javascript-devel@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel
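The pattern quoted from the Snyk advisory can be exercised directly to see why it is a ReDoS. The script below is an added example for this thread, not code from the braces project and not the upstream fix referenced as [2] (whose content this thread does not show). It runs the quoted regex against the advisory's worst case, an opening brace followed by a long run of commas with no closing brace, and sets it beside a hand-written linear-time check that accepts exactly the same strings. Function names (isEmptyBracesRegex, isEmptyBracesLinear, pathologicalInput, timeMs, runDemo) and the sample inputs are my own.

```javascript
// Added example (not from the braces project or this thread): reproduce the
// CVE-2018-1109 ReDoS with the regex quoted above and contrast it with a
// linear-time check. All function names here are assumptions of this example.

// The exact pattern quoted from the Snyk advisory in this thread.
const EMPTY_BRACES_RE = /^\{(,+(?:(\{,+\})*),*|,*(?:(\{,+\})*),+)\}/;

// Vulnerable check: a bare .test() with a pattern whose `,+` and `,*` runs
// compete for the same commas. When the final `}` is missing, the engine retries
// every split of the comma run before giving up, so cost grows with n*n.
function isEmptyBracesRegex(str) {
  return EMPTY_BRACES_RE.test(str);
}

// Linear-time check accepting the same language as EMPTY_BRACES_RE, including
// its prefix semantics (the pattern has no `$`, so "{,}tail" matches).
// Body grammar: `,*`, then zero or more `{,+}` groups, then `,*`, then `}`,
// with at least one top-level comma (leading or trailing). Every choice is
// forced by the next character, so no backtracking is ever needed.
function isEmptyBracesLinear(str) {
  let i = 0;
  if (str[i++] !== '{') return false;
  let leading = 0;
  while (str[i] === ',') { i++; leading++; }
  // Nested groups: each must be `{` `,+` `}`; a malformed group fails the whole
  // match, just as the regex fails once it sees a `{` it cannot consume.
  while (str[i] === '{') {
    let j = i + 1;
    let commas = 0;
    while (str[j] === ',') { j++; commas++; }
    if (commas === 0 || str[j] !== '}') return false;
    i = j + 1;
  }
  let trailing = 0;
  while (str[i] === ',') { i++; trailing++; }
  return str[i] === '}' && leading + trailing > 0;
}

// Worst case from the advisory: `{` followed by n commas and no closing brace.
function pathologicalInput(n) {
  return '{' + ','.repeat(n);
}

// Time one call and return both its result and the elapsed milliseconds.
function timeMs(fn, input) {
  const start = process.hrtime.bigint();
  const result = fn(input);
  const elapsed = Number(process.hrtime.bigint() - start) / 1e6;
  return { result, elapsed };
}

// Constructed samples covering a match, a non-match and the prefix-only match.
const SAMPLES = ['{,}', '{,,}', '{,{,}}', '{{,},}', '{,{,,}{,},}', '{,}tail',
                 '{}', '{{,}}', '{,{}}', '{,{,},{,}}', '{,,,{', ',}', '', '{'];

// Both implementations must agree on every sample before timing means anything.
function implementationsAgree(samples) {
  return samples.every((s) => isEmptyBracesRegex(s) === isEmptyBracesLinear(s));
}

// Doubling n roughly quadruples the regex time; the linear check stays flat.
// Sizes are kept well below the advisory's 50K so the demo finishes quickly.
function runDemo(sizes) {
  const rows = [];
  for (const n of sizes) {
    const slow = timeMs(isEmptyBracesRegex, pathologicalInput(n));
    const fast = timeMs(isEmptyBracesLinear, pathologicalInput(n));
    rows.push({ n, regexMs: slow.elapsed, linearMs: fast.elapsed, result: slow.result });
    console.log(`n=${n}: regex ${slow.elapsed.toFixed(1)} ms, linear ${fast.elapsed.toFixed(3)} ms`);
  }
  return rows;
}

console.log('implementations agree on samples:', implementationsAgree(SAMPLES));
runDemo([5000, 10000, 20000]);
```

Raise the sizes toward the advisory's 50K to reproduce the multi-second stall; the linear check is what a caller should use when the input length is attacker-controlled, since the regex's cost is driven entirely by the length of the comma run rather than by the size of any legitimate brace expression.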