Your message dated Fri, 26 Apr 2019 21:01:10 +0200
with message-id <20190426190110.GA20258@eldamar.local>
and subject line Re: Bug#927716: [Pkg-javascript-devel] Bug#927716:
CVE-2018-1109
has caused the Debian Bug report #927716,
regarding CVE-2018-1109
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
927716: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=927716
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: node-braces
Severity: important
Tags: security
Please see https://snyk.io/vuln/npm:braces:20180219
Patch:
https://github.com/micromatch/braces/commit/abdafb0cae1e0c00f184abbadc692f4eaa98f451
Cheers,
Moritz
--- End Message ---
--- Begin Message ---
Control: notfound 927716 2.0.2-2
Hi Xavier,
On Fri, Apr 26, 2019 at 07:52:55PM +0200, Xavier wrote:
> On 26/04/2019 at 19:40, Xavier wrote:
> > [...]
> > Hello,
> >
> > The regex that causes CVE-2018-1109 was introduced in upstream version
> > 2.2.0, commit dcc1acab [1]. So Buster node-braces seems not concerned by
> > this CVE.
> >
> > https://snyk.io/vuln/npm:braces:20180219 extract:
> >
> >> braces is a Bash-like brace expansion, implemented in JavaScript.
> >>
> >> Affected versions of this package are vulnerable to Regular Expression
> >> Denial of Service (ReDoS) attacks. It used a regular expression
> >> (^\{(,+(?:(\{,+\})*),*|,*(?:(\{,+\})*),+)\}) in order to detect empty
> >> braces. This can cause an impact of about 10 seconds matching time for
> >> data 50K characters long.
> >
> > [...]
> >
> > No regexp in 2.0.2 contains such expression.
> >
> > Time to close this issue ?
> >
> > Cheers,
> > Xavier
> >
> > [1]:
> > https://github.com/micromatch/braces/commit/dcc1acab4de9a43e86ab4be4acde209ff1dca113
> > [2]:
> > https://github.com/micromatch/braces/commit/abdafb0cae1e0c00f184abbadc692f4eaa98f451
>
> Confirmed by https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-1109
Thanks for the thorough analysis of the issue! Agreed then we can
close the bug report. I have updated the security-tracker accordingly in
https://salsa.debian.org/security-tracker-team/security-tracker/commit/02a96c8eab5fc8f7bb8ddcdfed28fb8cf3d03d4f.
Regards,
Salvatore
--- End Message ---
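The Snyk extract quoted in the thread gives the regex that braces 2.2.0 used to recognise "empty braces" and notes that it backtracks badly on long inputs. As an added example (not code from the braces project, from the Debian bug, or from the people in this thread), the block below shows the defender-side fix pattern: the same language recognised by a single left-to-right scan that never backtracks, plus a cross-check against the original regex that is only ever run on short inputs. The function names `isEmptyBraces` and `disagreements` are my own, and the description of the language (commas, then nested `{,+}` groups, then commas, with at least one top-level comma) is my reading of the quoted pattern.

```javascript
// Added example, not code from the braces package or the bug thread.
// The regex quoted in the report,
//   ^\{(,+(?:(\{,+\})*),*|,*(?:(\{,+\})*),+)\}
// is ambiguous: ",+ ... ,*" and ",* ... ,+" can split one run of commas
// in many ways, so on a near-miss input the engine retries every split
// (catastrophic backtracking, the ReDoS).  The language itself is simple:
//   "{", top-level commas, zero or more nested "{,+}" groups,
//   top-level commas, "}", with at least one top-level comma overall.
// A single scan decides membership in O(n) with no backtracking.

function isEmptyBraces(str) {
  const n = str.length;
  let i = 0;
  if (str[i] !== '{') return false;
  i++;

  // Leading top-level commas.
  let topLevelCommas = 0;
  while (i < n && str[i] === ',') { i++; topLevelCommas++; }

  // Zero or more nested groups, each exactly "{" + one or more commas + "}".
  // Anything else inside a group means the input is not in the language.
  while (i < n && str[i] === '{') {
    i++;
    let innerCommas = 0;
    while (i < n && str[i] === ',') { i++; innerCommas++; }
    if (innerCommas === 0 || i >= n || str[i] !== '}') return false;
    i++;
  }

  // Trailing top-level commas, then the closing brace.
  while (i < n && str[i] === ',') { i++; topLevelCommas++; }
  if (i >= n || str[i] !== '}') return false;

  // The original regex is anchored only at the start ("^"), so, like it,
  // this accepts a matching prefix and ignores whatever follows the "}".
  return topLevelCommas > 0;
}

// The pattern as quoted in the advisory, kept only for cross-checking on
// short inputs; never run it on attacker-sized strings.
const ORIGINAL_REGEX = /^\{(,+(?:(\{,+\})*),*|,*(?:(\{,+\})*),+)\}/;

// Returns the sample inputs on which the scanner and the original regex
// disagree.  An empty result means the replacement is behaviour-preserving
// on those inputs.
function disagreements(samples) {
  return samples.filter((s) => isEmptyBraces(s) !== ORIGINAL_REGEX.test(s));
}

// Constructed sample inputs covering the accepted and rejected shapes.
const SAMPLES = [
  '{,}', '{,,,}', '{,{,}}', '{{,},}', '{,{,}{,}}', '{,}x',   // accepted
  '{}', '{{,}}', '{,a}', '{,{}}', '{,{,},{,}}', '', 'a{,}',  // rejected
];

module.exports = { isEmptyBraces, disagreements, SAMPLES };
```

A regression test for a package that carries such a pattern can assert two things: that the replacement agrees with the old regex on a small corpus like `SAMPLES`, and that the replacement returns promptly on an input of the size named in the advisory (about 50K characters), which the linear scanner does while the original regex is never exercised at that size.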
--
Pkg-javascript-devel mailing list
Pkg-javascript-devel@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel