Bug#1022122: node-minimatch 3.0.4+~3.0.3-1+deb11u1 flagged for acceptance
On 04/12/2022 19:11, Adam D. Barratt wrote:
> [...]
> > Hi,
> >
> > no that's the reverse, I cleaned deb11u1 patch in deb11u2, see
> > https://bugs.debian.org/cgi-bin/bugreport.cgi?att=1;bug=1022122;filename=node-minimatch_3.0.4%2B~3.0.3-1%2Bdeb11u1%2Bdeb11u2.debdiff;msg=42
> > (cumulative debdiff)
>
> Right, apparently I was confused by the (not entirely clear, at least
> to me) filenames.
>
> Regards,
>
> Adam

Yes, sorry I introduced unneeded changes in deb11u1. deb11u2 cleans this
and fixes node-glob regression
Bug#1022122: node-minimatch 3.0.4+~3.0.3-1+deb11u1 flagged for acceptance
On Sun, 2022-12-04 at 19:07 +0100, Yadd wrote:
> On 04/12/2022 19:03, Adam D. Barratt wrote:
> > On Tue, 2022-11-29 at 11:14 +0100, Yadd wrote:
> > > On 29/11/2022 10:56, Yadd wrote:
> > > > On 28/11/2022 22:11, Paul Gevers wrote:
> > > > > Hi Yadd,
> > > > >
> > > > > On Sat, 26 Nov 2022 13:01:22 + Adam D Barratt wrote:
> > > > > > The upload referenced by this bug report has been flagged
> > > > > > for acceptance into the proposed-updates queue for Debian
> > > > > > bullseye.
> > > > > >
> > > > > > Thanks for your contribution!
> > > > > >
> > > > > > Upload details
> > > > > > ==============
> > > > > >
> > > > > > Package: node-minimatch
> > > > > > Version: 3.0.4+~3.0.3-1+deb11u1
> > > > > >
> > > > > > Explanation: improve protection against regular expression-
> > > > > > based denial of service [CVE-2022-3517]
> > > > >
> > > > > The upload breaks [1] the autopkgtest of node-glob. Can you
> > > > > have a look?
> > > >
> > > [...]
> > > > the problem is in this part of minimatch.js patch:
> > > >
> > > > @@ -280,7 +306,7 @@
> > > > if (pattern === '') return ''
> > > >
> > > > var re = ''
> > > > - var hasMagic = !!options.nocase
> > > > + var hasMagic = false
> > > > var escaping = false
> > > > // ? => one single character
> > > > var patternListStack = []
> > > >
> > > > We should apply this patch:
> > > > https://github.com/isaacs/minimatch/commit/e4cd4346
> > > >
> > > > I'm going to prepare a new upload
> > >
> > > Here is a new debdiff:
> > > * this cleans CVE-2022-3517 patch (package*.json changes not
> > >   needed)
> > > * this includes regressions fixes from 3.0.6 and 3.0.7
> >
> > If the huge package*.json changes aren't needed, then why are they
> > included? Your stable -> deb11u2 diff contains a *lot* of noise
> > with the changes to package-lock.json.
> >
> > Other than that, the patch does look like it's just the (still
> > quite large) changes from upstream relating to the CVE, so please
> > go ahead.
> >
> > Regards,
>
> Hi,
>
> no that's the reverse, I cleaned deb11u1 patch in deb11u2, see
> https://bugs.debian.org/cgi-bin/bugreport.cgi?att=1;bug=1022122;filename=node-minimatch_3.0.4%2B~3.0.3-1%2Bdeb11u1%2Bdeb11u2.debdiff;msg=42
> (cumulative debdiff)

Right, apparently I was confused by the (not entirely clear, at least to
me) filenames.

Regards,

Adam
Bug#1022122: node-minimatch 3.0.4+~3.0.3-1+deb11u1 flagged for acceptance
On 04/12/2022 19:03, Adam D. Barratt wrote:
> On Tue, 2022-11-29 at 11:14 +0100, Yadd wrote:
> > On 29/11/2022 10:56, Yadd wrote:
> > > On 28/11/2022 22:11, Paul Gevers wrote:
> > > > Hi Yadd,
> > > >
> > > > On Sat, 26 Nov 2022 13:01:22 + Adam D Barratt wrote:
> > > > > The upload referenced by this bug report has been flagged for
> > > > > acceptance into the proposed-updates queue for Debian bullseye.
> > > > >
> > > > > Thanks for your contribution!
> > > > >
> > > > > Upload details
> > > > > ==============
> > > > >
> > > > > Package: node-minimatch
> > > > > Version: 3.0.4+~3.0.3-1+deb11u1
> > > > >
> > > > > Explanation: improve protection against regular expression-
> > > > > based denial of service [CVE-2022-3517]
> > > >
> > > > The upload breaks [1] the autopkgtest of node-glob. Can you have
> > > > a look?
> > [...]
> > > the problem is in this part of minimatch.js patch:
> > >
> > > @@ -280,7 +306,7 @@
> > > if (pattern === '') return ''
> > >
> > > var re = ''
> > > - var hasMagic = !!options.nocase
> > > + var hasMagic = false
> > > var escaping = false
> > > // ? => one single character
> > > var patternListStack = []
> > >
> > > We should apply this patch:
> > > https://github.com/isaacs/minimatch/commit/e4cd4346
> > >
> > > I'm going to prepare a new upload
> >
> > Here is a new debdiff:
> > * this cleans CVE-2022-3517 patch (package*.json changes not needed)
> > * this includes regressions fixes from 3.0.6 and 3.0.7
>
> If the huge package*.json changes aren't needed, then why are they
> included? Your stable -> deb11u2 diff contains a *lot* of noise with
> the changes to package-lock.json.
>
> Other than that, the patch does look like it's just the (still quite
> large) changes from upstream relating to the CVE, so please go ahead.
>
> Regards,

Hi,

no that's the reverse, I cleaned deb11u1 patch in deb11u2, see
https://bugs.debian.org/cgi-bin/bugreport.cgi?att=1;bug=1022122;filename=node-minimatch_3.0.4%2B~3.0.3-1%2Bdeb11u1%2Bdeb11u2.debdiff;msg=42
(cumulative debdiff)

Cheers,
Yadd
Bug#1022122: node-minimatch 3.0.4+~3.0.3-1+deb11u1 flagged for acceptance
On Tue, 2022-11-29 at 11:14 +0100, Yadd wrote:
> On 29/11/2022 10:56, Yadd wrote:
> > On 28/11/2022 22:11, Paul Gevers wrote:
> > > Hi Yadd,
> > >
> > > On Sat, 26 Nov 2022 13:01:22 + Adam D Barratt wrote:
> > > > The upload referenced by this bug report has been flagged for
> > > > acceptance into the proposed-updates queue for Debian bullseye.
> > > >
> > > > Thanks for your contribution!
> > > >
> > > > Upload details
> > > > ==============
> > > >
> > > > Package: node-minimatch
> > > > Version: 3.0.4+~3.0.3-1+deb11u1
> > > >
> > > > Explanation: improve protection against regular expression-
> > > > based denial of service [CVE-2022-3517]
> > >
> > > The upload breaks [1] the autopkgtest of node-glob. Can you have
> > > a look?
> > > [...]
> > the problem is in this part of minimatch.js patch:
> >
> > @@ -280,7 +306,7 @@
> > if (pattern === '') return ''
> >
> > var re = ''
> > - var hasMagic = !!options.nocase
> > + var hasMagic = false
> > var escaping = false
> > // ? => one single character
> > var patternListStack = []
> >
> > We should apply this patch:
> > https://github.com/isaacs/minimatch/commit/e4cd4346
> >
> > I'm going to prepare a new upload
>
> Here is a new debdiff:
> * this cleans CVE-2022-3517 patch (package*.json changes not
>   needed)
> * this includes regressions fixes from 3.0.6 and 3.0.7

If the huge package*.json changes aren't needed, then why are they
included? Your stable -> deb11u2 diff contains a *lot* of noise with
the changes to package-lock.json.

Other than that, the patch does look like it's just the (still quite
large) changes from upstream relating to the CVE, so please go ahead.

Regards,

Adam
Bug#1022122: node-minimatch 3.0.4+~3.0.3-1+deb11u1 flagged for acceptance
On 29/11/2022 11:25, Yadd wrote:
> On 29/11/2022 11:14, Yadd wrote:
> > On 29/11/2022 10:56, Yadd wrote:
> > > On 28/11/2022 22:11, Paul Gevers wrote:
> > > > Hi Yadd,
> > > >
> > > > On Sat, 26 Nov 2022 13:01:22 + Adam D Barratt wrote:
> > > > > The upload referenced by this bug report has been flagged for
> > > > > acceptance into the proposed-updates queue for Debian bullseye.
> > > > >
> > > > > Thanks for your contribution!
> > > > >
> > > > > Upload details
> > > > > ==============
> > > > >
> > > > > Package: node-minimatch
> > > > > Version: 3.0.4+~3.0.3-1+deb11u1
> > > > >
> > > > > Explanation: improve protection against regular expression-based
> > > > > denial of service [CVE-2022-3517]
> > > >
> > > > The upload breaks [1] the autopkgtest of node-glob. Can you have
> > > > a look?
> > > >
> > > > Paul
> > > >
> > > > [...]
> > >
> > > Hi,
> > >
> > > the problem is in this part of minimatch.js patch:
> > >
> > > @@ -280,7 +306,7 @@
> > > if (pattern === '') return ''
> > >
> > > var re = ''
> > > - var hasMagic = !!options.nocase
> > > + var hasMagic = false
> > > var escaping = false
> > > // ? => one single character
> > > var patternListStack = []
> > >
> > > We should apply this patch:
> > > https://github.com/isaacs/minimatch/commit/e4cd4346
> > >
> > > I'm going to prepare a new upload
> >
> > Here is a new debdiff:
> > * this cleans CVE-2022-3517 patch (package*.json changes not needed)
> > * this includes regressions fixes from 3.0.6 and 3.0.7
> >
> > To help, I built a cumulative debdiff (u1 + u2), easier to read.
> >
> > Do I have to open a new BTS ?
> >
> > Cheers,
> > Yadd
>
> Of course, verified with node-glob, all is OK now

Hi,

can I push this new version to stable-proposed-updates ?
Bug#1022122: node-minimatch 3.0.4+~3.0.3-1+deb11u1 flagged for acceptance
On 29/11/2022 11:14, Yadd wrote:
> On 29/11/2022 10:56, Yadd wrote:
> > On 28/11/2022 22:11, Paul Gevers wrote:
> > > Hi Yadd,
> > >
> > > On Sat, 26 Nov 2022 13:01:22 + Adam D Barratt wrote:
> > > > The upload referenced by this bug report has been flagged for
> > > > acceptance into the proposed-updates queue for Debian bullseye.
> > > >
> > > > Thanks for your contribution!
> > > >
> > > > Upload details
> > > > ==============
> > > >
> > > > Package: node-minimatch
> > > > Version: 3.0.4+~3.0.3-1+deb11u1
> > > >
> > > > Explanation: improve protection against regular expression-based
> > > > denial of service [CVE-2022-3517]
> > >
> > > The upload breaks [1] the autopkgtest of node-glob. Can you have
> > > a look?
> > >
> > > Paul
> > >
> > > [...]
> >
> > Hi,
> >
> > the problem is in this part of minimatch.js patch:
> >
> > @@ -280,7 +306,7 @@
> > if (pattern === '') return ''
> >
> > var re = ''
> > - var hasMagic = !!options.nocase
> > + var hasMagic = false
> > var escaping = false
> > // ? => one single character
> > var patternListStack = []
> >
> > We should apply this patch:
> > https://github.com/isaacs/minimatch/commit/e4cd4346
> >
> > I'm going to prepare a new upload
>
> Here is a new debdiff:
> * this cleans CVE-2022-3517 patch (package*.json changes not needed)
> * this includes regressions fixes from 3.0.6 and 3.0.7
>
> To help, I built a cumulative debdiff (u1 + u2), easier to read.
>
> Do I have to open a new BTS ?
>
> Cheers,
> Yadd

Of course, verified with node-glob, all is OK now
Bug#1022122: node-minimatch 3.0.4+~3.0.3-1+deb11u1 flagged for acceptance
On 28/11/2022 22:11, Paul Gevers wrote:
> Hi Yadd,
>
> On Sat, 26 Nov 2022 13:01:22 + Adam D Barratt wrote:
> > The upload referenced by this bug report has been flagged for
> > acceptance into the proposed-updates queue for Debian bullseye.
> >
> > Thanks for your contribution!
> >
> > Upload details
> > ==============
> >
> > Package: node-minimatch
> > Version: 3.0.4+~3.0.3-1+deb11u1
> >
> > Explanation: improve protection against regular expression-based
> > denial of service [CVE-2022-3517]
>
> The upload breaks [1] the autopkgtest of node-glob. Can you have a
> look?
>
> Paul
>
> [1] https://ci.debian.net/packages/n/node-glob/stable/amd64/
>
> 4 failing
>
> 1) test/nocase-nomagic.js nocase, nomagic should be equivalent:
>    Error: should be equivalent
>    + expected - actual
>    -[]
>    +[
>    +  "/TMP/A"
>    +  "/TMP/a"
>    +  "/tMP/A"
>    +  "/tMP/a"
>    +  "/tMp/A"
>    +  "/tMp/a"
>    +  "/tmp/A"
>    +  "/tmp/a"
>    +]
>    at test/nocase-nomagic.js:98:7
>    at f (/usr/lib/nodejs/once/once.js:25:25)
>    at Glob. (/usr/share/nodejs/glob/glob.js:151:7)
>    at Glob._finish (/usr/share/nodejs/glob/glob.js:197:8)
>    at done (/usr/share/nodejs/glob/glob.js:182:14)
>    at Glob._processSimple2 (/usr/share/nodejs/glob/glob.js:688:12)
>    at /usr/share/nodejs/glob/glob.js:676:10
>    at Glob._stat2 (/usr/share/nodejs/glob/glob.js:772:12)
>    at lstatcb_ (/usr/share/nodejs/glob/glob.js:764:12)
>    at RES (/usr/lib/nodejs/inflight/inflight.js:31:16)
>    at f (/usr/lib/nodejs/once/once.js:25:25)
>
> 2) test/nocase-nomagic.js nocase, nomagic should be equivalent:
>    Error: should be equivalent
>    + expected - actual
>    -[]
>    +[
>    +  "/TMP/A"
>    +  "/TMP/a"
>    +  "/tMP/A"
>    +  "/tMP/a"
>    +  "/tMp/A"
>    +  "/tMp/a"
>    +  "/tmp/A"
>    +  "/tmp/a"
>    +]
>    at test/nocase-nomagic.js:108:7
>    at f (/usr/lib/nodejs/once/once.js:25:25)
>    at Glob. (/usr/share/nodejs/glob/glob.js:151:7)
>    at Glob._finish (/usr/share/nodejs/glob/glob.js:197:8)
>    at done (/usr/share/nodejs/glob/glob.js:182:14)
>    at Glob._processSimple2 (/usr/share/nodejs/glob/glob.js:688:12)
>    at /usr/share/nodejs/glob/glob.js:676:10
>    at Glob._stat2 (/usr/share/nodejs/glob/glob.js:772:12)
>    at lstatcb_ (/usr/share/nodejs/glob/glob.js:764:12)
>    at RES (/usr/lib/nodejs/inflight/inflight.js:31:16)
>    at f (/usr/lib/nodejs/once/once.js:25:25)
>
> 3) test/nocase-nomagic.js nocase, with some magic should be equivalent:
>    Error: should be equivalent
>    + expected - actual
>    [
>    +  "/TMP/A"
>    +  "/TMP/a"
>    +  "/tMP/A"
>    +  "/tMP/a"
>    +  "/tMp/A"
>    +  "/tMp/a"
>       "/tmp/A"
>       "/tmp/a"
>    ]
>    at test/nocase-nomagic.js:137:7
>    at f (/usr/lib/nodejs/once/once.js:25:25)
>    at Glob. (/usr/share/nodejs/glob/glob.js:151:7)
>    at Glob._finish (/usr/share/nodejs/glob/glob.js:197:8)
>    at done (/usr/share/nodejs/glob/glob.js:182:14)
>    at Glob._processReaddir2 (/usr/share/nodejs/glob/glob.js:434:12)
>    at /usr/share/nodejs/glob/glob.js:371:17
>    at RES (/usr/lib/nodejs/inflight/inflight.js:31:16)
>    at f (/usr/lib/nodejs/once/once.js:25:25)
>    at Glob._readdirEntries (/usr/share/nodejs/glob/glob.js:578:10)
>    at /usr/share/nodejs/glob/glob.js:555:12
>    at test/nocase-nomagic.js:62:9
>
> 4) test/nocase-nomagic.js nocase, with some magic should be equivalent:
>    Error: should be equivalent
>    + expected - actual
>    [
>    +  "/TMP/A"
>    +  "/TMP/a"
>    +  "/tMP/A"
>    +  "/tMP/a"
>    +  "/tMp/A"
>    +  "/tMp/a"
>       "/tmp/A"
>       "/tmp/a"
>    ]
>    at test/nocase-nomagic.js:147:7
>    at f (/usr/lib/nodejs/once/once.js:25:25)
>    at Glob. (/usr/share/nodejs/glob/glob.js:151:7)
>    at Glob._finish (/usr/share/nodejs/glob/glob.js:197:8)
>    at done (/usr/share/nodejs/glob/glob.js:182:14)
>    at Glob._processReaddir2 (/usr/share/nodejs/glob/glob.js:434:12)
>    at /usr/share/nodejs/glob/glob.js:371:17
>    at RES (/usr/lib/nodejs/inflight/inflight.js:31:16)
>    at f (/usr/lib/nodejs/once/once.js:25:25)
>    at Glob._readdirEntries (/usr/share/nodejs/glob/glob.js:578:10)
>    at /usr/share/nodejs/glob/glob.js:555:12
>    at test/nocase-nomagic.js:62:9

Hi,

the problem is in this part of minimatch.js patch:

@@ -280,7 +306,7 @@
if (pattern === '') return ''

var re = ''
- var hasMagic = !!options.nocase
+ var hasMagic = false
var escaping = false
// ? => one single character
var patternListStack = []

We should apply this patch:
https://github.com/isaacs/minimatch/commit/e4cd4346

I'm going to prepare a new upload
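Review bot: the replaced pair `- var hasMagic = !!options.nocase` / `+ var hasMagic = false` removes the only point where the `nocase` option by itself marks a pattern as magic, so a pattern without any glob characters is no longer sent through the matcher when case-insensitive matching was requested. The quoted node-glob output shows exactly that: the two `nocase, nomagic` failures come up through `Glob._processSimple2` and `Glob._stat2` (the literal-lookup path) and return `[]` where eight case variants were expected, and the two `with some magic` failures find only the exact-case `/tmp/A` and `/tmp/a`. Reverting this one line to the `!!options.nocase` initialisation, as upstream commit e4cd4346 cited above does, is the correct fix; the deb11u2 upload should be checked against the node-glob autopkgtest before it goes to proposed-updates, since that test is the regression signal for this hunk.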
Bug#1022122: node-minimatch 3.0.4+~3.0.3-1+deb11u1 flagged for acceptance
Hi Yadd,

On Sat, 26 Nov 2022 13:01:22 + Adam D Barratt wrote:
> The upload referenced by this bug report has been flagged for
> acceptance into the proposed-updates queue for Debian bullseye.
>
> Thanks for your contribution!
>
> Upload details
> ==============
>
> Package: node-minimatch
> Version: 3.0.4+~3.0.3-1+deb11u1
>
> Explanation: improve protection against regular expression-based
> denial of service [CVE-2022-3517]

The upload breaks [1] the autopkgtest of node-glob. Can you have a
look?

Paul

[1] https://ci.debian.net/packages/n/node-glob/stable/amd64/

4 failing

1) test/nocase-nomagic.js nocase, nomagic should be equivalent:
   Error: should be equivalent
   + expected - actual
   -[]
   +[
   +  "/TMP/A"
   +  "/TMP/a"
   +  "/tMP/A"
   +  "/tMP/a"
   +  "/tMp/A"
   +  "/tMp/a"
   +  "/tmp/A"
   +  "/tmp/a"
   +]
   at test/nocase-nomagic.js:98:7
   at f (/usr/lib/nodejs/once/once.js:25:25)
   at Glob. (/usr/share/nodejs/glob/glob.js:151:7)
   at Glob._finish (/usr/share/nodejs/glob/glob.js:197:8)
   at done (/usr/share/nodejs/glob/glob.js:182:14)
   at Glob._processSimple2 (/usr/share/nodejs/glob/glob.js:688:12)
   at /usr/share/nodejs/glob/glob.js:676:10
   at Glob._stat2 (/usr/share/nodejs/glob/glob.js:772:12)
   at lstatcb_ (/usr/share/nodejs/glob/glob.js:764:12)
   at RES (/usr/lib/nodejs/inflight/inflight.js:31:16)
   at f (/usr/lib/nodejs/once/once.js:25:25)

2) test/nocase-nomagic.js nocase, nomagic should be equivalent:
   Error: should be equivalent
   + expected - actual
   -[]
   +[
   +  "/TMP/A"
   +  "/TMP/a"
   +  "/tMP/A"
   +  "/tMP/a"
   +  "/tMp/A"
   +  "/tMp/a"
   +  "/tmp/A"
   +  "/tmp/a"
   +]
   at test/nocase-nomagic.js:108:7
   at f (/usr/lib/nodejs/once/once.js:25:25)
   at Glob. (/usr/share/nodejs/glob/glob.js:151:7)
   at Glob._finish (/usr/share/nodejs/glob/glob.js:197:8)
   at done (/usr/share/nodejs/glob/glob.js:182:14)
   at Glob._processSimple2 (/usr/share/nodejs/glob/glob.js:688:12)
   at /usr/share/nodejs/glob/glob.js:676:10
   at Glob._stat2 (/usr/share/nodejs/glob/glob.js:772:12)
   at lstatcb_ (/usr/share/nodejs/glob/glob.js:764:12)
   at RES (/usr/lib/nodejs/inflight/inflight.js:31:16)
   at f (/usr/lib/nodejs/once/once.js:25:25)

3) test/nocase-nomagic.js nocase, with some magic should be equivalent:
   Error: should be equivalent
   + expected - actual
   [
   +  "/TMP/A"
   +  "/TMP/a"
   +  "/tMP/A"
   +  "/tMP/a"
   +  "/tMp/A"
   +  "/tMp/a"
      "/tmp/A"
      "/tmp/a"
   ]
   at test/nocase-nomagic.js:137:7
   at f (/usr/lib/nodejs/once/once.js:25:25)
   at Glob. (/usr/share/nodejs/glob/glob.js:151:7)
   at Glob._finish (/usr/share/nodejs/glob/glob.js:197:8)
   at done (/usr/share/nodejs/glob/glob.js:182:14)
   at Glob._processReaddir2 (/usr/share/nodejs/glob/glob.js:434:12)
   at /usr/share/nodejs/glob/glob.js:371:17
   at RES (/usr/lib/nodejs/inflight/inflight.js:31:16)
   at f (/usr/lib/nodejs/once/once.js:25:25)
   at Glob._readdirEntries (/usr/share/nodejs/glob/glob.js:578:10)
   at /usr/share/nodejs/glob/glob.js:555:12
   at test/nocase-nomagic.js:62:9

4) test/nocase-nomagic.js nocase, with some magic should be equivalent:
   Error: should be equivalent
   + expected - actual
   [
   +  "/TMP/A"
   +  "/TMP/a"
   +  "/tMP/A"
   +  "/tMP/a"
   +  "/tMp/A"
   +  "/tMp/a"
      "/tmp/A"
      "/tmp/a"
   ]
   at test/nocase-nomagic.js:147:7
   at f (/usr/lib/nodejs/once/once.js:25:25)
   at Glob. (/usr/share/nodejs/glob/glob.js:151:7)
   at Glob._finish (/usr/share/nodejs/glob/glob.js:197:8)
   at done (/usr/share/nodejs/glob/glob.js:182:14)
   at Glob._processReaddir2 (/usr/share/nodejs/glob/glob.js:434:12)
   at /usr/share/nodejs/glob/glob.js:371:17
   at RES (/usr/lib/nodejs/inflight/inflight.js:31:16)
   at f (/usr/lib/nodejs/once/once.js:25:25)
   at Glob._readdirEntries (/usr/share/nodejs/glob/glob.js:578:10)
   at /usr/share/nodejs/glob/glob.js:555:12
   at test/nocase-nomagic.js:62:9
Bug#1022122: node-minimatch 3.0.4+~3.0.3-1+deb11u1 flagged for acceptance
package release.debian.org
tags 1022122 = bullseye pending
thanks

Hi,

The upload referenced by this bug report has been flagged for acceptance
into the proposed-updates queue for Debian bullseye.

Thanks for your contribution!

Upload details
==============

Package: node-minimatch
Version: 3.0.4+~3.0.3-1+deb11u1

Explanation: improve protection against regular expression-based denial
of service [CVE-2022-3517]