Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu
[ Reason ]
node-hawk used a regular expression to parse `Host` HTTP header
(`Hawk.utils.parseHost()`), which was subject to regular expression DoS attack
(CVE-2022-29167).
[ Impact ]
Medium security issue
[ Tests ]
Sadly, the test suite is not run in Bullseye.
[ Risks ]
Low risk, patch is trivial
[ Checklist ]
[X] *all* changes are documented in the d/changelog
[X] I reviewed all changes and I approve them
[X] attach debdiff against the package in (old)stable
[X] the issue is verified as fixed in unstable
Replace custom url parsing by `url` functions.
Cheers,
Yadd
diff --git a/debian/changelog b/debian/changelog
index 7a55fa8..a913487 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+node-hawk (8.0.1+dfsg-2+deb11u1) bullseye; urgency=medium
+
+ * Team upload
+ * Parse URLs using stdlib (Closes: CVE-2022-29167)
+
+ -- Yadd Sun, 04 Dec 2022 11:39:16 +0100
+
node-hawk (8.0.1+dfsg-2) unstable; urgency=medium
* Team upload
diff --git a/debian/patches/CVE-2022-29167.patch
b/debian/patches/CVE-2022-29167.patch
new file mode 100644
index 000..2c41b08
--- /dev/null
+++ b/debian/patches/CVE-2022-29167.patch
@@ -0,0 +1,57 @@
+Description: Parse URLs using stdlib
+Author: Yaraslau Kurmyza
+Origin: upstream, https://github.com/mozilla/hawk/commit/ade13411
+Bug: https://github.com/mozilla/hawk/security/advisories/GHSA-44pw-h2cw-w3vq
+Forwarded: not-needed
+Applied-Upstream: 9.0.1, ade13411
+Reviewed-By: Yadd
+Last-Update: 2022-12-04
+
+--- a/lib/utils.js
b/lib/utils.js
+@@ -2,6 +2,7 @@
+
+ const Boom = require('@hapi/boom');
+ const Sntp = require('@hapi/sntp');
++const Url = require('url');
+
+
+ const internals = {};
+@@ -18,17 +19,19 @@
+ };
+
+
+-// Extract host and port from request
+-
+-//$1$2
+-internals.hostHeaderRegex =
/^(?:(?:\r\n)?\s)*((?:[^:]+)|(?:\[[^\]]+\]))(?::(\d+))?(?:(?:\r\n)?\s)*$/;
// (IPv4, hostname)|(IPv6)
+-
+-
+ exports.parseHost = function (req, hostHeaderName) {
+
+ hostHeaderName = (hostHeaderName ? hostHeaderName.toLowerCase() : 'host');
+ const hostHeader = req.headers[hostHeaderName];
+-if (!hostHeader) {
++if (hostHeader.indexOf('/') !== -1) {
++return null;
++}
++
++let uri;
++try {
++uri = new Url.URL('http://' + hostHeader);
++}
++catch (err) {
+ return null;
+ }
+
+@@ -42,8 +45,8 @@
+ }
+
+ return {
+-name: hostParts[1],
+-port: (hostParts[2] ? hostParts[2] : (req.connection &&
req.connection.encrypted ? 443 : 80))
++name: uri.hostname,
++port: (uri.port ? uri.port : (req.connection &&
req.connection.encrypted ? 443 : 80))
+ };
+ };
+
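Review bot: The missing-header guard is dropped by the second hunk of this patch — the removed `if (!hostHeader) {` is replaced by `if (hostHeader.indexOf('/') !== -1) {` with the following `return null;` kept as context, so a request that carries no `Host` header now throws a TypeError from `hostHeader.indexOf` where `parseHost` previously returned null. Restore the guard ahead of the new check, `if (!hostHeader) { return null; }`, before `if (hostHeader.indexOf('/') !== -1) {`; the hunk counts (17 old, 19 new) show only that one line was removed, so this looks like a backport slip rather than an intentional change and is worth confirming against the upstream commit named in the Origin field. A smaller point: `new Url.URL('http://' + hostHeader)` presumably normalizes the value (lowercasing, userinfo handling) so `uri.hostname` can differ from the raw header that the old regex captured verbatim, and a comment above the try such as `// Reject path-like values first; URL() normalizes the rest, so name may differ from the raw header` would record that for the next reader. parseHost's body continues between the two hunks, outside the shown lines.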
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 000..43fa212
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1 @@
+CVE-2022-29167.patch