Processed: Re: Bug#1025414: bullseye-pu: package node-hawk/8.0.1+dfsg-2+deb11u1

2022-12-07 Thread Debian Bug Tracking System
Processing control commands:

> tags -1 + confirmed
Bug #1025414 [release.debian.org] bullseye-pu: package 
node-hawk/8.0.1+dfsg-2+deb11u1
Added tag(s) confirmed.

-- 
1025414: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1025414
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#1025414: bullseye-pu: package node-hawk/8.0.1+dfsg-2+deb11u1

2022-12-07 Thread Adam D. Barratt
Control: tags -1 + confirmed

On Sun, 2022-12-04 at 11:42 +0100, Yadd wrote:
> node-hawk used a regular expression to parse the `Host` HTTP header
> (`Hawk.utils.parseHost()`), which was subject to a regular expression
> DoS attack
> (CVE-2022-29167).
> 

Please go ahead.

Regards,

Adam



Bug#1025414: bullseye-pu: package node-hawk/8.0.1+dfsg-2+deb11u1

2022-12-04 Thread Yadd
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu

[ Reason ]
node-hawk used a regular expression to parse the `Host` HTTP header
(`Hawk.utils.parseHost()`), which was subject to a regular expression DoS attack
(CVE-2022-29167).

[ Impact ]
Medium security issue

[ Tests ]
Sadly, tests were not launched in Bullseye

[ Risks ]
Low risk, patch is trivial

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

Replace custom URL parsing with `url` functions.

Cheers,
Yadd
diff --git a/debian/changelog b/debian/changelog
index 7a55fa8..a913487 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+node-hawk (8.0.1+dfsg-2+deb11u1) bullseye; urgency=medium
+
+  * Team upload
+  * Parse URLs using stdlib (Closes: CVE-2022-29167)
+
+ -- Yadd   Sun, 04 Dec 2022 11:39:16 +0100
+
 node-hawk (8.0.1+dfsg-2) unstable; urgency=medium
 
   * Team upload
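Review bot: `Closes: CVE-2022-29167` in the new changelog entry is not a bug number, so the `Closes:` keyword will not close anything in the BTS; the usual form is to cite the CVE plainly, `* Parse URLs using stdlib (CVE-2022-29167)`, and add `Closes: #NNNNNN` only when a tracking bug exists. Otherwise the entry (bullseye target, `+deb11u1` version, `urgency=medium`) matches the pu request.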
diff --git a/debian/patches/CVE-2022-29167.patch 
b/debian/patches/CVE-2022-29167.patch
new file mode 100644
index 000..2c41b08
--- /dev/null
+++ b/debian/patches/CVE-2022-29167.patch
@@ -0,0 +1,57 @@
+Description: Parse URLs using stdlib
+Author: Yaraslau Kurmyza 
+Origin: upstream, https://github.com/mozilla/hawk/commit/ade13411
+Bug: https://github.com/mozilla/hawk/security/advisories/GHSA-44pw-h2cw-w3vq
+Forwarded: not-needed
+Applied-Upstream: 9.0.1, ade13411
+Reviewed-By: Yadd 
+Last-Update: 2022-12-04
+
+--- a/lib/utils.js
 b/lib/utils.js
+@@ -2,6 +2,7 @@
+ 
+ const Boom = require('@hapi/boom');
+ const Sntp = require('@hapi/sntp');
++const Url = require('url');
+ 
+ 
+ const internals = {};
+@@ -18,17 +19,19 @@
+ };
+ 
+ 
+-// Extract host and port from request
+-
+-//$1$2
+-internals.hostHeaderRegex = 
/^(?:(?:\r\n)?\s)*((?:[^:]+)|(?:\[[^\]]+\]))(?::(\d+))?(?:(?:\r\n)?\s)*$/;  
// (IPv4, hostname)|(IPv6)
+-
+-
+ exports.parseHost = function (req, hostHeaderName) {
+ 
+ hostHeaderName = (hostHeaderName ? hostHeaderName.toLowerCase() : 'host');
+ const hostHeader = req.headers[hostHeaderName];
+-if (!hostHeader) {
++if (hostHeader.indexOf('/') !== -1) {
++return null;
++}
++
++let uri;
++try {
++uri = new Url.URL('http://' + hostHeader);
++}
++catch (err) {
+ return null;
+ }
+ 
+@@ -42,8 +45,8 @@
+ }
+ 
+ return {
+-name: hostParts[1],
+-port: (hostParts[2] ? hostParts[2] : (req.connection && 
req.connection.encrypted ? 443 : 80))
++name: uri.hostname,
++port: (uri.port ? uri.port : (req.connection && 
req.connection.encrypted ? 443 : 80))
+ };
+ };
+ 
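Review bot: the new `parseHost` drops the missing-header guard (the `-if (!hostHeader) {` line is replaced by `+if (hostHeader.indexOf('/') !== -1) {`), so a request with no `Host` header now throws a TypeError on `undefined.indexOf` instead of returning null; keep the null check ahead of the `indexOf` test. Two things the hunk does not show should be verified: the unchanged lines between the two `lib/utils.js` hunks must no longer reference `internals.hostHeaderRegex` or `hostParts` now that the regex is deleted and the return uses `uri.hostname` / `uri.port`, and since the WHATWG URL parser reports an empty `port` when it equals the scheme default, `Host: example.com:80` on an encrypted connection now falls through to 443 where the old `hostParts[2]` kept `80`. Also, as quoted here the `+++ b/lib/utils.js` file header has lost its `+` prefixes (` b/lib/utils.js`); check that the patch in the upload applies cleanly.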
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 000..43fa212
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1 @@
+CVE-2022-29167.patch