Processed: Re: Bug#1032134: bullseye-pu: package node-cookiejar/2.1.2-1+deb11u1

2023-04-01 Thread Debian Bug Tracking System
Processing control commands:

> tags -1 + confirmed
Bug #1032134 [release.debian.org] bullseye-pu: package node-cookiejar/2.1.2-1+deb11u1
Added tag(s) confirmed.

-- 
1032134: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1032134
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#1032134: bullseye-pu: package node-cookiejar/2.1.2-1+deb11u1

2023-04-01 Thread Adam D. Barratt
Control: tags -1 + confirmed

On Tue, 2023-02-28 at 18:00 +0400, Yadd wrote:
> node-cookiejar is vulnerable to ReDoS (CVE-2022-25901).
> 

Please go ahead.

Regards,

Adam



Bug#1032134: bullseye-pu: package node-cookiejar/2.1.2-1+deb11u1

2023-02-28 Thread Yadd
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: node-cookie...@packages.debian.org
Control: affects -1 + src:node-cookiejar

[ Reason ]
node-cookiejar is vulnerable to ReDoS (CVE-2022-25901).

[ Impact ]
Medium security issue.

[ Tests ]
Test passed

[ Risks ]
No risk, patch is trivial

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

[ Changes ]
Check if cookie is not too big

Cheers,
Yadd
diff --git a/debian/changelog b/debian/changelog
index d31a10d..2ecbcad 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+node-cookiejar (2.1.2-1+deb11u1) bullseye; urgency=medium
+
+  * Team upload
+  * Add a guard against maliciously-sized cookies (Closes: CVE-2022-25901)
+
+ -- Yadd   Tue, 28 Feb 2023 17:55:16 +0400
+
 node-cookiejar (2.1.2-1) unstable; urgency=medium
 
   * Team upload
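Review bot: in the new 2.1.2-1+deb11u1 entry, `(Closes: CVE-2022-25901)` uses the Closes: keyword with a CVE id, while that keyword is conventionally followed by Debian bug numbers. Naming the CVE plainly, for example `(CVE-2022-25901)`, reads more clearly. The entry would also document the behavioural change better if it stated the limit the patch introduces (cookies longer than 32768 characters are no longer parsed), since that is what users of the stable package will notice.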
diff --git a/debian/patches/CVE-2022-25901.patch 
b/debian/patches/CVE-2022-25901.patch
new file mode 100644
index 000..8933f32
--- /dev/null
+++ b/debian/patches/CVE-2022-25901.patch
@@ -0,0 +1,22 @@
+Description: add a guard against maliciously-sized cookies
+Author: Andy Burke 
+Bug: https://github.com/TheKingTermux/alice/issues/240
+Forwarded: not-needed
+Applied-Upstream: 2.1.4, https://github.com/bmeck/node-cookiejar/pull/39
+Reviewed-By: Yadd 
+Last-Update: 2023-02-28
+
+--- a/cookiejar.js
 b/cookiejar.js
+@@ -65,6 +65,11 @@
+ var cookie_str_splitter = /[:](?=\s*[a-zA-Z0-9_\-]+\s*[=])/g;
+ Cookie.prototype.parse = function parse(str, request_domain, 
request_path) {
+ if (this instanceof Cookie) {
++if ( str.length > 32768 ) {
++console.warn("Cookie too long for parsing (>32768 
characters)");
++return;
++}
++
+ var parts = str.split(";").filter(function (value) {
+ return !!value;
+ });
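Review bot: the new guard at the top of `Cookie.prototype.parse` leaves through a bare `return;`, so a caller gets `undefined` for an oversized cookie and the only signal is a `console.warn` line. It is worth confirming that this matches what the function returns on its other failure paths, and that callers handle it, because the input that triggers it is attacker-controlled and each such cookie also writes a line to stderr. The limit `32768` is written twice, once in the condition and once in the message; a single named constant would keep the two in sync. The guard bounds the input length and leaves the regular expressions as they are, so the patch description could say that parsing cost is capped rather than removed. Separately, the `Bug:` header points at `github.com/TheKingTermux/alice/issues/240`, while `Applied-Upstream:` names `bmeck/node-cookiejar`; that reference should be checked against the upstream project.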
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 000..239e3ed
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1 @@
+CVE-2022-25901.patch