Package: release.debian.org Severity: normal User: release.debian....@packages.debian.org Usertags: unblock
Please unblock package node-ws [ Reason ] node-ws is vulnerable to a ReDoS (regular-expression denial of service, CVE-2021-32640): a specially crafted value of the `Sec-Websocket-Protocol` header could be used to significantly slow down a ws server. [ Impact ] Medium-severity vulnerability [ Tests ] No change in tests [ Risks ] No risk: the patch is trivial (the regex split of the header value is replaced by a plain split plus a per-entry trim) [ Checklist ] [X] all changes are documented in the d/changelog [X] I reviewed all changes and I approve them [X] attach debdiff against the package in testing Cheers, Yadd unblock node-ws/7.4.2+~cs18.0.8-2
diff --git a/debian/changelog b/debian/changelog
index 5c44772..f349028 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+node-ws (7.4.2+~cs18.0.8-2) unstable; urgency=medium
+
+  * Team upload
+  * Fix GitHub tags regex
+  * Fix ReDoS vulnerability (Closes: CVE-2021-32640)
+
+ -- Yadd <y...@debian.org>  Wed, 26 May 2021 08:26:30 +0200
+
 node-ws (7.4.2+~cs18.0.8-1) unstable; urgency=medium
 
   * Team upload
diff --git a/debian/patches/CVE-2021-32640.patch b/debian/patches/CVE-2021-32640.patch
new file mode 100644
index 0000000..648faae
--- /dev/null
+++ b/debian/patches/CVE-2021-32640.patch
@@ -0,0 +1,40 @@
+Description: Fix ReDoS vulnerability
+ A specially crafted value of the `Sec-Websocket-Protocol` header could
+ be used to significantly slow down a ws server.
+ .
+ PoC and fix were sent privately by Robert McLaughlin from University of
+ California, Santa Barbara.
+Author: Luigi Pinca <luigipi...@gmail.com>
+Origin: upstream, https://github.com/websockets/ws/commit/00c425e
+Bug: https://github.com/websockets/ws/security/advisories/GHSA-6fc8-4gx4-v693
+Forwarded: not-needed
+Reviewed-By: Yadd <y...@debian.org>
+Last-Update: 2021-05-26
+
+--- a/lib/websocket-server.js
++++ b/lib/websocket-server.js
+@@ -286,7 +286,7 @@
+     let protocol = req.headers['sec-websocket-protocol'];
+ 
+     if (protocol) {
+-      protocol = protocol.trim().split(/ *, */);
++      protocol = protocol.split(',').map(trim);
+ 
+       //
+       // Optionally call external protocol selection handler.
+@@ -404,3 +404,15 @@
+   socket.removeListener('error', socketOnError);
+   socket.destroy();
+ }
++
++/**
++ * Remove whitespace characters from both ends of a string.
++ *
++ * @param {String} str The string
++ * @return {String} A new string representing `str` stripped of whitespace
++ *   characters from both its beginning and end
++ * @private
++ */
++function trim(str) {
++  return str.trim();
++}
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 0000000..c58b9aa
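Review bot: The new `protocol.split(',').map(trim)` is linear and closes the ReDoS, but it still hands empty and duplicate entries to the selection step: `Sec-WebSocket-Protocol: ,chat` becomes `['', 'chat']` and `chat,,chat` becomes `['chat', '', 'chat']`, with no check that each entry is an RFC 6455 token. The previous `trim().split(/ *, */)` produced the same arrays, so this is a pre-existing gap rather than a regression, but the split is the natural place to close it now: after the `.map(trim)` line add `if (protocol.includes('') || new Set(protocol).size !== protocol.length) { /* reject the handshake with 400 */ }`, using the existing 400 abort path (its tail, `socket.removeListener('error', socketOnError); socket.destroy();`, appears in the second hunk, but its name and signature are outside this view, so confirm the call). Since the header value is already bounded by Node's HTTP header-size limit, the plain split cannot be amplified into a large allocation. The method enclosing the first hunk starts and ends outside the hunk, and the new `trim` helper would read better with a one-line why comment, e.g. `// Named function so it can be passed straight to Array#map.`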
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1 @@
+CVE-2021-32640.patch
diff --git a/debian/watch b/debian/watch
index aa7ee90..8d06a3a 100644
--- a/debian/watch
+++ b/debian/watch
@@ -1,32 +1,32 @@
 version=4
 opts=filenamemangle=s/.*\/v?([\d\.-]+)\.tar\.gz/ws-$1.tar.gz/,\
 dversionmangle=auto \
-https://github.com/websockets/ws/tags .*/archive/v?([\d\.]+).tar.gz group
+https://github.com/websockets/ws/tags .*/archive/.*/v?([\d\.]+).tar.gz group
 
 opts=\
 ctype=nodejs,\
 component=utf-8-validate,\
 dversionmangle=auto,\
 filenamemangle=s/.*\/v?([\d\.-]+)\.tar\.gz/node-utf-8-validate-$1.tar.gz/ \
- https://github.com/websockets/utf-8-validate/tags .*/archive/v?([\d\.]+).tar.gz checksum
+ https://github.com/websockets/utf-8-validate/tags .*/archive/.*/v?([\d\.]+).tar.gz checksum
 
 opts=\
 ctype=nodejs,\
 component=bufferutil,\
 dversionmangle=auto,\
 filenamemangle=s/.*\/v?([\d\.-]+)\.tar\.gz/node-bufferutil-$1.tar.gz/ \
- https://github.com/websockets/bufferutil/tags .*/archive/v?([\d\.]+).tar.gz checksum
+ https://github.com/websockets/bufferutil/tags .*/archive/.*/v?([\d\.]+).tar.gz checksum
 
 opts=\
 ctype=nodejs,\
 component=wscat,\
 dversionmangle=auto,\
 filenamemangle=s/.*\/v?([\d\.-]+)\.tar\.gz/node-wscat-$1.tar.gz/ \
- https://github.com/websockets/wscat/tags .*/archive/v?([\d\.]+).tar.gz checksum
+ https://github.com/websockets/wscat/tags .*/archive/.*/v?([\d\.]+).tar.gz checksum
 
 opts=\
 ctype=nodejs,\
 component=https-proxy-agent,\
 dversionmangle=auto,\
 filenamemangle=s/.*\/v?([\d\.-]+)\.tar\.gz/node-node-https-proxy-agent-$1.tar.gz/ \
- https://github.com/TooTallNate/node-https-proxy-agent/tags .*/archive/v?([\d\.]+).tar.gz checksum
+ https://github.com/TooTallNate/node-https-proxy-agent/tags .*/archive/.*/v?([\d\.]+).tar.gz checksum