Package: release.debian.org Severity: normal Tags: stretch User: release.debian.org@packages.debian.org Usertags: pu This fixes security bug #862712 - regular expression denial of service. debdiff attached. -- System Information: Debian Release: 9.0 APT prefers unstable APT policy: (500, 'unstable'), (1, 'experimental') Architecture: amd64 (x86_64) Kernel: Linux 4.9.0-3-amd64 (SMP w/4 CPU cores) Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8) Init: systemd (via /run/systemd/system)
diff -Nru node-brace-expansion-1.1.6/debian/changelog node-brace-expansion-1.1.6/debian/changelog
--- node-brace-expansion-1.1.6/debian/changelog 2016-10-25 22:29:22.000000000 +0530
+++ node-brace-expansion-1.1.6/debian/changelog 2017-07-26 15:46:15.000000000 +0530
@@ -1,3 +1,9 @@
+node-brace-expansion (1.1.6-1+deb9u1) stretch; urgency=medium
+
+ * Fix regular expression denial of service issue (Closes: 862712)
+
+ -- Sruthi Chandran <srud@disroot.org> Wed, 26 Jul 2017 15:46:15 +0530
+
node-brace-expansion (1.1.6-1) unstable; urgency=low
[ Bas Couwenberg ]
diff -Nru node-brace-expansion-1.1.6/debian/patches/fix-regex-DoS.patch node-brace-expansion-1.1.6/debian/patches/fix-regex-DoS.patch
--- node-brace-expansion-1.1.6/debian/patches/fix-regex-DoS.patch 1970-01-01 05:30:00.000000000 +0530
+++ node-brace-expansion-1.1.6/debian/patches/fix-regex-DoS.patch 2017-07-26 15:46:15.000000000 +0530
@@ -0,0 +1,23 @@
+From b13381281cead487cbdbfd6a69fb097ea5e456c3 Mon Sep 17 00:00:00 2001
+From: "mengyuan.ymy" <mengyuan.ymy@alibaba-inc.com>
+Date: Fri, 7 Apr 2017 10:32:55 +0800
+Subject: [PATCH] fix bug in
+ https://github.com/juliangruber/brace-expansion/issues/33
+
+---
+ index.js | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/index.js b/index.js
+index 955f27c..0478be8 100644
+--- a/index.js
++++ b/index.js
+@@ -106,7 +106,7 @@ function expand(str, isTop) {
+ var isNumericSequence = /^-?\d+\.\.-?\d+(?:\.\.-?\d+)?$/.test(m.body);
+ var isAlphaSequence = /^[a-zA-Z]\.\.[a-zA-Z](?:\.\.-?\d+)?$/.test(m.body);
+ var isSequence = isNumericSequence || isAlphaSequence;
+- var isOptions = /^(.*,)+(.+)?$/.test(m.body);
++ var isOptions = m.body.indexOf(',') >= 0;
+ if (!isSequence && !isOptions) {
+ // {a},b}
+ if (m.post.match(/,.*\}/)) {
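Review bot: The new `m.body.indexOf(',') >= 0` test is not strictly equivalent to the `/^(.*,)+(.+)?$/` check it replaces, because `.` never matches a line terminator: a brace body holding both a comma and a newline was previously not classified as options and now is. For a stable point release that behaviour change deserves a sentence in the patch header. A call-site comment such as `// substring test on purpose: the regex used here before backtracked badly on comma-heavy input (Debian #862712)` would also keep a later cleanup from restoring the pattern. Separately, the context line `m.post.match(/,.*\}/)` still applies an unanchored `.*` pattern to caller-supplied text and looks worth checking for super-linear matching on long inputs. That is inferred from this one line only, since the body of `expand()` starts and ends outside the hunk.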
diff -Nru node-brace-expansion-1.1.6/debian/patches/series node-brace-expansion-1.1.6/debian/patches/series
--- node-brace-expansion-1.1.6/debian/patches/series 1970-01-01 05:30:00.000000000 +0530
+++ node-brace-expansion-1.1.6/debian/patches/series 2017-07-26 15:46:15.000000000 +0530
@@ -0,0 +1 @@
+fix-regex-DoS.patch