
Bug#869772: marked as done (stretch-pu: package node-brace-expansion/1.1.6-1)



Your message dated Sat, 07 Oct 2017 11:33:55 +0100
with message-id <1507372435.18586.64.camel@adam-barratt.org.uk>
and subject line Closing bugs for 9.2 point release
has caused the Debian Bug report #869772,
regarding stretch-pu: package node-brace-expansion/1.1.6-1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
869772: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=869772
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian.org@packages.debian.org
Usertags: pu

This fixes security bug #862712 - regular expression denial of service.
debdiff attached.

-- System Information:
Debian Release: 9.0
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-3-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8),
LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Init: systemd (via /run/systemd/system)

diff -Nru node-brace-expansion-1.1.6/debian/changelog node-brace-expansion-1.1.6/debian/changelog
--- node-brace-expansion-1.1.6/debian/changelog	2016-10-25 22:29:22.000000000 +0530
+++ node-brace-expansion-1.1.6/debian/changelog	2017-07-26 15:46:15.000000000 +0530
@@ -1,3 +1,9 @@
+node-brace-expansion (1.1.6-1+deb9u1) stretch; urgency=medium
+
+  * Fix regular expression denial of service issue (Closes: 862712)
+
+ -- Sruthi Chandran <srud@disroot.org>  Wed, 26 Jul 2017 15:46:15 +0530
+
 node-brace-expansion (1.1.6-1) unstable; urgency=low
 
   [ Bas Couwenberg ]
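Review bot: The new entry at the top of debian/changelog says only "Fix regular expression denial of service issue" and does not name the patch that carries the fix. Mentioning debian/patches/fix-regex-DoS.patch and the upstream issue it points to (juliangruber/brace-expansion issue 33) in the entry would let a reader of the changelog locate the change without opening the debdiff.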
diff -Nru node-brace-expansion-1.1.6/debian/patches/fix-regex-DoS.patch node-brace-expansion-1.1.6/debian/patches/fix-regex-DoS.patch
--- node-brace-expansion-1.1.6/debian/patches/fix-regex-DoS.patch	1970-01-01 05:30:00.000000000 +0530
+++ node-brace-expansion-1.1.6/debian/patches/fix-regex-DoS.patch	2017-07-26 15:46:15.000000000 +0530
@@ -0,0 +1,23 @@
+From b13381281cead487cbdbfd6a69fb097ea5e456c3 Mon Sep 17 00:00:00 2001
+From: "mengyuan.ymy" <mengyuan.ymy@alibaba-inc.com>
+Date: Fri, 7 Apr 2017 10:32:55 +0800
+Subject: [PATCH] fix bug in
+ https://github.com/juliangruber/brace-expansion/issues/33
+
+---
+ index.js | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/index.js b/index.js
+index 955f27c..0478be8 100644
+--- a/index.js
++++ b/index.js
+@@ -106,7 +106,7 @@ function expand(str, isTop) {
+   var isNumericSequence = /^-?\d+\.\.-?\d+(?:\.\.-?\d+)?$/.test(m.body);
+   var isAlphaSequence = /^[a-zA-Z]\.\.[a-zA-Z](?:\.\.-?\d+)?$/.test(m.body);
+   var isSequence = isNumericSequence || isAlphaSequence;
+-  var isOptions = /^(.*,)+(.+)?$/.test(m.body);
++  var isOptions = m.body.indexOf(',') >= 0;
+   if (!isSequence && !isOptions) {
+     // {a},b}
+     if (m.post.match(/,.*\}/)) {
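Review bot: The replacement on the isOptions line, m.body.indexOf(',') >= 0, is not strictly equivalent to the removed /^(.*,)+(.+)?$/ test. Because `.` does not match line terminators and the pattern is anchored without the m flag, a body containing a line terminator never passed the old test, but it passes the new one whenever it also contains a comma. That is probably the intended result, but it is a behaviour change on top of removing the backtracking in the nested (.*,)+ quantifier, so a test case with a newline inside the braces would be worth adding. The patch header also has only an issue URL as its subject; a one-line description of the problem plus Origin and Bug-Debian fields (the changelog closes 862712) would make the patch self-explanatory.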
diff -Nru node-brace-expansion-1.1.6/debian/patches/series node-brace-expansion-1.1.6/debian/patches/series
--- node-brace-expansion-1.1.6/debian/patches/series	1970-01-01 05:30:00.000000000 +0530
+++ node-brace-expansion-1.1.6/debian/patches/series	2017-07-26 15:46:15.000000000 +0530
@@ -0,0 +1 @@
+fix-regex-DoS.patch

Attachment: signature.asc
Description: OpenPGP digital signature


--- End Message ---
--- Begin Message ---
Version: 9.2

Hi.

The updates referenced by each of these bugs were included in today's
point release of stretch.

Regards,

Adam

--- End Message ---
