Bug#987047: unblock: node-glob-parent/5.1.1+~5.1.0-2

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Bug#987047: unblock: node-glob-parent/5.1.1+~5.1.0-2
From: Yadd <yadd@debian.org>
Date: Fri, 16 Apr 2021 13:40:27 +0200
Message-id: <[🔎] 161857322761.3507101.3283414312900646223.reportbug@deb007.xnr.fr>
Reply-to: Yadd <yadd@debian.org>, 987047@bugs.debian.org

Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package node-glob-parent

[ Reason ]
node-glob-parent is vulnerable to Regex Denial of Service (ReDoS),
CVE-2020-28469

[ Impact ]
Medium vulnerability

[ Tests ]
Test passed (build & autopkgtest), including new upstream check related
to this vulnerability

[ Risks ]
Low risk: upstream patch applied without any change

[ Checklist ]
  [X] all changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in testing

[ Other info ]
Patch is trivial, just a regex update

Cheers,
Yadd

unblock node-glob-parent/5.1.1+~5.1.0-2

diff --git a/debian/changelog b/debian/changelog
index 3e6f1d0..e60f126 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+node-glob-parent (5.1.1+~5.1.0-2) unstable; urgency=medium
+
+  * Team upload
+  * Fix ReDoS (Closes: CVE-2020-28469)
+
+ -- Yadd <yadd@debian.org>  Fri, 16 Apr 2021 13:34:51 +0200
+
 node-glob-parent (5.1.1+~5.1.0-1) unstable; urgency=medium
 
   * Team upload
diff --git a/debian/patches/CVE-2020-28469.patch b/debian/patches/CVE-2020-28469.patch
new file mode 100644
index 0000000..99478a6
--- /dev/null
+++ b/debian/patches/CVE-2020-28469.patch
@@ -0,0 +1,36 @@
+Description: fix ReDoS vulnerability
+ This change fixes a regular expression denial of service vulnerability.
+Author: Rich Trott <rtrott@gmail.com>
+Origin: upstream, https://github.com/gulpjs/glob-parent/commit/f9231168
+Bug: https://snyk.io/vuln/SNYK-JS-GLOBPARENT-1016905
+Forwarded: not-needed
+Reviewed-By: Yadd <yadd@debian.org>
+Last-Update: 2021-04-16
+
+--- a/index.js
++++ b/index.js
+@@ -6,7 +6,7 @@
+ 
+ var slash = '/';
+ var backslash = /\\/g;
+-var enclosure = /[\{\[].*[\/]*.*[\}\]]$/;
++var enclosure = /[\{\[].*[\}\]]$/;
+ var globby = /(^|[^\\])([\{\[]|\([^\)]+$)/;
+ var escaped = /\\([\!\*\?\|\[\]\(\)\{\}])/g;
+ 
+--- a/test/index.test.js
++++ b/test/index.test.js
+@@ -209,6 +209,13 @@
+ 
+     done();
+   });
++
++  it('should not be susceptible to SNYK-JS-GLOBPARENT-1016905', function(done) {
++    // This will time out if susceptible.
++    gp('{' + '/'.repeat(5000));
++
++    done();
++  });
+ });
+ 
+ if (isWin32) {
diff --git a/debian/patches/series b/debian/patches/series
index 439519e..421e1b0 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1 +1,2 @@
 is-glob-4-compat.patch
+CVE-2020-28469.patch

Reply to:

Follow-Ups:
- Bug#987047: marked as done (unblock: node-glob-parent/5.1.1+~5.1.0-2)
  - From: "Debian Bug Tracking System" <owner@bugs.debian.org>

Prev by Date: Bug#987043: nmu: 4 packages where adequate reports symbol-size-mismatch
Next by Date: Bug#987048: buster-pu: package node-glob-parent/3.1.0-1+deb10u1
Previous by thread: Bug#987043: marked as done (nmu: 4 packages where adequate reports symbol-size-mismatch)
Next by thread: Bug#987047: marked as done (unblock: node-glob-parent/5.1.1+~5.1.0-2)
Index(es):
- Date
- Thread