Bug#987047: unblock: node-glob-parent/5.1.1+~5.1.0-2
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
Please unblock package node-glob-parent
[ Reason ]
node-glob-parent is vulnerable to Regex Denial of Service (ReDoS),
CVE-2020-28469
[ Impact ]
Medium vulnerability
[ Tests ]
Test passed (build & autopkgtest), including new upstream check related
to this vulnerability
[ Risks ]
Low risk: upstream patch applied without any change
[ Checklist ]
[X] all changes are documented in the d/changelog
[X] I reviewed all changes and I approve them
[X] attach debdiff against the package in testing
[ Other info ]
Patch is trivial, just a regex update
Cheers,
Yadd
unblock node-glob-parent/5.1.1+~5.1.0-2
diff --git a/debian/changelog b/debian/changelog
index 3e6f1d0..e60f126 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+node-glob-parent (5.1.1+~5.1.0-2) unstable; urgency=medium
+
+ * Team upload
+ * Fix ReDoS (Closes: CVE-2020-28469)
+
+ -- Yadd <yadd@debian.org> Fri, 16 Apr 2021 13:34:51 +0200
+
node-glob-parent (5.1.1+~5.1.0-1) unstable; urgency=medium
* Team upload
diff --git a/debian/patches/CVE-2020-28469.patch b/debian/patches/CVE-2020-28469.patch
new file mode 100644
index 0000000..99478a6
--- /dev/null
+++ b/debian/patches/CVE-2020-28469.patch
@@ -0,0 +1,36 @@
+Description: fix ReDoS vulnerability
+ This change fixes a regular expression denial of service vulnerability.
+Author: Rich Trott <rtrott@gmail.com>
+Origin: upstream, https://github.com/gulpjs/glob-parent/commit/f9231168
+Bug: https://snyk.io/vuln/SNYK-JS-GLOBPARENT-1016905
+Forwarded: not-needed
+Reviewed-By: Yadd <yadd@debian.org>
+Last-Update: 2021-04-16
+
+--- a/index.js
++++ b/index.js
+@@ -6,7 +6,7 @@
+
+ var slash = '/';
+ var backslash = /\\/g;
+-var enclosure = /[\{\[].*[\/]*.*[\}\]]$/;
++var enclosure = /[\{\[].*[\}\]]$/;
+ var globby = /(^|[^\\])([\{\[]|\([^\)]+$)/;
+ var escaped = /\\([\!\*\?\|\[\]\(\)\{\}])/g;
+
+--- a/test/index.test.js
++++ b/test/index.test.js
+@@ -209,6 +209,13 @@
+
+ done();
+ });
++
++ it('should not be susceptible to SNYK-JS-GLOBPARENT-1016905', function(done) {
++ // This will time out if susceptible.
++ gp('{' + '/'.repeat(5000));
++
++ done();
++ });
+ });
+
+ if (isWin32) {
diff --git a/debian/patches/series b/debian/patches/series
index 439519e..421e1b0 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1 +1,2 @@
is-glob-4-compat.patch
+CVE-2020-28469.patch
Reply to: