Bug#987048: buster-pu: package node-glob-parent/3.1.0-1+deb10u1
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu
[ Reason ]
node-glob-parent is vulnerable to Regex Denial of Service (ReDoS)
CVE-2020-28469
[ Impact ]
Low vulnerability risk
[ Tests ]
No test backported from 5.1.0 branch
[ Risks ]
Trivial patch
[ Checklist ]
[X] *all* changes are documented in the d/changelog
[X] I reviewed all changes and I approve them
[X] attach debdiff against the package in (old)stable
[X] the issue is verified as fixed in unstable
[ Changes ]
Just a better regex check. Patch from upstream adapted to 3.1.0
Cheers,
Yadd
diff --git a/debian/changelog b/debian/changelog
index 74d0753..46486a7 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+node-glob-parent (3.1.0-1+deb10u1) unstable; urgency=medium
+
+ * Team upload
+ * Fix ReDoS (Closes: CVE-2020-28469)
+
+ -- Yadd <yadd@debian.org> Fri, 16 Apr 2021 13:46:41 +0200
+
node-glob-parent (3.1.0-1) unstable; urgency=medium
* Team upload
diff --git a/debian/patches/CVE-2020-28469.patch b/debian/patches/CVE-2020-28469.patch
new file mode 100644
index 0000000..663e173
--- /dev/null
+++ b/debian/patches/CVE-2020-28469.patch
@@ -0,0 +1,20 @@
+Description: fix ReDoS vulnerability
+ This change fixes a regular expression denial of service vulnerability.
+Author: Rich Trott <rtrott@gmail.com>
+Origin: upstream, https://github.com/gulpjs/glob-parent/commit/f9231168
+Bug: https://snyk.io/vuln/SNYK-JS-GLOBPARENT-1016905
+Forwarded: not-needed
+Reviewed-By: Yadd <yadd@debian.org>
+Last-Update: 2021-04-16
+
+--- a/index.js
++++ b/index.js
+@@ -10,7 +10,7 @@
+ if (isWin32 && str.indexOf('/') < 0) str = str.split('\\').join('/');
+
+ // special case for strings ending in enclosure containing path separator
+- if (/[\{\[].*[\/]*.*[\}\]]$/.test(str)) str += '/';
++ if (/[\{\[].*[\}\]]$/.test(str)) str += '/';
+
+ // preserves full path in case of trailing path separator
+ str += 'a';
diff --git a/debian/patches/series b/debian/patches/series
index 439519e..421e1b0 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1 +1,2 @@
is-glob-4-compat.patch
+CVE-2020-28469.patch
Reply to: