Bug#987048: buster-pu: package node-glob-parent/3.1.0-1+deb10u1

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Bug#987048: buster-pu: package node-glob-parent/3.1.0-1+deb10u1
From: Yadd <yadd@debian.org>
Date: Fri, 16 Apr 2021 13:50:42 +0200
Message-id: <[🔎] 161857384274.3511610.8671561208936188981.reportbug@deb007.xnr.fr>
Reply-to: Yadd <yadd@debian.org>, 987048@bugs.debian.org

Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu

[ Reason ]
node-glob-parent is vulnerable to Regex Denial of Service (ReDoS)
CVE-2020-28469

[ Impact ]
Low vulnerability risk

[ Tests ]
No test backported from 5.1.0 branch

[ Risks ]
Trivial patch

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

[ Changes ]
Just a better regex check. Patch from upstream adapted to 3.1.0

Cheers,
Yadd

diff --git a/debian/changelog b/debian/changelog
index 74d0753..46486a7 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+node-glob-parent (3.1.0-1+deb10u1) unstable; urgency=medium
+
+  * Team upload
+  * Fix ReDoS (Closes: CVE-2020-28469)
+
+ -- Yadd <yadd@debian.org>  Fri, 16 Apr 2021 13:46:41 +0200
+
 node-glob-parent (3.1.0-1) unstable; urgency=medium
 
   * Team upload
diff --git a/debian/patches/CVE-2020-28469.patch b/debian/patches/CVE-2020-28469.patch
new file mode 100644
index 0000000..663e173
--- /dev/null
+++ b/debian/patches/CVE-2020-28469.patch
@@ -0,0 +1,20 @@
+Description: fix ReDoS vulnerability
+ This change fixes a regular expression denial of service vulnerability.
+Author: Rich Trott <rtrott@gmail.com>
+Origin: upstream, https://github.com/gulpjs/glob-parent/commit/f9231168
+Bug: https://snyk.io/vuln/SNYK-JS-GLOBPARENT-1016905
+Forwarded: not-needed
+Reviewed-By: Yadd <yadd@debian.org>
+Last-Update: 2021-04-16
+
+--- a/index.js
++++ b/index.js
+@@ -10,7 +10,7 @@
+ 	if (isWin32 && str.indexOf('/') < 0) str = str.split('\\').join('/');
+ 
+ 	// special case for strings ending in enclosure containing path separator
+-	if (/[\{\[].*[\/]*.*[\}\]]$/.test(str)) str += '/';
++	if (/[\{\[].*[\}\]]$/.test(str)) str += '/';
+ 
+ 	// preserves full path in case of trailing path separator
+ 	str += 'a';
diff --git a/debian/patches/series b/debian/patches/series
index 439519e..421e1b0 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1 +1,2 @@
 is-glob-4-compat.patch
+CVE-2020-28469.patch

Reply to:

Follow-Ups:
- Bug#987048: buster-pu: package node-glob-parent/3.1.0-1+deb10u1
  - From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
- Processed: Re: Bug#987048: buster-pu: package node-glob-parent/3.1.0-1+deb10u1
  - From: "Debian Bug Tracking System" <owner@bugs.debian.org>
- Bug#987048: node-glob-parent 3.1.0-1+deb10u1 flagged for acceptance
  - From: Adam D Barratt <adam@adam-barratt.org.uk>

Prev by Date: Bug#987047: unblock: node-glob-parent/5.1.1+~5.1.0-2
Next by Date: Bug#987041: marked as done (unblock: node-handlebars/4.7.6+~4.1.0-2)
Previous by thread: Bug#987047: marked as done (unblock: node-glob-parent/5.1.1+~5.1.0-2)
Next by thread: Bug#987048: buster-pu: package node-glob-parent/3.1.0-1+deb10u1
Index(es):
- Date
- Thread