
Bug#987548: buster-pu: package node-redis/2.8.0-1+deb10u1



Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu

[ Reason ]
node-redis is vulnerable to ReDoS (CVE-2021-29469)

[ Impact ]
Medium risk

[ Tests ]
No

[ Risks ]
No risk, node-redis has no reverse dependencies and patch is trivial

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

[ Changes ]
Regex update

Cheers,
Yadd
diff --git a/debian/changelog b/debian/changelog
index e865de4..5994010 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+node-redis (2.8.0-1+deb10u1) unstable; urgency=medium
+
+  * Fix potential ReDoS (Closes: CVE-2021-29469)
+
+ -- Yadd <yadd@debian.org>  Sun, 25 Apr 2021 14:09:33 +0200
+
 node-redis (2.8.0-1) unstable; urgency=medium
 
   * Add components in gbp.conf and debian/watch (used for test only):
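Review bot: the distribution field in the new changelog entry (`node-redis (2.8.0-1+deb10u1) unstable; urgency=medium`) should be `buster`, not `unstable`, since this is a buster-pu upload (Tags: buster) and a +deb10u1 version is only meaningful for that target. The `Closes: CVE-2021-29469` text also will not close anything, because the Closes field is parsed for Debian bug numbers; consider writing the CVE as a plain reference, e.g. `* Fix potential ReDoS (CVE-2021-29469)`, and add the BTS bug number if one exists.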
diff --git a/debian/patches/CVE-2021-29469.patch b/debian/patches/CVE-2021-29469.patch
new file mode 100644
index 0000000..d074802
--- /dev/null
+++ b/debian/patches/CVE-2021-29469.patch
@@ -0,0 +1,19 @@
+Description: fix ReDoS
+Author: Leibale Eidelman <leibale1998@gmail.com>
+Origin: upstream, https://github.com/NodeRedis/node-redis/commit/2d11b6dc
+Bug: https://github.com/NodeRedis/node-redis/issues/1569
+Forwarded: not-needed
+Reviewed-By: Yadd <yadd@debian.org>
+Last-Update: 2021-04-25
+
+--- a/lib/utils.js
++++ b/lib/utils.js
+@@ -127,7 +127,7 @@
+     reply_to_object: replyToObject,
+     print: print,
+     err_code: /^([A-Z]+)\s+(.+)$/,
+-    monitor_regex: /^[0-9]{10,11}\.[0-9]+ \[[0-9]+ .+\]( ".+?")+$/,
++    monitor_regex: /^[0-9]{10,11}\.[0-9]+ \[[0-9]+ .+\].*"$/,
+     clone: convenienceClone,
+     callback_or_emit: callbackOrEmit,
+     reply_in_order: replyInOrder
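Review bot: the replacement pattern changes what is accepted, not only how fast it matches, and the Description line (`Description: fix ReDoS`) should say so. The old tail `( ".+?")+$` required one or more space-separated double-quoted arguments after `]`; the new tail `.*"$` accepts anything that ends in a double quote, so a line such as `... [0 127.0.0.1:54321] x"` now passes. That is an acceptable trade for removing the nested quantifier, but any caller that relied on monitor_regex to guarantee quoted-argument structure should be checked, and the `.+` inside `\[[0-9]+ .+\]` is still an unbounded match, albeit without nesting. Since the bug report lists `[ Tests ] No`, a minimal autopkgtest or unit test that runs both a well-formed MONITOR line and a non-matching reply through monitor_regex would document the intended behaviour.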
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 0000000..1d28461
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1 @@
+CVE-2021-29469.patch
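The following is an added example and not code from this bug report or from node-redis itself. It copies the two `monitor_regex` patterns from the patch above, runs them over a few constructed MONITOR lines to show that both accept the same well-formed input while the fixed pattern is more permissive about the tail, and then parses a validated line into fields with a separate non-backtracking argument scan. The sample lines and the `parseMonitorLine` helper are assumptions made for illustration.

```javascript
// Added example, not code from the bug report or from node-redis.
// Both patterns are copied verbatim from the CVE-2021-29469 patch.
const monitorRegexOld = /^[0-9]{10,11}\.[0-9]+ \[[0-9]+ .+\]( ".+?")+$/;   // pre-patch: nested quantifier in the tail
const monitorRegexFixed = /^[0-9]{10,11}\.[0-9]+ \[[0-9]+ .+\].*"$/;      // post-patch: single unnested tail

// Report which of the two patterns accept a given line.
function compareMatch(line) {
  return { old: monitorRegexOld.test(line), fixed: monitorRegexFixed.test(line) };
}

// Validate a MONITOR line with the fixed pattern, then split it into fields.
// Arguments are extracted in a second pass with a character-class regex
// (no nested quantifiers), rather than relying on the validation regex.
// Helper is hypothetical; node-redis does its own parsing elsewhere.
function parseMonitorLine(line) {
  if (!monitorRegexFixed.test(line)) return null;
  const close = line.indexOf(']');
  const [timestamp, rest] = line.slice(0, close).split(' [');
  const [db, address] = rest.split(' ');
  const tail = line.slice(close + 1);
  const args = [];
  const argRe = /"((?:[^"\\]|\\.)*)"/g;   // quoted argument, allowing escaped characters
  let m;
  while ((m = argRe.exec(tail)) !== null) args.push(m[1]);
  return { timestamp, db: Number(db), address, args };
}

// Constructed sample lines in the format Redis MONITOR prints (not captured output).
const SAMPLES = {
  wellFormed: '1618922384.123456 [0 127.0.0.1:54321] "set" "key" "value"',
  noArgs: '1618922384.123456 [0 127.0.0.1:54321] "ping"',
  notMonitor: 'OK',
  looseTail: '1618922384.123456 [0 127.0.0.1:54321] x"',   // only the fixed pattern accepts this
};

for (const [name, line] of Object.entries(SAMPLES)) {
  console.log(name, compareMatch(line));
}
console.log(parseMonitorLine(SAMPLES.wellFormed));
```

The `looseTail` sample is the behavioural difference worth remembering: the fix removes the catastrophic-backtracking construct, but it does so by relaxing the check, so any code that wants quoted-argument structure has to verify it separately, as `parseMonitorLine` does.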
