--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
Please unblock package node-redis
[ Reason ]
node-redis is vulnerable to a Regex Denial of Service
[ Impact ]
Medium security risk
[ Tests ]
No change in tests. Both build & autopkgtest passed
[ Risks ]
Change is trivial: just a regex fix. node-redis has no reverse
dependencies for now, so no risk for other packages
[ Checklist ]
[X] all changes are documented in the d/changelog
[X] I reviewed all changes and I approve them
[X] attach debdiff against the package in testing
[ Other info ]
Patch also includes:
* uploaders list update: Leo is MIA
* GitHub regex fix in debian/watch
unblock node-redis/3.0.2+~cs5.18.1-3
diff --git a/debian/changelog b/debian/changelog
index 4f546a6..f25dee1 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,5 +1,14 @@
+node-redis (3.0.2+~cs5.18.1-3) UNRELEASED; urgency=medium
+
+ * Fix GitHub tags regex
+ * Uploaders: remove Leo Iannacone, thanks for your work!
+ * Fix potential ReDoS (Closes: CVE-2021-29469)
+
+ -- Yadd <yadd@debian.org> Sun, 25 Apr 2021 13:54:43 +0200
+
node-redis (3.0.2+~cs5.18.1-2) unstable; urgency=medium
+ [ Xavier Guimard ]
* Add node-lodash-packages in test dependencies
-- Xavier Guimard <yadd@debian.org> Mon, 21 Dec 2020 06:13:22 +0100
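Review bot: The new 3.0.2+~cs5.18.1-3 entry still carries the UNRELEASED distribution while the request asks to unblock that exact version; confirm the uploaded package's changelog says unstable, otherwise the release team is reviewing a debdiff that does not match what landed in the archive. The `+ [ Xavier Guimard ]` line also edits the already released -2 entry; that is harmless but unnecessary history rewriting and could be dropped to keep the diff to the three changes listed in the new entry.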
diff --git a/debian/control b/debian/control
index 8fecf53..de2c694 100644
--- a/debian/control
+++ b/debian/control
@@ -1,6 +1,6 @@
Source: node-redis
Maintainer: Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>
-Uploaders: Leo Iannacone <l3on@ubuntu.com>, Xavier Guimard <yadd@debian.org>
+Uploaders: Yadd <yadd@debian.org>
Section: javascript
Priority: optional
Build-Depends: debhelper-compat (= 13)
diff --git a/debian/copyright b/debian/copyright
index 24794c5..b0ec804 100644
--- a/debian/copyright
+++ b/debian/copyright
@@ -21,7 +21,7 @@ License: Expat
Files: debian/*
Copyright: 2014 Leo Iannacone <l3on@ubuntu.com>
- 2019-2020 Xavier Guimard <yadd@debian.org>
+ 2019-2020 Yadd <yadd@debian.org>
License: GPL-3
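Review bot: The holder name is updated on the `+ 2019-2020 Yadd` line but the year range is not; since this upload adds 2021 changes under debian/*, extend it to 2019-2021 while touching the line.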
Files: debian/tests/test_modules/intercept-stdout/*
diff --git a/debian/patches/CVE-2021-29469.patch b/debian/patches/CVE-2021-29469.patch
new file mode 100644
index 0000000..d074802
--- /dev/null
+++ b/debian/patches/CVE-2021-29469.patch
@@ -0,0 +1,19 @@
+Description: fix ReDoS
+Author: Leibale Eidelman <leibale1998@gmail.com>
+Origin: upstream, https://github.com/NodeRedis/node-redis/commit/2d11b6dc
+Bug: https://github.com/NodeRedis/node-redis/issues/1569
+Forwarded: not-needed
+Reviewed-By: Yadd <yadd@debian.org>
+Last-Update: 2021-04-25
+
+--- a/lib/utils.js
++++ b/lib/utils.js
+@@ -127,7 +127,7 @@
+ reply_to_object: replyToObject,
+ print: print,
+ err_code: /^([A-Z]+)\s+(.+)$/,
+- monitor_regex: /^[0-9]{10,11}\.[0-9]+ \[[0-9]+ .+\]( ".+?")+$/,
++ monitor_regex: /^[0-9]{10,11}\.[0-9]+ \[[0-9]+ .+\].*"$/,
+ clone: convenienceClone,
+ callback_or_emit: callbackOrEmit,
+ reply_in_order: replyInOrder
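Review bot: The ReDoS root cause in the `-` line is the repeated group `( ".+?")+` anchored by `$`: every `"` in the input can be assigned either to the lazy `.+?` or to a new iteration of the group, so a MONITOR line containing many quotes that does not terminate as expected backtracks exponentially before failing. The `+` line replaces it with `.*"$`, which removes the nested repetition and leaves only the greedy `.+` and `.*` to interact, so worst-case matching is polynomial. Note that the new pattern is strictly more permissive (any tail ending in a double quote is accepted), which is only safe if callers use `monitor_regex` purely as a recognizer and never rely on the old capture group; a sentence in the patch Description stating that, plus a regression test in debian/tests feeding a long quote-heavy line and asserting it returns promptly, would make the review self-contained.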
diff --git a/debian/patches/series b/debian/patches/series
index 73eead0..250556a 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,3 +1,4 @@
avoid-failing-test.diff
disable-tests-failing-with-redis-5.6.diff
remove-cross-spawn.patch
+CVE-2021-29469.patch
diff --git a/debian/watch b/debian/watch
index ebfa712..34f812e 100644
--- a/debian/watch
+++ b/debian/watch
@@ -1,7 +1,7 @@
version=4
opts=filenamemangle=s/.*\/v?([\d\.-]+)\.tar\.gz/node-redis-$1.tar.gz/ \
- https://github.com/NodeRedis/node_redis/tags .*/archive/v?\.?([\d\.]+).tar.gz group
+ https://github.com/NodeRedis/node_redis/tags .*/archive/.*/v?\.?([\d\.]+).tar.gz group
opts="searchmode=plain,pgpmode=none,ctype=nodejs,component=redis-commands" \
https://registry.npmjs.org/redis-commands https://registry.npmjs.org/redis-commands/-/redis-commands-(\d[\d\.]*)@ARCHIVE_EXT@ checksum
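Review bot: The `+` line widens the GitHub pattern to `.*/archive/.*/v?\.?([\d\.]+).tar.gz` to follow GitHub's relocated tag tarball paths, which matches the "GitHub regex fix" listed under Other info. Two small points: the version class `[\d\.]+` here differs from the `[\d\.-]+` used in filenamemangle on the line above, so a tag containing a hyphen would mangle a name that the download regex never matches; and the unanchored `.*/archive/.*/` will match any archive link on the tags page, so anchoring it to the tags path would avoid picking up unrelated tarballs. Neither affects the security fix.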
--- End Message ---