
Bug#989106: unblock: node-ws/7.4.2+~cs18.0.8-2



Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package node-ws

[ Reason ]
node-ws is vulnerable to a ReDoS: A specially crafted value of the
`Sec-Websocket-Protocol` header could be used to significantly slow
down a ws server.

[ Impact ]
Medium vulnerability

[ Tests ]
No change in tests

[ Risks ]
No risk; the patch is trivial

[ Checklist ]
  [X] all changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in testing

Cheers,
Yadd

unblock node-ws/7.4.2+~cs18.0.8-2
diff --git a/debian/changelog b/debian/changelog
index 5c44772..f349028 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+node-ws (7.4.2+~cs18.0.8-2) unstable; urgency=medium
+
+  * Team upload
+  * Fix GitHub tags regex
+  * Fix ReDoS vulnerability (Closes: CVE-2021-32640)
+
+ -- Yadd <yadd@debian.org>  Wed, 26 May 2021 08:26:30 +0200
+
 node-ws (7.4.2+~cs18.0.8-1) unstable; urgency=medium
 
   * Team upload
diff --git a/debian/patches/CVE-2021-32640.patch b/debian/patches/CVE-2021-32640.patch
new file mode 100644
index 0000000..648faae
--- /dev/null
+++ b/debian/patches/CVE-2021-32640.patch
@@ -0,0 +1,40 @@
+Description: Fix ReDoS vulnerability
+ A specially crafted value of the `Sec-Websocket-Protocol` header could
+ be used to significantly slow down a ws server.
+ .
+ PoC and fix were sent privately by Robert McLaughlin from University of
+ California, Santa Barbara.
+Author: Luigi Pinca <luigipinca@gmail.com>
+Origin: upstream, https://github.com/websockets/ws/commit/00c425e
+Bug: https://github.com/websockets/ws/security/advisories/GHSA-6fc8-4gx4-v693
+Forwarded: not-needed
+Reviewed-By: Yadd <yadd@debian.org>
+Last-Update: 2021-05-26
+
+--- a/lib/websocket-server.js
++++ b/lib/websocket-server.js
+@@ -286,7 +286,7 @@
+     let protocol = req.headers['sec-websocket-protocol'];
+ 
+     if (protocol) {
+-      protocol = protocol.trim().split(/ *, */);
++      protocol = protocol.split(',').map(trim);
+ 
+       //
+       // Optionally call external protocol selection handler.
+@@ -404,3 +404,15 @@
+   socket.removeListener('error', socketOnError);
+   socket.destroy();
+ }
++
++/**
++ * Remove whitespace characters from both ends of a string.
++ *
++ * @param {String} str The string
++ * @return {String} A new string representing `str` stripped of whitespace
++ *     characters from both its beginning and end
++ * @private
++ */
++function trim(str) {
++  return str.trim();
++}
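Review bot: The new `protocol = protocol.split(',').map(trim);` line carries no comment explaining why the split must stay regex-free, so a future cleanup could reintroduce the backtracking pattern `/ *, */` that this patch removes; I would add `// Split on ',' and trim each token separately: a regex such as / *, */ backtracks quadratically on long runs of spaces (CVE-2021-32640).` directly above it. The enclosing method starts and ends outside the hunk, so I cannot see how the resulting array is consumed, but note that empty tokens from a doubled or trailing comma (e.g. `"chat,"`) still survive `split`/`trim` exactly as they did with the old code — not a regression, though a follow-up could drop them with `.filter(Boolean)` or validate each entry against the RFC 6455 token grammar before it reaches `handleProtocols`. The separate module-level `trim` helper is fine, but `.map((s) => s.trim())` would avoid adding a private top-level function whose only purpose is to avoid `String.prototype.trim`'s extra-argument pitfall with `map`; if the helper stays, its JSDoc could say so.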
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 0000000..c58b9aa
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1 @@
+CVE-2021-32640.patch
diff --git a/debian/watch b/debian/watch
index aa7ee90..8d06a3a 100644
--- a/debian/watch
+++ b/debian/watch
@@ -1,32 +1,32 @@
 version=4
 opts=filenamemangle=s/.*\/v?([\d\.-]+)\.tar\.gz/ws-$1.tar.gz/,\
 dversionmangle=auto \
-https://github.com/websockets/ws/tags .*/archive/v?([\d\.]+).tar.gz group
+https://github.com/websockets/ws/tags .*/archive/.*/v?([\d\.]+).tar.gz group
 
 opts=\
 ctype=nodejs,\
 component=utf-8-validate,\
 dversionmangle=auto,\
 filenamemangle=s/.*\/v?([\d\.-]+)\.tar\.gz/node-utf-8-validate-$1.tar.gz/ \
- https://github.com/websockets/utf-8-validate/tags .*/archive/v?([\d\.]+).tar.gz checksum
+ https://github.com/websockets/utf-8-validate/tags .*/archive/.*/v?([\d\.]+).tar.gz checksum
 
 opts=\
 ctype=nodejs,\
 component=bufferutil,\
 dversionmangle=auto,\
 filenamemangle=s/.*\/v?([\d\.-]+)\.tar\.gz/node-bufferutil-$1.tar.gz/ \
- https://github.com/websockets/bufferutil/tags .*/archive/v?([\d\.]+).tar.gz checksum
+ https://github.com/websockets/bufferutil/tags .*/archive/.*/v?([\d\.]+).tar.gz checksum
 
 opts=\
 ctype=nodejs,\
 component=wscat,\
 dversionmangle=auto,\
 filenamemangle=s/.*\/v?([\d\.-]+)\.tar\.gz/node-wscat-$1.tar.gz/ \
- https://github.com/websockets/wscat/tags .*/archive/v?([\d\.]+).tar.gz checksum
+ https://github.com/websockets/wscat/tags .*/archive/.*/v?([\d\.]+).tar.gz checksum
 
 opts=\
 ctype=nodejs,\
 component=https-proxy-agent,\
 dversionmangle=auto,\
 filenamemangle=s/.*\/v?([\d\.-]+)\.tar\.gz/node-node-https-proxy-agent-$1.tar.gz/ \
- https://github.com/TooTallNate/node-https-proxy-agent/tags .*/archive/v?([\d\.]+).tar.gz checksum
+ https://github.com/TooTallNate/node-https-proxy-agent/tags .*/archive/.*/v?([\d\.]+).tar.gz checksum
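Review bot: Every rewritten watch pattern in this hunk (and the same change in the four earlier patterns of the file) leaves `.tar.gz` with unescaped dots, so `.` matches any character and the pattern is looser than the `filenamemangle` expression two lines above it, which does escape them as `\.tar\.gz`; I would write the tail as `.*/archive/.*/v?([\d\.]+)\.tar\.gz` for consistency. The inserted `.*/archive/.*/` segment is greedy, so if GitHub ever lists more than one archive link per tag the capture could come from a later path component; limiting it to a single path segment with `[^/]*` would be more precise, though I cannot confirm from this page what the tags listing currently looks like.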
