Bug#989129: buster-pu: package node-ws/1.1.0+ds1.e6ddaae4-5+deb10u1

To: 989129@bugs.debian.org
Subject: Bug#989129: buster-pu: package node-ws/1.1.0+ds1.e6ddaae4-5+deb10u1
From: Yadd <yadd@debian.org>
Date: Wed, 26 May 2021 12:45:37 +0200
Message-id: <[🔎] 33462c8d-e239-a97c-e87a-9380e0f72335@debian.org>
Reply-to: Yadd <yadd@debian.org>, 989129@bugs.debian.org
In-reply-to: <[🔎] 162202569004.673592.16481724678347486126.reportbug@deb007.xnr.fr>
References: <[🔎] 162202569004.673592.16481724678347486126.reportbug@deb007.xnr.fr> <[🔎] 162202569004.673592.16481724678347486126.reportbug@deb007.xnr.fr>

Here is the missing debdiff

diff --git a/debian/changelog b/debian/changelog
index d8d3387..20f5a00 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+node-ws (1.1.0+ds1.e6ddaae4-5+deb10u1) buster; urgency=medium
+
+  * Team upload
+  * Fix ReDoS vulnerability (Closes: CVE-2021-32640)
+
+ -- Yadd <yadd@debian.org>  Wed, 26 May 2021 12:33:11 +0200
+
 node-ws (1.1.0+ds1.e6ddaae4-5) unstable; urgency=medium
 
   * Add upstream/metadata
diff --git a/debian/patches/CVE-2021-32640.patch b/debian/patches/CVE-2021-32640.patch
new file mode 100644
index 0000000..fd4c9dc
--- /dev/null
+++ b/debian/patches/CVE-2021-32640.patch
@@ -0,0 +1,49 @@
+Description: Fix ReDoS vulnerability
+ A specially crafted value of the `Sec-Websocket-Protocol` header could
+ be used to significantly slow down a ws server.
+ .
+ PoC and fix were sent privately by Robert McLaughlin from University of
+ California, Santa Barbara.
+Author: Luigi Pinca <luigipinca@gmail.com>
+Origin: upstream, https://github.com/websockets/ws/commit/00c425e
+Bug: https://github.com/websockets/ws/security/advisories/GHSA-6fc8-4gx4-v693
+Forwarded: not-needed
+Reviewed-By: Yadd <yadd@debian.org>
+Last-Update: 2021-05-26
+
+--- a/lib/WebSocketServer.js
++++ b/lib/WebSocketServer.js
+@@ -289,7 +289,7 @@
+   var completeHybiUpgrade1 = function() {
+     // choose from the sub-protocols
+     if (typeof self.options.handleProtocols == 'function') {
+-        var protList = (protocols || "").split(/, */);
++        var protList = (protocols || "").split(',').map(trim);
+         var callbackCalled = false;
+         var res = self.options.handleProtocols(protList, function(result, protocol) {
+           callbackCalled = true;
+@@ -303,7 +303,7 @@
+         return;
+     } else {
+         if (typeof protocols !== 'undefined') {
+-            completeHybiUpgrade2(protocols.split(/, */)[0]);
++            completeHybiUpgrade2(protocols.split(',').map(trim)[0]);
+         }
+         else {
+             completeHybiUpgrade2();
+@@ -552,3 +552,15 @@
+     try { socket.destroy(); } catch (e) {}
+   }
+ }
++
++/**
++ * Remove whitespace characters from both ends of a string.
++ *
++ * @param {String} str The string
++ * @return {String} A new string representing `str` stripped of whitespace
++ *     characters from both its beginning and end
++ * @private
++ */
++function trim(str) {
++  return str.trim();
++}
diff --git a/debian/patches/series b/debian/patches/series
index 0556eb7..e5cc10a 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -5,3 +5,4 @@ disable-debian-failing-tests
 fix-failing-tests
 increase-test-timeout
 node-ads-120.diff
+CVE-2021-32640.patch

Reply to:

Follow-Ups:
- Bug#989129: buster-pu: package node-ws/1.1.0+ds1.e6ddaae4-5+deb10u1
  - From: "Adam D. Barratt" <adam@adam-barratt.org.uk>

References:
- Bug#989129: buster-pu: package node-ws/1.1.0+ds1.e6ddaae4-5+deb10u1
  - From: Yadd <yadd@debian.org>

Prev by Date: Bug#989129: buster-pu: package node-ws/1.1.0+ds1.e6ddaae4-5+deb10u1
Next by Date: Bug#989131: unblock: gosa/2.7.4+reloaded3-16
Previous by thread: Bug#989129: buster-pu: package node-ws/1.1.0+ds1.e6ddaae4-5+deb10u1
Next by thread: Bug#989129: buster-pu: package node-ws/1.1.0+ds1.e6ddaae4-5+deb10u1
Index(es):
- Date
- Thread