
Bug#989106: marked as done (unblock: node-ws/7.4.2+~cs18.0.8-2)



Your message dated Wed, 26 May 2021 21:40:13 +0000
with message-id <E1lm1G9-0007tt-SY@respighi.debian.org>
and subject line unblock node-ws
has caused the Debian Bug report #989106,
regarding unblock: node-ws/7.4.2+~cs18.0.8-2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
989106: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=989106
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package node-ws

[ Reason ]
node-ws is vulnerable to a ReDoS: A specially crafted value of the
`Sec-Websocket-Protocol` header could be used to significantly slow
down a ws server.

[ Impact ]
Medium vulnerability

[ Tests ]
No change in test

[ Risks ]
No risk, patch is trivial

[ Checklist ]
  [X] all changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in testing

Cheers,
Yadd

unblock node-ws/7.4.2+~cs18.0.8-2
diff --git a/debian/changelog b/debian/changelog
index 5c44772..f349028 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+node-ws (7.4.2+~cs18.0.8-2) unstable; urgency=medium
+
+  * Team upload
+  * Fix GitHub tags regex
+  * Fix ReDoS vulnerability (Closes: CVE-2021-32640)
+
+ -- Yadd <yadd@debian.org>  Wed, 26 May 2021 08:26:30 +0200
+
 node-ws (7.4.2+~cs18.0.8-1) unstable; urgency=medium
 
   * Team upload
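Review bot: `Closes: CVE-2021-32640` in the third bullet closes nothing, because the changelog `Closes:` keyword is parsed for Debian bug numbers (`#NNNNNN`), not CVE ids; write the bullet as `* Fix ReDoS vulnerability (CVE-2021-32640)` and add a `Closes: #NNNNNN` only if a Debian bug was filed for it. The `Fix GitHub tags regex` bullet would also read better with the reason in it (the tag archive URL gained a path component, as the `debian/watch` hunk below shows), so the changelog explains the watch change on its own.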
diff --git a/debian/patches/CVE-2021-32640.patch b/debian/patches/CVE-2021-32640.patch
new file mode 100644
index 0000000..648faae
--- /dev/null
+++ b/debian/patches/CVE-2021-32640.patch
@@ -0,0 +1,40 @@
+Description: Fix ReDoS vulnerability
+ A specially crafted value of the `Sec-Websocket-Protocol` header could
+ be used to significantly slow down a ws server.
+ .
+ PoC and fix were sent privately by Robert McLaughlin from University of
+ California, Santa Barbara.
+Author: Luigi Pinca <luigipinca@gmail.com>
+Origin: upstream, https://github.com/websockets/ws/commit/00c425e
+Bug: https://github.com/websockets/ws/security/advisories/GHSA-6fc8-4gx4-v693
+Forwarded: not-needed
+Reviewed-By: Yadd <yadd@debian.org>
+Last-Update: 2021-05-26
+
+--- a/lib/websocket-server.js
++++ b/lib/websocket-server.js
+@@ -286,7 +286,7 @@
+     let protocol = req.headers['sec-websocket-protocol'];
+ 
+     if (protocol) {
+-      protocol = protocol.trim().split(/ *, */);
++      protocol = protocol.split(',').map(trim);
+ 
+       //
+       // Optionally call external protocol selection handler.
+@@ -404,3 +404,15 @@
+   socket.removeListener('error', socketOnError);
+   socket.destroy();
+ }
++
++/**
++ * Remove whitespace characters from both ends of a string.
++ *
++ * @param {String} str The string
++ * @return {String} A new string representing `str` stripped of whitespace
++ *     characters from both its beginning and end
++ * @private
++ */
++function trim(str) {
++  return str.trim();
++}
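Review bot: the replacement is linear where the old code was not: `split(',')` never backtracks and `trim` scans each item once, whereas `/ *, */` re-tries every shorter prefix of a run of spaces each time that run is not followed by a comma. One behavioural difference is worth a line in the `Description:` block: the old code trimmed only spaces (after a single outer `trim()`), the new code trims every kind of whitespace per item, so `"a\t,b"` now yields `["a", "b"]` instead of `["a\t", "b"]`. The patch also ships no regression test, consistent with the `[ Tests ] No change in test` note above; a unit test over the parsing of a large header value in `test/` would keep the regex from being reintroduced on a later merge.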
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 0000000..c58b9aa
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1 @@
+CVE-2021-32640.patch
diff --git a/debian/watch b/debian/watch
index aa7ee90..8d06a3a 100644
--- a/debian/watch
+++ b/debian/watch
@@ -1,32 +1,32 @@
 version=4
 opts=filenamemangle=s/.*\/v?([\d\.-]+)\.tar\.gz/ws-$1.tar.gz/,\
 dversionmangle=auto \
-https://github.com/websockets/ws/tags .*/archive/v?([\d\.]+).tar.gz group
+https://github.com/websockets/ws/tags .*/archive/.*/v?([\d\.]+).tar.gz group
 
 opts=\
 ctype=nodejs,\
 component=utf-8-validate,\
 dversionmangle=auto,\
 filenamemangle=s/.*\/v?([\d\.-]+)\.tar\.gz/node-utf-8-validate-$1.tar.gz/ \
- https://github.com/websockets/utf-8-validate/tags .*/archive/v?([\d\.]+).tar.gz checksum
+ https://github.com/websockets/utf-8-validate/tags .*/archive/.*/v?([\d\.]+).tar.gz checksum
 
 opts=\
 ctype=nodejs,\
 component=bufferutil,\
 dversionmangle=auto,\
 filenamemangle=s/.*\/v?([\d\.-]+)\.tar\.gz/node-bufferutil-$1.tar.gz/ \
- https://github.com/websockets/bufferutil/tags .*/archive/v?([\d\.]+).tar.gz checksum
+ https://github.com/websockets/bufferutil/tags .*/archive/.*/v?([\d\.]+).tar.gz checksum
 
 opts=\
 ctype=nodejs,\
 component=wscat,\
 dversionmangle=auto,\
 filenamemangle=s/.*\/v?([\d\.-]+)\.tar\.gz/node-wscat-$1.tar.gz/ \
- https://github.com/websockets/wscat/tags .*/archive/v?([\d\.]+).tar.gz checksum
+ https://github.com/websockets/wscat/tags .*/archive/.*/v?([\d\.]+).tar.gz checksum
 
 opts=\
 ctype=nodejs,\
 component=https-proxy-agent,\
 dversionmangle=auto,\
 filenamemangle=s/.*\/v?([\d\.-]+)\.tar\.gz/node-node-https-proxy-agent-$1.tar.gz/ \
- https://github.com/TooTallNate/node-https-proxy-agent/tags .*/archive/v?([\d\.]+).tar.gz checksum
+ https://github.com/TooTallNate/node-https-proxy-agent/tags .*/archive/.*/v?([\d\.]+).tar.gz checksum
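Review bot: the added `.*/` between `archive/` and `v?` is unanchored in all five lines, so the pattern now accepts any intermediate path inside the tag archive URL, and a greedy `.*` next to the already unescaped dots in `.tar.gz` makes an unintended link easy to match; if the intermediate component GitHub now emits is a fixed string, spell it out literally instead of `.*/`. Pre-existing but visible in the same hunk: every `filenamemangle` captures `[\d\.-]+` while the URL regex captures `[\d\.]+`, so the two character classes should be aligned while the file is being touched.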

--- End Message ---
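As an added example, not code from node-ws, its upstream or the Debian package: the `Sec-WebSocket-Protocol` parsing before and after the patch above, side by side, with a comparison helper and a guard an operator could place ahead of the parser. The limits `MAX_HEADER_LENGTH` and `MAX_PROTOCOLS` are hypothetical values chosen for this example, and the sample header values are constructed.

```javascript
// Added example (not code from node-ws or the Debian package): header parsing
// before and after the CVE-2021-32640 patch, plus a defensive guard.

// Before the patch: one outer trim, then a regex split that also swallows the
// spaces around each comma. The regex backtracks on every run of spaces that is
// not followed by a comma, which is what made this header a ReDoS vector.
function parseProtocolsRegex(header) {
  return header.trim().split(/ *, */);
}

// After the patch: split on the literal comma (no backtracking), then trim each
// item. Both steps are linear in the header length. `trim` mirrors the private
// helper the patch adds.
function trim(str) {
  return str.trim();
}

function parseProtocolsSplit(header) {
  return header.split(',').map(trim);
}

// Run both parsers on one header value; `same` is false where the behaviour
// differs (the new code trims tabs and other whitespace, the old one only spaces).
function compareParsers(header) {
  const before = parseProtocolsRegex(header);
  const after = parseProtocolsSplit(header);
  return { before, after, same: JSON.stringify(before) === JSON.stringify(after) };
}

// Defensive wrapper. The limits are hypothetical values chosen for this example,
// not anything node-ws or Debian ship: reject oversized or malformed values up
// front so the parser (fixed or not) never sees them. Returns null on rejection.
const MAX_HEADER_LENGTH = 1024;
const MAX_PROTOCOLS = 32;

function parseProtocolsGuarded(header) {
  if (typeof header !== 'string' || header.length > MAX_HEADER_LENGTH) return null;
  const protocols = parseProtocolsSplit(header);
  if (protocols.length > MAX_PROTOCOLS) return null;
  // Subprotocol names are tokens; an empty item (e.g. "chat,,wamp") is malformed.
  if (protocols.some((p) => p.length === 0)) return null;
  return protocols;
}

// Constructed sample header values.
const SAMPLE_HEADERS = ['chat, superchat', ' soap ,wamp', 'a\t,b', 'chat,,wamp'];

for (const h of SAMPLE_HEADERS) {
  console.log(JSON.stringify(h), compareParsers(h), parseProtocolsGuarded(h));
}
```

The guard is independent of the parser fix: it bounds what reaches the parsing step, which is the mitigation available to an operator who cannot yet deploy the patched package, while the patched `parseProtocolsSplit` removes the superlinear step itself.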
--- Begin Message ---
Unblocked.

--- End Message ---
