
Bug#989290: marked as done (unblock: node-got/11.8.1+~cs53.13.17-3)



Your message dated Mon, 31 May 2021 18:48:05 +0000
with message-id <E1lnmxJ-00051f-SQ@respighi.debian.org>
and subject line unblock node-got
has caused the Debian Bug report #989290,
regarding unblock: node-got/11.8.1+~cs53.13.17-3
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
989290: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=989290
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Please unblock package node-got

[ Reason ]
node-normalize-url (embedded in node-got) is vulnerable to a Regex
Denial of Service (ReDoS) (#989258, CVE-2021-33502). This little patch
fixes it.

[ Impact ]
Medium security issue

[ Tests ]
Sadly, tests are not enabled for this package due to missing test
dependencies

[ Risks ]
No risk here, patch is trivial (just a regex improvement)

[ Checklist ]
  [X] all changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in testing

Cheers,
Yadd

unblock node-got/11.8.1+~cs53.13.17-3


diff --git a/debian/changelog b/debian/changelog
index c1ca5b3..9cda1ef 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+node-got (11.8.1+~cs53.13.17-3) unstable; urgency=medium
+
+  * Team upload
+  * Fix ReDoS (Closes: #989258, CVE-2021-33502)
+
+ -- Yadd <yadd@debian.org>  Mon, 31 May 2021 11:57:23 +0200
+
 node-got (11.8.1+~cs53.13.17-2) unstable; urgency=medium
 
   * Team upload
diff --git a/debian/patches/CVE-2021-33502.patch b/debian/patches/CVE-2021-33502.patch
new file mode 100644
index 0000000..1572953
--- /dev/null
+++ b/debian/patches/CVE-2021-33502.patch
@@ -0,0 +1,40 @@
+Description: Fix ReDoS for data URLs
+Author: Sindre Sorhus <sindresorhus@gmail.com>
+Origin: upstream, https://github.com/sindresorhus/normalize-url/commit/b1fdb51
+Bug: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33502
+Bug-Debian: https://bugs.debian.org/989258
+Forwarded: not-needed
+Reviewed-By: Yadd <yadd@debian.org>
+Last-Update: 2021-05-31
+
+--- a/normalize-url/index.js
++++ b/normalize-url/index.js
+@@ -9,7 +9,7 @@
+ };
+ 
+ const normalizeDataURL = (urlString, {stripHash}) => {
+-	const match = /^data:(?<type>.*?),(?<data>.*?)(?:#(?<hash>.*))?$/.exec(urlString);
++	const match = /^data:(?<type>[^,]*?),(?<data>[^#]*?)(?:#(?<hash>.*))?$/.exec(urlString);
+ 
+ 	if (!match) {
+ 		throw new Error(`Invalid URL: ${urlString}`);
+--- a/normalize-url/test.js
++++ b/normalize-url/test.js
+@@ -320,3 +320,17 @@
+ 		normalizeUrl('view-source:https://www.sindresorhus.com');
+ 	}, '`view-source:` is not supported as it is a non-standard protocol');
+ });
++
++test('does not have exponential performance for data URLs', t => {
++	for (let index = 0; index < 1000; index += 50) {
++		const url = 'data:' + Array.from({length: index}).fill(',#').join('') + '\ra';
++		const start = Date.now();
++
++		try {
++			normalizeUrl(url);
++		} catch {}
++
++		const difference = Date.now() - start;
++		t.true(difference < 100, `Execution time: ${difference}`);
++	}
++});
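Review bot: the regex change in `normalize-url/index.js` is correct and minimal: replacing the two `.*?` groups with `[^,]*?` and `[^#]*?` pins `type` to the text before the first `,` and `data` to the text before the first `#`, so when the anchored match fails the engine no longer retries every possible split between `type`, `data` and the optional `#hash` part (the regression test's input ends in `\r`, which `.` never matches, so the old expression backtracked through all of those splits before giving up). One behavioural difference worth recording in the patch header: `[^#]` matches line terminators that `.` did not, so a data URL whose data part contains a newline now matches where it previously threw `Invalid URL`. In `test.js`, `t.true(difference < 100, ...)` is a wall-clock bound that can be flaky on a slow build host; harmless here since tests are disabled for this package, but a more generous bound would be safer if they are ever enabled.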
diff --git a/debian/patches/series b/debian/patches/series
index 225f561..2299ad7 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,2 +1,3 @@
 build-source-only.diff
 fix-package-json-paths.diff
+CVE-2021-33502.patch

--- End Message ---
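To check the fix without the package's (disabled) test suite, here is an added example that is not part of the unblock request or of node-got/normalize-url: it runs the pre-patch and patched `data:` regexes from the debdiff above on constructed sample URLs, times the patched one on the upstream regression test's adversarial input, and shows the one behavioural difference (line terminators in the data part). `parseDataUrl`, `capturesAgree`, `newlineBehaviour` and the sample URLs are this example's own names, not upstream's.

```javascript
// Added example (not from node-got or the upstream patch). OLD_RE is the expression
// removed by CVE-2021-33502.patch, FIXED_RE the one it introduces.
const OLD_RE = /^data:(?<type>.*?),(?<data>.*?)(?:#(?<hash>.*))?$/;
const FIXED_RE = /^data:(?<type>[^,]*?),(?<data>[^#]*?)(?:#(?<hash>.*))?$/;

// Split a data: URL into its three parts with the given regex; null when it does not match.
function parseDataUrl(urlString, re = FIXED_RE) {
  const match = re.exec(urlString);
  if (!match) {
    return null;
  }
  const {type, data, hash} = match.groups;
  return {type, data, hash: hash === undefined ? null : hash};
}

// The input shape used by the upstream regression test: n repetitions of ',#' then '\r'.
// '.' never matches '\r', so the old regex retried every type/data/hash split before failing.
function adversarialDataUrl(n) {
  return 'data:' + ',#'.repeat(n) + '\ra';
}

// Wall-clock milliseconds for a single exec() of `re` against `input`.
function timeExec(re, input) {
  const start = process.hrtime.bigint();
  re.exec(input);
  return Number(process.hrtime.bigint() - start) / 1e6;
}

// Constructed sample URLs on which both expressions must produce identical captures.
const SAMPLE_URLS = [
  'data:text/plain;charset=utf-8,hello%20world',
  'data:,a#b#c',                        // the first '#' starts the fragment
  'data:image/png;base64,iVBORw0KGgo=#frag',
  'data:text/plain,,trailing,commas',   // type ends at the first ','
];

// True when OLD_RE and FIXED_RE agree on every sample.
function capturesAgree(urls = SAMPLE_URLS) {
  const dump = (u, re) => JSON.stringify(parseDataUrl(u, re));
  return urls.every(u => dump(u, OLD_RE) === dump(u, FIXED_RE));
}

// The one semantic change: '[^#]' matches a line terminator, '.' does not, so the
// patched regex accepts a data part containing '\n' that the old one rejected.
function newlineBehaviour() {
  const url = 'data:,line1\nline2';
  return {old: parseDataUrl(url, OLD_RE) !== null, fixed: parseDataUrl(url, FIXED_RE) !== null};
}

console.log('captures agree on samples:', capturesAgree());
console.log('patched regex, 1000 pairs (ms):', timeExec(FIXED_RE, adversarialDataUrl(1000)).toFixed(2));
```

The old expression is deliberately only run on the short benign samples; the adversarial input is timed against the patched regex alone, which rejects it in linear time.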
--- Begin Message ---
Unblocked.

--- End Message ---
