--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: buster-pu: package node-axios/0.17.1+dfsg-2+deb10u1
- From: Yadd <yadd@debian.org>
- Date: Sat, 18 Sep 2021 07:36:21 +0200
- Message-id: <163194338154.502270.8163437243779933972.reportbug@deb007.xnr.fr>
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu
[ Reason ]
Another regex denial of service
[ Impact ]
Medium vulnerability
[ Tests ]
test passed
[ Risks ]
No risk, patch is trivial
[ Checklist ]
[X] *all* changes are documented in the d/changelog
[X] I reviewed all changes and I approve them
[X] attach debdiff against the package in (old)stable
[X] the issue is verified as fixed in unstable
[ Changes ]
Use trim() instead of a regex
Cheers,
Yadd
diff --git a/debian/changelog b/debian/changelog
index 88ae229..d73d015 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+node-axios (0.17.1+dfsg-2+deb10u1) buster; urgency=medium
+
+ * Team upload
+ * Fix reDoS (Closes: CVE-2021-3749)
+
+ -- Yadd <yadd@debian.org> Sat, 18 Sep 2021 07:31:53 +0200
+
node-axios (0.17.1+dfsg-2) unstable; urgency=medium
* Team upload
diff --git a/debian/patches/CVE-2021-3749.patch b/debian/patches/CVE-2021-3749.patch
new file mode 100644
index 0000000..802174f
--- /dev/null
+++ b/debian/patches/CVE-2021-3749.patch
@@ -0,0 +1,19 @@
+Description: fix ReDoS
+Author: ready-research <72916209+ready-research@users.noreply.github.com>
+Origin: upstream, https://github.com/axios/axios/commit/eef56014
+Bug: https://github.com/axios/axios/pull/3980
+Forwarded: not-needed
+Reviewed-By: Yadd <yadd@debian.org>
+Last-Update: 2021-09-18
+
+--- a/lib/utils.js
++++ b/lib/utils.js
+@@ -162,7 +162,7 @@
+ * @returns {String} The String freed of excess whitespace
+ */
+ function trim(str) {
+- return str.replace(/^\s*/, '').replace(/\s*$/, '');
++ return str.trim ? str.trim() : str.replace(/^\s+|\s+$/g, '');
+ }
+
+ /**
diff --git a/debian/patches/series b/debian/patches/series
index 877fd7a..1f39c51 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,3 +1,4 @@
skip-unneeded-modules.patch
use-webpack3.patch
CVE-2019-10742.diff
+CVE-2021-3749.patch
diff --git a/debian/patches/skip-unneeded-modules.patch b/debian/patches/skip-unneeded-modules.patch
index 9c63950..6f69f30 100644
--- a/debian/patches/skip-unneeded-modules.patch
+++ b/debian/patches/skip-unneeded-modules.patch
@@ -2,7 +2,7 @@ These are optional modules
--- a/package.json
+++ b/package.json
-@@ -38,10 +38,6 @@
+@@ -39,10 +39,6 @@
"grunt-cli": "^1.2.0",
"grunt-contrib-clean": "^1.0.0",
"grunt-contrib-nodeunit": "^1.0.0",
diff --git a/debian/patches/use-webpack3.patch b/debian/patches/use-webpack3.patch
index 43e264b..8f140f7 100644
--- a/debian/patches/use-webpack3.patch
+++ b/debian/patches/use-webpack3.patch
@@ -10,7 +10,7 @@ Subject: [PATCH] Updating webpack to v3.x
--- a/package.json
+++ b/package.json
-@@ -38,7 +38,7 @@
+@@ -39,7 +39,7 @@
"grunt-cli": "^1.2.0",
"grunt-contrib-clean": "^1.0.0",
"grunt-contrib-nodeunit": "^1.0.0",
@@ -19,7 +19,7 @@ Subject: [PATCH] Updating webpack to v3.x
"istanbul-instrumenter-loader": "^1.0.0",
"jasmine-core": "^2.4.1",
"karma": "^1.3.0",
-@@ -58,10 +58,10 @@
+@@ -59,10 +59,10 @@
"minimist": "^1.2.0",
"phantomjs-prebuilt": "^2.1.7",
"sinon": "^1.17.4",
--- End Message ---