
Bug#988454: buster-pu: package ruby-websocket-extensions/0.1.2-1+deb10u1



Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-CC: Andreas Beckmann <anbe@debian.org>

Dear stable release managers,

Please consider ruby-websocket-extensions (0.1.2-1+deb10u1) for buster:
  
  ruby-websocket-extensions (0.1.2-1+deb10u1) buster; urgency=medium
  .
    * CVE-2020-7663: Prevent a denial of service attack that is exploitable
      by an exponential-time regular expression backtracking vulnerability.
      (Closes: #964274)

This fixes the lack of clean updates from stretch to buster. The full
debdiff is attached.


Regards,

-- 
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      lamby@debian.org / chris-lamb.co.uk
       `-
diff --git a/debian/changelog b/debian/changelog
index d887af9..0cff651 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+ruby-websocket-extensions (0.1.2-1+deb10u1) buster; urgency=medium
+
+  * CVE-2020-7663: Prevent a denial of service attack that is exploitable
+    by an exponential-time regular expression backtracking vulnerability.
+    (Closes: #964274)
+
+ -- Chris Lamb <lamby@debian.org>  Thu, 13 May 2021 11:23:30 +0100
+
 ruby-websocket-extensions (0.1.2-1) unstable; urgency=medium
 
   * Initial release (Closes: #816883)
diff --git a/debian/patches/0001-CVE-2020-7663-Prevent-a-denial-of-service-attack-tha.patch b/debian/patches/0001-CVE-2020-7663-Prevent-a-denial-of-service-attack-tha.patch
new file mode 100644
index 0000000..9f7629b
--- /dev/null
+++ b/debian/patches/0001-CVE-2020-7663-Prevent-a-denial-of-service-attack-tha.patch
@@ -0,0 +1,23 @@
+From: Chris Lamb <lamby@debian.org>
+Date: Thu, 13 May 2021 11:22:35 +0100
+Subject: CVE-2020-7663: Prevent a denial of service attack that is
+ exploitable by an exponential-time regular expression backtracking
+ vulnerability. (Closes: #964274)
+
+---
+ lib/websocket/extensions/parser.rb | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/websocket/extensions/parser.rb b/lib/websocket/extensions/parser.rb
+index 06db917..38d1f19 100644
+--- a/lib/websocket/extensions/parser.rb
++++ b/lib/websocket/extensions/parser.rb
+@@ -6,7 +6,7 @@ module WebSocket
+     class Parser
+       TOKEN    = /([!#\$%&'\*\+\-\.\^_`\|~0-9a-z]+)/
+       NOTOKEN  = /([^!#\$%&'\*\+\-\.\^_`\|~0-9a-z])/
+-      QUOTED   = /"((?:\\[\x00-\x7f]|[^\x00-\x08\x0a-\x1f\x7f"])*)"/
++      QUOTED   = /"((?:\\[\x00-\x7f]|[^\x00-\x08\x0a-\x1f\x7f"\\])*)"/
+       PARAM    = %r{#{TOKEN.source}(?:=(?:#{TOKEN.source}|#{QUOTED.source}))?}
+       EXT      = %r{#{TOKEN.source}(?: *; *#{PARAM.source})*}
+       EXT_LIST = %r{^#{EXT.source}(?: *, *#{EXT.source})*$}
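Review bot: the one-character change on the QUOTED line is the right fix and deserves a sentence in the patch header explaining why. Adding `\\` to the negated character class of the second alternative makes the two alternatives of `(?:\\[\x00-\x7f]|[^...])*` disjoint: a backslash can now only be consumed by the escape branch `\\[\x00-\x7f]`, whereas before it matched either branch, and that ambiguity on an unterminated quoted value is what the changelog's "exponential-time regular expression backtracking" refers to. Two additions would strengthen the patch: a DEP-3 `Bug-Debian: https://bugs.debian.org/964274` line (plus an `Origin:` header if this is cherry-picked from an upstream commit) so the provenance survives outside debian/changelog, and a regression test in the package's test suite that parses an extension header value with an unterminated quoted parameter and asserts the parser rejects it promptly instead of hanging.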
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 0000000..13fb1a6
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1 @@
+0001-CVE-2020-7663-Prevent-a-denial-of-service-attack-tha.patch
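Review bot: this is the first entry in a newly created debian/patches/series, so the 0.1.2-1 package shipped with no quilt patches at all. The debdiff does not include debian/source/format, so confirm the source format is already "3.0 (quilt)" (or that the build otherwise applies the series); if it is not, the patch listed here is never applied and the fix would not reach the built package despite the changelog entry.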