Bug#1025414: bullseye-pu: package node-hawk/8.0.1+dfsg-2+deb11u1
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian.org@packages.debian.org
Usertags: pu
[ Reason ]
node-hawk used a regular expression to parse the `Host` HTTP header
(`Hawk.utils.parseHost()`), which was subject to a regular expression denial-of-service (ReDoS) attack
(CVE-2022-29167).
[ Impact ]
Medium security issue
[ Tests ]
Sadly, tests were not run in Bullseye
[ Risks ]
Low risk; the patch is trivial
[ Checklist ]
[X] *all* changes are documented in the d/changelog
[X] I reviewed all changes and I approve them
[X] attach debdiff against the package in (old)stable
[X] the issue is verified as fixed in unstable
Replaces custom URL parsing with the `url` module's functions.
Cheers,
Yadd
diff --git a/debian/changelog b/debian/changelog
index 7a55fa8..a913487 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+node-hawk (8.0.1+dfsg-2+deb11u1) bullseye; urgency=medium
+
+ * Team upload
+ * Parse URLs using stdlib (Closes: CVE-2022-29167)
+
+ -- Yadd <yadd@debian.org> Sun, 04 Dec 2022 11:39:16 +0100
+
node-hawk (8.0.1+dfsg-2) unstable; urgency=medium
* Team upload
diff --git a/debian/patches/CVE-2022-29167.patch b/debian/patches/CVE-2022-29167.patch
new file mode 100644
index 0000000..2c41b08
--- /dev/null
+++ b/debian/patches/CVE-2022-29167.patch
@@ -0,0 +1,57 @@
+Description: Parse URLs using stdlib
+Author: Yaraslau Kurmyza <yarik@mozilla.com>
+Origin: upstream, https://github.com/mozilla/hawk/commit/ade13411
+Bug: https://github.com/mozilla/hawk/security/advisories/GHSA-44pw-h2cw-w3vq
+Forwarded: not-needed
+Applied-Upstream: 9.0.1, ade13411
+Reviewed-By: Yadd <yadd@debian.org>
+Last-Update: 2022-12-04
+
+--- a/lib/utils.js
++++ b/lib/utils.js
+@@ -2,6 +2,7 @@
+
+ const Boom = require('@hapi/boom');
+ const Sntp = require('@hapi/sntp');
++const Url = require('url');
+
+
+ const internals = {};
+@@ -18,17 +19,19 @@
+ };
+
+
+-// Extract host and port from request
+-
+-// $1 $2
+-internals.hostHeaderRegex = /^(?:(?:\r\n)?\s)*((?:[^:]+)|(?:\[[^\]]+\]))(?::(\d+))?(?:(?:\r\n)?\s)*$/; // (IPv4, hostname)|(IPv6)
+-
+-
+ exports.parseHost = function (req, hostHeaderName) {
+
+ hostHeaderName = (hostHeaderName ? hostHeaderName.toLowerCase() : 'host');
+ const hostHeader = req.headers[hostHeaderName];
+- if (!hostHeader) {
++ if (hostHeader.indexOf('/') !== -1) {
++ return null;
++ }
++
++ let uri;
++ try {
++ uri = new Url.URL('http://' + hostHeader);
++ }
++ catch (err) {
+ return null;
+ }
+
+@@ -42,8 +45,8 @@
+ }
+
+ return {
+- name: hostParts[1],
+- port: (hostParts[2] ? hostParts[2] : (req.connection && req.connection.encrypted ? 443 : 80))
++ name: uri.hostname,
++ port: (uri.port ? uri.port : (req.connection && req.connection.encrypted ? 443 : 80))
+ };
+ };
+
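Review bot: The removed `if (!hostHeader) {` is replaced by `if (hostHeader.indexOf('/') !== -1) {`, so the falsy guard is gone and a request with no `Host` header (or no header under a custom `hostHeaderName`) now throws a TypeError from `parseHost` instead of returning null as before, turning one malformed request into an uncaught exception. Keep both conditions on the one guard: `if (!hostHeader || hostHeader.indexOf('/') !== -1) {`. The lines between the two nested hunks (old 35–41) are not shown here, so whether anything there still references the deleted `internals.hostHeaderRegex` cannot be confirmed from this debdiff and is worth a glance. Note also that `uri.port` is a string while the fallback `443`/`80` is a number; the old regex capture was a string too, so this is pre-existing, but a comment such as `// port is a string when taken from the header, a number when defaulted` would save the next reader a check.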
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 0000000..43fa212
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1 @@
+CVE-2022-29167.patch