Bug#1022122: node-minimatch 3.0.4+~3.0.3-1+deb11u1 flagged for acceptance
On Tue, 2022-11-29 at 11:14 +0100, Yadd wrote:
> On 29/11/2022 10:56, Yadd wrote:
> > On 28/11/2022 22:11, Paul Gevers wrote:
> > > Hi Yadd,
> > >
> > > On Sat, 26 Nov 2022 13:01:22 +0000 Adam D Barratt
> > > <adam@adam-barratt.org.uk> wrote:
> > > > The upload referenced by this bug report has been flagged for
> > > > acceptance into the proposed-updates queue for Debian bullseye.
> > > >
> > > > Thanks for your contribution!
> > > >
> > > > Upload details
> > > > ==============
> > > >
> > > > Package: node-minimatch
> > > > Version: 3.0.4+~3.0.3-1+deb11u1
> > > >
> > > > Explanation: improve protection against regular expression-
> > > > based
> > > > denial of service [CVE-2022-3517]
> > >
> > > The upload breaks [1] the autopkgtest of node-glob. Can you have
> > > a look?
> > >
[...]
> > the problem is in this part of minimatch.js patch:
> >
> > @@ -280,7 +306,7 @@
> > if (pattern === '') return ''
> >
> > var re = ''
> > - var hasMagic = !!options.nocase
> > + var hasMagic = false
> > var escaping = false
> > // ? => one single character
> > var patternListStack = []
> >
> > We should apply this patch:
> > https://github.com/isaacs/minimatch/commit/e4cd4346
> >
> > I'm going to prepare a new upload
>
> Here is a new debdiff:
> * this cleans CVE-2022-3517 patch (package*.json changes not
> needed)
> * this includes regressions fixes from 3.0.6 and 3.0.7
>
If the huge package*.json changes aren't needed, then why are they
included? Your stable -> deb11u2 diff contains a *lot* of noise with
the changes to package-lock.json.
Other than that, the patch does look like it's just the (still quite
large) changes from upstream relating to the CVE, so please go ahead.
Regards,
Adam
Reply to: