On Tue, 2022-11-29 at 11:14 +0100, Yadd wrote:
On 29/11/2022 10:56, Yadd wrote:
On 28/11/2022 22:11, Paul Gevers wrote:
Hi Yadd,
On Sat, 26 Nov 2022 13:01:22 +0000 Adam D Barratt
<adam@adam-barratt.org.uk> wrote:
The upload referenced by this bug report has been flagged for
acceptance into the proposed-updates queue for Debian bullseye.
Thanks for your contribution!
Upload details
==============
Package: node-minimatch
Version: 3.0.4+~3.0.3-1+deb11u1
Explanation: improve protection against regular expression-based denial of service [CVE-2022-3517]
The upload breaks [1] the autopkgtest of node-glob. Can you have
a look?
[...]
the problem is in this part of minimatch.js patch:
@@ -280,7 +306,7 @@
if (pattern === '') return ''
var re = ''
- var hasMagic = !!options.nocase
+ var hasMagic = false
var escaping = false
// ? => one single character
var patternListStack = []
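Review bot: changing the initial value from `!!options.nocase` to `false` means hasMagic no longer starts out true when the nocase option is set, so nocase patterns are compiled differently than before; this is the line identified above as the cause of the node-glob autopkgtest regression, so either restore the `!!options.nocase` initialization or apply the upstream follow-up commit e4cd4346 on top of the CVE-2022-3517 patch rather than shipping this hunk as-is.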
We should apply this patch:
https://github.com/isaacs/minimatch/commit/e4cd4346
I'm going to prepare a new upload
Here is a new debdiff:
* this cleans CVE-2022-3517 patch (package*.json changes not needed)
* this includes regressions fixes from 3.0.6 and 3.0.7
If the huge package*.json changes aren't needed, then why are they
included? Your stable -> deb11u2 diff contains a *lot* of noise with
the changes to package-lock.json.
Other than that, the patch does look like it's just the (still quite
large) changes from upstream relating to the CVE, so please go ahead.
Regards,