
Bug#1022122: node-minimatch 3.0.4+~3.0.3-1+deb11u1 flagged for acceptance



On Sun, 2022-12-04 at 19:07 +0100, Yadd wrote:
> On 04/12/2022 19:03, Adam D. Barratt wrote:
> > On Tue, 2022-11-29 at 11:14 +0100, Yadd wrote:
> > > On 29/11/2022 10:56, Yadd wrote:
> > > > On 28/11/2022 22:11, Paul Gevers wrote:
> > > > > Hi Yadd,
> > > > > 
> > > > > On Sat, 26 Nov 2022 13:01:22 +0000 Adam D Barratt
> > > > > <adam@adam-barratt.org.uk> wrote:
> > > > > > The upload referenced by this bug report has been flagged
> > > > > > for acceptance into the proposed-updates queue for Debian
> > > > > > bullseye.
> > > > > > 
> > > > > > Thanks for your contribution!
> > > > > > 
> > > > > > Upload details
> > > > > > ==============
> > > > > > 
> > > > > > Package: node-minimatch
> > > > > > Version: 3.0.4+~3.0.3-1+deb11u1
> > > > > > 
> > > > > > Explanation: improve protection against regular
> > > > > > expression-based denial of service [CVE-2022-3517]
> > > > > 
> > > > > The upload breaks [1] the autopkgtest of node-glob. Can you
> > > > > have a look?
> > > > > 
> > [...]
> > > > the problem is in this part of minimatch.js patch:
> > > > 
> > > > @@ -280,7 +306,7 @@
> > > >      if (pattern === '') return ''
> > > > 
> > > >      var re = ''
> > > > -  var hasMagic = !!options.nocase
> > > > +  var hasMagic = false
> > > >      var escaping = false
> > > >      // ? => one single character
> > > >      var patternListStack = []
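Review bot: replacing `!!options.nocase` with a constant `false` changes the result for case-insensitive matching, not just the ReDoS handling: a pattern that contains no wildcard characters is still reported as magic when `options.nocase` is set before this hunk, and is no longer reported as such after it, which is the behaviour change the thread ties to the node-glob autopkgtest failure. Either keep `var hasMagic = !!options.nocase` here, or ship this hunk together with the upstream follow-up commit referenced in this message so callers that rely on `hasMagic` under `nocase` keep working.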
> > > > 
> > > > We should apply this patch:
> > > > https://github.com/isaacs/minimatch/commit/e4cd4346
> > > > 
> > > > I'm going to prepare a new upload
> > > 
> > > Here is a new debdiff:
> > >    * this cleans the CVE-2022-3517 patch (package*.json changes not
> > > needed)
> > >    * this includes regression fixes from 3.0.6 and 3.0.7
> > > 
> > 
> > If the huge package*.json changes aren't needed, then why are they
> > included? Your stable -> deb11u2 diff contains a *lot* of noise
> > with the changes to package-lock.json.
> > 
> > Other than that, the patch does look like it's just the (still
> > quite large) changes from upstream relating to the CVE, so please go
> > ahead.
> > 
> > Regards,
> 
> Hi,
> 
> No, that's the reverse: I cleaned the deb11u1 patch in deb11u2, see
> https://bugs.debian.org/cgi-bin/bugreport.cgi?att=1;bug=1022122;filename=node-minimatch_3.0.4%2B~3.0.3-1%2Bdeb11u1%2Bdeb11u2.debdiff;msg=42
> (cumulative debdiff)
> 

Right, apparently I was confused by the (not entirely clear, at least
to me) filenames.

Regards,

Adam