Bug#1014900: bullseye-pu: package node-moment/2.29.1+ds-2+deb11u2
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian.org@packages.debian.org
Usertags: pu
[ Reason ]
node-moment is vulnerable to ReDoS (#1014845, CVE-2022-31129)
[ Impact ]
Medium security issue
[ Tests ]
Sadly there is no test in this package.
[ Risks ]
Low risk, patch is trivial
[ Checklist ]
[X] *all* changes are documented in the d/changelog
[X] I reviewed all changes and I approve them
[X] attach debdiff against the package in (old)stable
[X] the issue is verified as fixed in unstable
[ Changes ]
Regexp improvement
Cheers,
Yadd
diff --git a/debian/changelog b/debian/changelog
index d0566a3b..829c6ec2 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+node-moment (2.29.1+ds-2+deb11u2) bullseye; urgency=medium
+
+ * Fix ReDoS (Closes: #1014845, CVE-2022-31129)
+
+ -- Yadd <yadd@debian.org> Wed, 13 Jul 2022 21:12:52 +0200
+
node-moment (2.29.1+ds-2+deb11u1) bullseye; urgency=medium
* Avoid loading path-looking locales from fs (Closes: #1009327,
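Review bot: the changelog entry names the bug and CVE but not what was touched; since the whole fix is a one-character tightening of the comment-stripping regexp in `preprocessRFC2822`, saying so (e.g. "Fix ReDoS in RFC 2822 comment stripping") makes the entry self-describing for stable users who will not open the patch.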
diff --git a/debian/patches/CVE-2022-31129.patch b/debian/patches/CVE-2022-31129.patch
new file mode 100644
index 00000000..e10777fa
--- /dev/null
+++ b/debian/patches/CVE-2022-31129.patch
@@ -0,0 +1,42 @@
+Description: Fix ReDoS
+Author: Khang Vo (doublevkay)
+Origin: upstream, https://github.com/moment/moment/commit/9a3b5894
+Bug: https://github.com/moment/moment/security/advisories/GHSA-wc69-rhjr-hc9g
+Bug-Debian: https://bugs.debian.org/1014845
+Forwarded: not-needed
+Reviewed-By: Yadd <yadd@debian.org>
+Last-Update: 2022-07-13
+
+--- a/dist/moment.js
++++ b/dist/moment.js
+@@ -2434,7 +2434,7 @@
+ function preprocessRFC2822(s) {
+ // Remove comments and folding whitespace and replace multiple-spaces with a single space
+ return s
+- .replace(/\([^)]*\)|[\n\t]/g, ' ')
++ .replace(/\([^()]*\)|[\n\t]/g, ' ')
+ .replace(/(\s\s+)/g, ' ')
+ .replace(/^\s\s*/, '')
+ .replace(/\s\s*$/, '');
+--- a/moment.js
++++ b/moment.js
+@@ -2440,7 +2440,7 @@
+ function preprocessRFC2822(s) {
+ // Remove comments and folding whitespace and replace multiple-spaces with a single space
+ return s
+- .replace(/\([^)]*\)|[\n\t]/g, ' ')
++ .replace(/\([^()]*\)|[\n\t]/g, ' ')
+ .replace(/(\s\s+)/g, ' ')
+ .replace(/^\s\s*/, '')
+ .replace(/\s\s*$/, '');
+--- a/src/lib/create/from-string.js
++++ b/src/lib/create/from-string.js
+@@ -147,7 +147,7 @@
+ function preprocessRFC2822(s) {
+ // Remove comments and folding whitespace and replace multiple-spaces with a single space
+ return s
+- .replace(/\([^)]*\)|[\n\t]/g, ' ')
++ .replace(/\([^()]*\)|[\n\t]/g, ' ')
+ .replace(/(\s\s+)/g, ' ')
+ .replace(/^\s\s*/, '')
+ .replace(/\s\s*$/, '');
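Review bot: the patch is applied consistently to all three copies of `preprocessRFC2822` (`dist/moment.js`, `moment.js`, `src/lib/create/from-string.js`), which is the right thing for a package that ships prebuilt bundles; if the package also installs a minified build, that copy needs the same change or a rebuild from `src/`, otherwise the shipped file stays vulnerable. The change itself is sound: with `[^)]*` a comment body could run across further `(` characters, so each `(` in an input with no matching `)` restarts a scan to the end of the string; `[^()]*` stops the body at the next parenthesis and bounds the work per position. Given that the package carries no test suite, it would be worth adding a small regression check to the patch (or to `debian/tests`) that calls `preprocessRFC2822` on a long unbalanced-parenthesis string and asserts it returns promptly, so a future upstream sync cannot silently reintroduce `[^)]*`.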
diff --git a/debian/patches/series b/debian/patches/series
index b59ca1ed..48b9eff0 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1 +1,2 @@
CVE-2022-24785.patch
+CVE-2022-31129.patch