
Bug#1025414: bullseye-pu: package node-hawk/8.0.1+dfsg-2+deb11u1



Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian.org@packages.debian.org
Usertags: pu

[ Reason ]
node-hawk used a regular expression to parse `Host` HTTP header
(`Hawk.utils.parseHost()`), which was subject to regular expression DoS attack
(CVE-2022-29167).

[ Impact ]
Medium security issue

[ Tests ]
Sadly, the test suite was not run on bullseye

[ Risks ]
Low risk, patch is trivial

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

Replace custom url parsing by `url` functions.

Cheers,
Yadd
diff --git a/debian/changelog b/debian/changelog
index 7a55fa8..a913487 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+node-hawk (8.0.1+dfsg-2+deb11u1) bullseye; urgency=medium
+
+  * Team upload
+  * Parse URLs using stdlib (Closes: CVE-2022-29167)
+
+ -- Yadd <yadd@debian.org>  Sun, 04 Dec 2022 11:39:16 +0100
+
 node-hawk (8.0.1+dfsg-2) unstable; urgency=medium
 
   * Team upload
diff --git a/debian/patches/CVE-2022-29167.patch b/debian/patches/CVE-2022-29167.patch
new file mode 100644
index 0000000..2c41b08
--- /dev/null
+++ b/debian/patches/CVE-2022-29167.patch
@@ -0,0 +1,57 @@
+Description: Parse URLs using stdlib
+Author: Yaraslau Kurmyza <yarik@mozilla.com>
+Origin: upstream, https://github.com/mozilla/hawk/commit/ade13411
+Bug: https://github.com/mozilla/hawk/security/advisories/GHSA-44pw-h2cw-w3vq
+Forwarded: not-needed
+Applied-Upstream: 9.0.1, ade13411
+Reviewed-By: Yadd <yadd@debian.org>
+Last-Update: 2022-12-04
+
+--- a/lib/utils.js
++++ b/lib/utils.js
+@@ -2,6 +2,7 @@
+ 
+ const Boom = require('@hapi/boom');
+ const Sntp = require('@hapi/sntp');
++const Url = require('url');
+ 
+ 
+ const internals = {};
+@@ -18,17 +19,19 @@
+ };
+ 
+ 
+-// Extract host and port from request
+-
+-//                                            $1                            $2
+-internals.hostHeaderRegex = /^(?:(?:\r\n)?\s)*((?:[^:]+)|(?:\[[^\]]+\]))(?::(\d+))?(?:(?:\r\n)?\s)*$/;              // (IPv4, hostname)|(IPv6)
+-
+-
+ exports.parseHost = function (req, hostHeaderName) {
+ 
+     hostHeaderName = (hostHeaderName ? hostHeaderName.toLowerCase() : 'host');
+     const hostHeader = req.headers[hostHeaderName];
+-    if (!hostHeader) {
++    if (hostHeader.indexOf('/') !== -1) {
++        return null;
++    }
++
++    let uri;
++    try {
++        uri = new Url.URL('http://' + hostHeader);
++    }
++    catch (err) {
+         return null;
+     }
+ 
+@@ -42,8 +45,8 @@
+     }
+ 
+     return {
+-        name: hostParts[1],
+-        port: (hostParts[2] ? hostParts[2] : (req.connection && req.connection.encrypted ? 443 : 80))
++        name: uri.hostname,
++        port: (uri.port ? uri.port : (req.connection && req.connection.encrypted ? 443 : 80))
+     };
+ };
+ 
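Review bot: The `if (!hostHeader)` guard is dropped in this hunk, so a request with no `Host` header (or an absent custom `hostHeaderName`) now throws a TypeError from `hostHeader.indexOf('/')` inside `parseHost` instead of returning null, which turns the caller's expected "invalid host" rejection into an unhandled exception. Restore the guard ahead of the new check, `if (!hostHeader) { return null; }`, before the `indexOf` test; as far as I can tell the upstream commit cited in Applied-Upstream keeps that guard and replaces only the regex-match block. The seven context lines between this hunk and the next (old lines 35-41) are not visible here; since `internals.hostHeaderRegex` is deleted above, confirm that stretch no longer references it, which matters because the report says the test suite was not run on bullseye. Note also that the `/` check does not cover `\`, `?`, `#` or `@`, which the WHATWG parser silently strips down to a hostname rather than rejecting; that is only a caveat for callers comparing `name` against the raw header. `parseHost` continues into the second hunk.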
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 0000000..43fa212
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1 @@
+CVE-2022-29167.patch
