Bug#1107701: marked as done (unblock: node-brace-expansion/2.0.1+~1.1.0-2)

To: Sebastian Ramacher <sramacher@respighi.debian.org>
Subject: Bug#1107701: marked as done (unblock: node-brace-expansion/2.0.1+~1.1.0-2)
From: "Debian Bug Tracking System" <owner@bugs.debian.org>
Date: Thu, 12 Jun 2025 19:51:02 +0000
Message-id: <[🔎] handler.1107701.D1107701.17497578212534828.ackdone@bugs.debian.org>
Reply-to: 1107701@bugs.debian.org
References: <E1uPnwH-00G1Qm-21@respighi.debian.org> <[🔎] 174972262417.147027.1652981602586203880.reportbug@yadd-217.xnr.fr>

Your message dated Thu, 12 Jun 2025 19:50:17 +0000
with message-id <E1uPnwH-00G1Qm-21@respighi.debian.org>
and subject line unblock node-brace-expansion
has caused the Debian Bug report #1107701,
regarding unblock: node-brace-expansion/2.0.1+~1.1.0-2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1107701: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1107701
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems

--- Begin Message ---

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: unblock: node-brace-expansion/2.0.1+~1.1.0-2
From: Yadd <yadd@debian.org>
Date: Thu, 12 Jun 2025 12:03:44 +0200
Message-id: <[🔎] 174972262417.147027.1652981602586203880.reportbug@yadd-217.xnr.fr>

Package: release.debian.org
Severity: normal
X-Debbugs-Cc: node-brace-expansion@packages.debian.org, yadd@debian.org
Control: affects -1 + src:node-brace-expansion
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package node-brace-expansion

[ Reason ]
node-brace-expansion is vulnerable to a Regex DoS (#1107695,
CVE-2025-5889)

[ Impact ]
Medium security issue

[ Tests ]
Test added in this patch

[ Risks ]
Low risk, patch is trivial and test passed

[ Checklist ]
  [X] all changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in testing

unblock node-brace-expansion/2.0.1+~1.1.0-2

diff --git a/debian/changelog b/debian/changelog
index 8469a60..48af48f 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+node-brace-expansion (2.0.1+~1.1.0-2) unstable; urgency=medium
+
+  * Declare compliance with policy 4.7.2
+  * Fix potential ReDoS vulnerability or inefficient regular expression
+    (Closes: #1107695, CVE-2025-5889)
+
+ -- Yadd <yadd@debian.org>  Thu, 12 Jun 2025 11:55:12 +0200
+
 node-brace-expansion (2.0.1+~1.1.0-1) unstable; urgency=medium
 
   * Team upload
diff --git a/debian/control b/debian/control
index 96d4fc6..da61939 100644
--- a/debian/control
+++ b/debian/control
@@ -7,7 +7,7 @@ Build-Depends: debhelper-compat (= 13)
  , dh-sequence-nodejs
  , node-balanced-match <!nocheck>
  , node-tape <!nocheck>
-Standards-Version: 4.6.2
+Standards-Version: 4.7.2
 Vcs-Browser: https://salsa.debian.org/js-team/node-brace-expansion
 Vcs-Git: https://salsa.debian.org/js-team/node-brace-expansion.git
 Homepage: https://github.com/juliangruber/brace-expansion
diff --git a/debian/patches/CVE-2025-5889.patch b/debian/patches/CVE-2025-5889.patch
new file mode 100644
index 0000000..9eaa54c
--- /dev/null
+++ b/debian/patches/CVE-2025-5889.patch
@@ -0,0 +1,36 @@
+Description: fix potential ReDoS vulnerability or inefficient regular expression in project
+Author: mmmsssttt404 <931121963@qq.com>
+Origin: upstream, https://patch-diff.githubusercontent.com/raw/juliangruber/brace-expansion/pull/65
+Bug: https://github.com/juliangruber/brace-expansion/issues/66
+Bug-Debian: https://bugs.debian.org/1107695
+Forwarded: not-needed
+Applied-Upstream: 2.0.2, https://github.com/juliangruber/brace-expansion/commit/36603d5f
+Reviewed-By: Yadd <yadd@debian.org>
+Last-Update: 2025-06-12
+
+--- a/index.js
++++ b/index.js
+@@ -116,7 +116,7 @@
+     var isOptions = m.body.indexOf(',') >= 0;
+     if (!isSequence && !isOptions) {
+       // {a},b}
+-      if (m.post.match(/,.*\}/)) {
++      if (m.post.match(/,(?!,).*\}/)) {
+         str = m.pre + '{' + m.body + escClose + m.post;
+         return expand(str);
+       }
+--- /dev/null
++++ b/test/redos.js
+@@ -0,0 +1,12 @@
++import test from 'node:test'
++import assert from 'assert'
++import expand from '../index.js'
++
++test('redos', function () {
++let str = "{a}" + ",".repeat(100000) + "\u0000";
++    let startTime = performance.now();
++    expand(str)
++    let endTime = performance.now();
++    let timeTaken = endTime - startTime;
++    assert.ok(timeTaken < 10000, `Expected time (${timeTaken}ms) to be less than 10000ms`);
++})
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 0000000..d36590c
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1 @@
+CVE-2025-5889.patch

--- End Message ---

--- Begin Message ---

To: 1107701-done@bugs.debian.org

Subject: unblock node-brace-expansion

From: Sebastian Ramacher <sramacher@respighi.debian.org>

Date: Thu, 12 Jun 2025 19:50:17 +0000

Message-id: <E1uPnwH-00G1Qm-21@respighi.debian.org>
Unblocked.
--- End Message ---

Reply to:

References:
- Bug#1107701: unblock: node-brace-expansion/2.0.1+~1.1.0-2
  - From: Yadd <yadd@debian.org>

Prev by Date: Processed: Re: Bug#1107654: unblock (pre-approval): totem/43.2-3
Next by Date: Bug#1107654: unblock (pre-approval): totem/43.2-3
Previous by thread: Processed: unblock: node-brace-expansion/2.0.1+~1.1.0-2
Next by thread: Bug#1107702: unblock: lmfit-py/1.3.3-4
Index(es):
- Date
- Thread