[Pkg-javascript-devel] Bug#927716: Bug#927716: CVE-2018-1109

Salvatore Bonaccorso carnil at debian.org
Fri Apr 26 20:01:10 BST 2019


Control: notfound 927716 2.0.2-2

Hi Xavier,

On Fri, Apr 26, 2019 at 07:52:55PM +0200, Xavier wrote:
> On 26/04/2019 at 19:40, Xavier wrote:
> > [...]
> > Hello,
> > 
> > The regex that causes CVE-2018-1109 was introduced in upstream version
> > 2.2.0, commit dcc1acab [1]. So Buster node-braces seems not concerned by
> > this CVE.
> > 
> > https://snyk.io/vuln/npm:braces:20180219 extract:
> > 
> >> braces is a Bash-like brace expansion, implemented in JavaScript.
> >>
> >> Affected versions of this package are vulnerable to Regular Expression
> >> Denial of Service (ReDoS) attacks. It used a regular expression
> >> (^\{(,+(?:(\{,+\})*),*|,*(?:(\{,+\})*),+)\}) in order to detect empty
> >> braces. This can cause an impact of about 10 seconds matching time for
> >> data 50K characters long.
> > 
> >  [...]
> > 
> > No regexp in 2.0.2 contains such expression.
> > 
> > Time to close this issue?
> > 
> > Cheers,
> > Xavier
> > 
> > [1]:
> > https://github.com/micromatch/braces/commit/dcc1acab4de9a43e86ab4be4acde209ff1dca113
> > [2]:
> > https://github.com/micromatch/braces/commit/abdafb0cae1e0c00f184abbadc692f4eaa98f451
> 
> Confirmed by https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-1109

Thanks for the thorough analysis of the issue! Agreed, then we can
close the bug report. I have updated the security-tracker accordingly in
https://salsa.debian.org/security-tracker-team/security-tracker/commit/02a96c8eab5fc8f7bb8ddcdfed28fb8cf3d03d4f

Regards,
Salvatore
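As an added illustration (not the braces project's code and not its upstream fix), the acceptance rule of the regex quoted from the Snyk advisory can be expressed as a single left-to-right pass, so matching cost stays linear in the input length instead of backtracking; the regex itself is kept only to cross-check both implementations on short, constructed inputs.

```javascript
// The regex quoted in the Snyk advisory for CVE-2018-1109 (kept for cross-checking).
const VULNERABLE_EMPTY_BRACES = /^\{(,+(?:(\{,+\})*),*|,*(?:(\{,+\})*),+)\}/;

// Same language as the regex, matched in one pass without backtracking:
//   "{", a run of commas, zero or more contiguous "{,+}" groups, another run
//   of commas (at least one top-level comma in total), then "}".
// Like the regex, the match is not anchored at the end, so trailing text
// after the closing "}" is tolerated.
function isEmptyBraces(str) {
  const n = str.length;
  let i = 0;
  if (str[i] !== '{') return false;
  i++;
  let topLevelCommas = 0;
  while (i < n && str[i] === ',') { i++; topLevelCommas++; }   // leading commas
  while (i < n && str[i] === '{') {                             // "{,+}" groups
    let j = i + 1;
    let inner = 0;
    while (j < n && str[j] === ',') { j++; inner++; }
    if (inner === 0 || str[j] !== '}') break;                   // not a "{,+}" group
    i = j + 1;
  }
  while (i < n && str[i] === ',') { i++; topLevelCommas++; }   // trailing commas
  return topLevelCommas > 0 && str[i] === '}';
}

// Constructed sample inputs (not from the advisory); each pair of
// implementations must agree on every one of them.
const SAMPLES = [
  '{,}', '{,,}', '{,{,}}', '{{,},}', '{,,{,}{,,},}', '{,}}',   // accepted
  '{}', '{{,}}', '{,{,},{,}}', '{,{,x}}', 'a{,}', '{', '',      // rejected
];

// True when the linear matcher and the regex give identical verdicts.
function agreesWithRegex(inputs) {
  return inputs.every(s => isEmptyBraces(s) === VULNERABLE_EMPTY_BRACES.test(s));
}

console.log(agreesWithRegex(SAMPLES) ? 'implementations agree' : 'MISMATCH');
```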


