[Pkg-javascript-devel] Bug#985943: buster-pu: package node-hosted-git-info/2.7.1-1+deb10u1
Yadd
yadd at debian.org
Fri Mar 26 14:24:15 GMT 2021
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org at packages.debian.org
Usertags: pu
X-Debbugs-Cc: pkg-javascript-devel at lists.alioth.debian.org
[ Reason ]
node-hosted-git-info is vulnerable to RegExp Denial of Service
[ Impact ]
Medium security risk
[ Tests ]
Upstream tests still pass with this patch
[ Risks ]
Trivial change
[ Checklist ]
[X] *all* changes are documented in the d/changelog
[X] I reviewed all changes and I approve them
[X] attach debdiff against the package in (old)stable
[X] the issue is verified as fixed in unstable
[ Changes ]
shortcutMatch regex is cut in two pieces:
- a simpler regexp
- a distinct change to remove the .git suffix
Cheers,
Yadd
-------------- next part --------------
diff --git a/debian/changelog b/debian/changelog
index b4038a0..f8baeef 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+node-hosted-git-info (2.7.1-1+deb10u1) buster; urgency=medium
+
+ * Team upload
+ * Fix ReDoS risk (Closes: CVE-2021-23362)
+
+ -- Yadd <yadd at debian.org> Fri, 26 Mar 2021 15:17:21 +0100
+
node-hosted-git-info (2.7.1-1) unstable; urgency=medium
* New upstream version 2.7.1
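Review bot: `Closes:` in a Debian changelog entry is parsed for bug numbers of the form `#NNNNNN`, so `Fix ReDoS risk (Closes: CVE-2021-23362)` closes nothing while reading as if it did; write it as `Fix ReDoS (CVE-2021-23362)` and, if a Debian bug was filed for this issue, put its number in its own `Closes: #...`. Keeping the bare CVE id in the entry is what matters for the security tracker, so the reference itself is right.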
diff --git a/debian/patches/CVE-2021-23362.patch b/debian/patches/CVE-2021-23362.patch
new file mode 100644
index 0000000..cadac62
--- /dev/null
+++ b/debian/patches/CVE-2021-23362.patch
@@ -0,0 +1,28 @@
+Description: avoid ReDoS
+Author: nlf <quitlahok at gmail.com>
+Origin: upstream, https://github.com/npm/hosted-git-info/commit/bede0dc3
+Bug: https://snyk.io/vuln/SNYK-JS-HOSTEDGITINFO-1088355
+Forwarded: not-needed
+Reviewed-By: Xavier Guimard <yadd at debian.org>
+Last-Update: 2021-03-26
+
+--- a/index.js
++++ b/index.js
+@@ -42,7 +42,7 @@
+ isGitHubShorthand(giturl) ? 'github:' + giturl : giturl
+ )
+ var parsed = parseGitUrl(url)
+- var shortcutMatch = url.match(new RegExp('^([^:]+):(?:(?:[^@:]+(?:[^@]+)?@)?([^/]*))[/](.+?)(?:[.]git)?($|#)'))
++ var shortcutMatch = url.match(/^([^:]+):(?:[^@]+@)?(?:([^/]*)\/)?([^#]+)/)
+ var matches = Object.keys(gitHosts).map(function (gitHostName) {
+ try {
+ var gitHostInfo = gitHosts[gitHostName]
+@@ -56,7 +56,7 @@
+ var defaultRepresentation = null
+ if (shortcutMatch && shortcutMatch[1] === gitHostName) {
+ user = shortcutMatch[2] && decodeURIComponent(shortcutMatch[2])
+- project = decodeURIComponent(shortcutMatch[3])
++ project = decodeURIComponent(shortcutMatch[3].replace(/\.git$/, ''))
+ defaultRepresentation = 'shortcut'
+ } else {
+ if (parsed.host && parsed.host !== gitHostInfo.domain && parsed.host.replace(/^www[.]/, '') !== gitHostInfo.domain) return
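Review bot: the new pattern's `(?:[^@]+@)?` group is not bounded by `/` or `#`, so an `@` appearing anywhere later in the string (for example inside a `#committish` fragment such as `github:npm/repo#tag@1`) is swallowed as a credentials prefix and the user/project captures shift; restricting it to `(?:[^@/#]+@)?` keeps the auth prefix within the authority part, and a test with an `@` in the fragment would pin that down. The move of `.git` stripping into `shortcutMatch[3].replace(/\.git$/, '')` is safe as written, because group 3 (`[^#]+`) is mandatory and `shortcutMatch[3]` is therefore always a string once the match succeeds. Minor: the `Origin:` field abbreviates the upstream commit to `bede0dc3`; the full 40-character hash in the URL makes later cherry-picks and DEP-3 tooling more reliable.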
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 0000000..cc0f664
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1 @@
+CVE-2021-23362.patch
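The [ Changes ] section above describes the fix as a simpler regexp plus a separate step that strips the .git suffix. The following is an added example, not code from the Debian package or from upstream hosted-git-info: it wraps the patched regex and the separate `.git` strip from the debdiff in a stand-alone `parseShortcut` function and runs it over constructed inputs, so the reader can see what each capture group holds after the patch. The `KNOWN_HOSTS` list and the function name are assumptions; index.js instead loops over `Object.keys(gitHosts)` and compares `shortcutMatch[1]` against each host name.

```javascript
// Added example (not code from the Debian package or upstream hosted-git-info):
// the patched shortcut parsing, i.e. the new regex plus a separate .git strip,
// as a stand-alone function run over constructed inputs.

// Regex exactly as introduced by the patch: host key, optional auth prefix,
// optional "user/" part, then the project up to a "#committish" fragment.
const SHORTCUT_RE = /^([^:]+):(?:[^@]+@)?(?:([^/]*)\/)?([^#]+)/;

// Assumed host keys; index.js iterates Object.keys(gitHosts) instead.
const KNOWN_HOSTS = ['github', 'gitlab', 'bitbucket'];

// Returns {host, user, project} for a shortcut string, or null when the string
// does not match or the host key is unknown (mirrors the
// shortcutMatch[1] === gitHostName comparison in index.js).
function parseShortcut(url, hosts = KNOWN_HOSTS) {
  const m = url.match(SHORTCUT_RE);
  if (!m || !hosts.includes(m[1])) return null;
  return {
    host: m[1],
    // group 2 is undefined when there is no "user/" part
    user: m[2] ? decodeURIComponent(m[2]) : undefined,
    // the .git suffix is stripped here, no longer inside the regex
    project: decodeURIComponent(m[3].replace(/\.git$/, '')),
  };
}

// Constructed sample inputs covering the shapes the regex distinguishes.
const SAMPLES = [
  'github:npm/hosted-git-info.git#v2.7.1', // owner, project, .git suffix, fragment
  'gitlab:some%20group/project.git',        // percent-encoded owner
  'bitbucket:token@owner/repo',             // auth prefix is discarded
  'github:repo-only',                       // no "user/" part at all
  'https://github.com/npm/hosted-git-info', // matches the regex but host is "https"
];

for (const s of SAMPLES) {
  console.log(s, '=>', parseShortcut(s));
}
```

The last sample is the reason the host-name comparison matters: the regex alone accepts any `scheme:` prefix as a host key, and only the comparison against the configured host names keeps full URLs out of the shortcut path.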