[Pkg-javascript-devel] Bug#927716: Bug#927716: CVE-2018-1109
Xavier
yadd at debian.org
Mon Apr 22 07:19:54 BST 2019
On 21/04/2019 at 22:33, Moritz Muehlenhoff wrote:
> Package: node-braces
> Severity: important
> Tags: security
>
> Please see https://snyk.io/vuln/npm:braces:20180219
>
> Patch:
> https://github.com/micromatch/braces/commit/abdafb0cae1e0c00f184abbadc692f4eaa98f451
>
> Cheers,
> Moritz
Reproducing the vulnerability is easy:
$ time node -e '/A(B|C+)+D/.test("ACCCCCCCCCCCCCCCCCCCCCCCCCCCCX")'
is bigger than
$ time node -e '/A(B|C+)+D/.test("ACCCCCCCCCCCCCCCCCCCCCCCCCCCCD")'
and the difference increases with the number of 'C'.
My problem is that I don't understand how this bug is related to
node-braces. I also tried with an updated version of node-braces without
any improvement.
Could someone take a look?
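
The timing difference described in the message above, as an added JavaScript example that is not part of the original e-mail and is not code from the braces project. The `UNAMBIGUOUS` pattern and all helper names are assumptions made for illustration; the script compares the quoted pattern against a rewrite that accepts the same strings without the nested quantifier.

```javascript
// Added example with constructed inputs; not code from the braces project.
const now = () => (typeof performance !== 'undefined' ? performance.now() : Date.now());

const AMBIGUOUS = /A(B|C+)+D/;  // pattern quoted in the message above
// Assumption: accepts the same strings, but each 'C' can be consumed in only
// one way, so a failed match cannot be retried with a different grouping.
const UNAMBIGUOUS = /A(B|C)+D/;

// "A" + n * "C" + tail. Tail "D" matches; tail "X" makes the match fail late.
function makeInput(n, tail) {
  return 'A' + 'C'.repeat(n) + tail;
}

// Run one test and report the verdict with the elapsed milliseconds.
function timedTest(re, input) {
  const start = now();
  const matched = re.test(input);
  return { matched, ms: now() - start };
}

// Exhaustively compare both patterns on "A" + every string over {B,C} of
// length <= maxLen, followed by "D", "X" or nothing.
function sameVerdicts(maxLen) {
  for (let len = 0; len <= maxLen; len++) {
    for (let bits = 0; bits < (1 << len); bits++) {
      let body = '';
      for (let i = 0; i < len; i++) body += (bits >> i) & 1 ? 'C' : 'B';
      for (const tail of ['D', 'X', '']) {
        const s = 'A' + body + tail;
        if (AMBIGUOUS.test(s) !== UNAMBIGUOUS.test(s)) return false;
      }
    }
  }
  return true;
}

// Time the failing input for each size with both patterns.
function growthTable(sizes) {
  return sizes.map((n) => ({
    n,
    ambiguousMs: timedTest(AMBIGUOUS, makeInput(n, 'X')).ms,
    unambiguousMs: timedTest(UNAMBIGUOUS, makeInput(n, 'X')).ms,
  }));
}

// Sizes kept small so the ambiguous pattern still finishes quickly.
console.table(growthTable([14, 18, 22]));
console.log('same verdicts up to length 8:', sameVerdicts(8));
```

The capture group holds different text in the two patterns (a run of `C` versus a single character), so the rewrite is only a drop-in replacement where the match verdict is all that is used.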