[Pkg-javascript-devel] Bug#1014845: Bug#1014845: node-moment: CVE-2022-31129

Yadd yadd at debian.org
Wed Jul 13 20:14:56 BST 2022


On 13/07/2022 08:38, Salvatore Bonaccorso wrote:
> Source: node-moment
> Version: 2.29.3+ds-1
> Severity: grave
> Tags: security upstream
> X-Debbugs-Cc: carnil at debian.org, Debian Security Team <team at security.debian.org>
> 
> Hi,
> 
> The following vulnerability was published for node-moment.
> 
> CVE-2022-31129[0]:
> | moment is a JavaScript date library for parsing, validating,
> | manipulating, and formatting dates. Affected versions of moment were
> | found to use an inefficient parsing algorithm. Specifically using
> | string-to-date parsing in moment (more specifically rfc2822 parsing,
> | which is tried by default) has quadratic (N^2) complexity on specific
> | inputs. Users may notice a noticeable slowdown is observed with inputs
> | above 10k characters. Users who pass user-provided strings without
> | sanity length checks to moment constructor are vulnerable to (Re)DoS
> | attacks. The problem is patched in 2.29.4, the patch can be applied to
> | all affected versions with minimal tweaking. Users are advised to
> | upgrade. Users unable to upgrade should consider limiting date lengths
> | accepted from user input.
> 
> 
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

Hi,

here is the debdiff

Best regards,
Yadd
-------------- next part --------------
diff --git a/debian/changelog b/debian/changelog
index d0566a3b..3bf1ca51 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+node-moment (2.29.1+ds-2+deb11u2) bullseye-security; urgency=medium
+
+  * Fix ReDoS (Closes: #1014845, CVE-2022-31129)
+
+ -- Yadd <yadd at debian.org>  Wed, 13 Jul 2022 21:12:52 +0200
+
 node-moment (2.29.1+ds-2+deb11u1) bullseye; urgency=medium
 
   * Avoid loading path-looking locales from fs (Closes: #1009327,
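
Review bot: the new changelog line "* Fix ReDoS" does not say which code is affected; naming the function, for example "Fix ReDoS in preprocessRFC2822 (RFC 2822 string parsing)", and the patch file CVE-2022-31129.patch would let someone reading the changelog later find the change without opening the debdiff. The CVE id is also placed inside the "Closes:" list next to the bug number; keeping "Closes: #1014845" to bug numbers and giving the CVE id on its own is easier to read. The report quoted above lists 2.29.3+ds-1 as the affected version, while this entry is 2.29.1+ds-2+deb11u2 for bullseye-security, so this upload on its own does not cover the version named in the report.
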
diff --git a/debian/patches/CVE-2022-31129.patch b/debian/patches/CVE-2022-31129.patch
new file mode 100644
index 00000000..e10777fa
--- /dev/null
+++ b/debian/patches/CVE-2022-31129.patch
@@ -0,0 +1,42 @@
+Description: Fix ReDoS
+Author: Khang Vo (doublevkay)
+Origin: upstream, https://github.com/moment/moment/commit/9a3b5894
+Bug: https://github.com/moment/moment/security/advisories/GHSA-wc69-rhjr-hc9g
+Bug-Debian: https://bugs.debian.org/1014845
+Forwarded: not-needed
+Reviewed-By: Yadd <yadd at debian.org>
+Last-Update: 2022-07-13
+
+--- a/dist/moment.js
++++ b/dist/moment.js
+@@ -2434,7 +2434,7 @@
+ function preprocessRFC2822(s) {
+     // Remove comments and folding whitespace and replace multiple-spaces with a single space
+     return s
+-        .replace(/\([^)]*\)|[\n\t]/g, ' ')
++        .replace(/\([^()]*\)|[\n\t]/g, ' ')
+         .replace(/(\s\s+)/g, ' ')
+         .replace(/^\s\s*/, '')
+         .replace(/\s\s*$/, '');
+--- a/moment.js
++++ b/moment.js
+@@ -2440,7 +2440,7 @@
+     function preprocessRFC2822(s) {
+         // Remove comments and folding whitespace and replace multiple-spaces with a single space
+         return s
+-            .replace(/\([^)]*\)|[\n\t]/g, ' ')
++            .replace(/\([^()]*\)|[\n\t]/g, ' ')
+             .replace(/(\s\s+)/g, ' ')
+             .replace(/^\s\s*/, '')
+             .replace(/\s\s*$/, '');
+--- a/src/lib/create/from-string.js
++++ b/src/lib/create/from-string.js
+@@ -147,7 +147,7 @@
+ function preprocessRFC2822(s) {
+     // Remove comments and folding whitespace and replace multiple-spaces with a single space
+     return s
+-        .replace(/\([^)]*\)|[\n\t]/g, ' ')
++        .replace(/\([^()]*\)|[\n\t]/g, ' ')
+         .replace(/(\s\s+)/g, ' ')
+         .replace(/^\s\s*/, '')
+         .replace(/\s\s*$/, '');
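
Review bot: no regression test accompanies the regex change in preprocessRFC2822; the patch only touches dist/moment.js, moment.js and src/lib/create/from-string.js, so nothing in the package would catch a later refresh that drops or mis-applies one of the three copies. A test that parses an input above the 10k characters mentioned in the advisory text and checks that it returns promptly would cover that. The new class "[^()]*" also changes how nested comments are stripped: for "(a (b) c)" the old pattern removed "(a (b)" and the new one removes only "(b)", so neither version strips the nested comment completely; a sentence in the Description header saying this is the upstream behaviour would help whoever reviews the patch next. The Origin field uses the abbreviated commit id 9a3b5894; the full hash is the more robust reference.
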
diff --git a/debian/patches/series b/debian/patches/series
index b59ca1ed..48b9eff0 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1 +1,2 @@
 CVE-2022-24785.patch
+CVE-2022-31129.patch

