[Pkg-javascript-devel] Bug#1034105: unblock: node-ua-parser-js/0.8.1+ds+~0.7.36-3
Yadd
yadd at debian.org
Sun Apr 9 05:03:52 BST 2023
Package: release.debian.org
Severity: normal
User: release.debian.org at packages.debian.org
Usertags: unblock
X-Debbugs-Cc: node-ua-parser-js at packages.debian.org
Control: affects -1 + src:node-ua-parser-js
Please unblock package node-ua-parser-js
[ Reason ]
node-ua-parser-js is vulnerable to a Regex DoS (CVE-2022-25927)
[ Impact ]
Low security issue
[ Tests ]
No new tests; the current ones still pass
[ Risks ]
No risk; the patch is trivial
[ Checklist ]
[X] all changes are documented in the d/changelog
[X] I reviewed all changes and I approve them
[X] attach debdiff against the package in testing
Cheers,
Yadd
unblock node-ua-parser-js/0.8.1+ds+~0.7.36-3
-------------- next part --------------
diff --git a/debian/changelog b/debian/changelog
index 97dc70f..fe75bc4 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+node-ua-parser-js (0.8.1+ds+~0.7.36-3) unstable; urgency=medium
+
+ * Team upload
+ * Update standards version to 4.6.2, no changes needed.
+ * Remove unsafe and ueless regex (Closes: CVE-2022-25927)
+
+ -- Yadd <yadd at debian.org> Sun, 09 Apr 2023 07:47:39 +0400
+
node-ua-parser-js (0.8.1+ds+~0.7.36-2) unstable; urgency=medium
[ Debian Janitor ]
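Review bot: two nits in the new changelog entry. "ueless" on the CVE line should read "useless", and "Closes: CVE-2022-25927" is not a Debian bug number, so the Closes: keyword closes nothing; either cite the BTS bug if one exists or phrase it as "Fix CVE-2022-25927 (ReDoS in trim())", which still leaves the CVE identifier in the entry for the security tracker.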
diff --git a/debian/control b/debian/control
index a65ee3c..5156727 100644
--- a/debian/control
+++ b/debian/control
@@ -10,7 +10,7 @@ Build-Depends: debhelper-compat (= 13)
, node-requirejs <!nocheck>
, node-safe-regex <!nocheck>
, terser
-Standards-Version: 4.6.1
+Standards-Version: 4.6.2
Vcs-Browser: https://salsa.debian.org/js-team/node-ua-parser-js
Vcs-Git: https://salsa.debian.org/js-team/node-ua-parser-js.git
Homepage: https://github.com/faisalman/ua-parser-js
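Review bot: the Standards-Version bump from 4.6.1 to 4.6.2 is unrelated to the CVE fix; a freeze-exception debdiff is expected to carry only the targeted change, so it would be cleaner to drop this hunk and keep the diff limited to the patch. The changelog does record it as needing no other changes, so it is harmless if the release team accepts it.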
diff --git a/debian/patches/CVE-2022-25927.patch b/debian/patches/CVE-2022-25927.patch
new file mode 100644
index 0000000..23e19bd
--- /dev/null
+++ b/debian/patches/CVE-2022-25927.patch
@@ -0,0 +1,22 @@
+Description: Remove unsafe regex in trim() function
+ `trim()` function contains a regular expression that is vulnerable to
+ ReDoS but was uncaught by `safe-regex` module
+Author: Faisal Salman <f at faisalman.com>
+Origin: upstream, https://github.com/faisalman/ua-parser-js/commit/a6140a17
+Bug: https://security.snyk.io/vuln/SNYK-JS-UAPARSERJS-3244450
+Forwarded: not-needed
+Applied-Upstream: 1.0.33, commit:a6140a17
+Reviewed-By: Yadd <yadd at debian.org>
+Last-Update: 2023-04-09
+
+--- a/src/ua-parser.js
++++ b/src/ua-parser.js
+@@ -92,7 +92,7 @@
+ },
+ trim = function (str, len) {
+ if (typeof(str) === STR_TYPE) {
+- str = str.replace(/^\s\s*/, EMPTY).replace(/\s\s*$/, EMPTY);
++ str = str.replace(/^\s\s*/, EMPTY);
+ return typeof(len) === UNDEF_TYPE ? str : str.substring(0, UA_MAX_LENGTH);
+ }
+ };
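Review bot: the fix removes trailing-whitespace trimming instead of replacing it with a safe form, so trim() now returns "foo " for "foo "; that matches upstream commit a6140a17 but is a behaviour change that deserves a line in the changelog. The retained /^\s\s*/ is fine: anchored at ^ it is attempted once and runs in linear time, whereas /\s\s*$/ is retried from every offset and re-scans the rest of the whitespace run each time, which is the quadratic blow-up behind CVE-2022-25927. Note also that the substring(0, UA_MAX_LENGTH) on the following context line runs after the replace(), so it never bounded the regex's work; if trailing trimming is wanted back, truncate first and then use a non-backtracking trim (String.prototype.trim or an index scan). The same context line ignores the len argument in favour of UA_MAX_LENGTH; that is pre-existing and out of scope for this unblock.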
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 0000000..8115996
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1 @@
+CVE-2022-25927.patch
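The ReDoS this unblock request fixes, as an added example that is not part of the mail, the debdiff or ua-parser-js upstream: the trim() helper before and after the patch (reconstructed from the two hunk lines), a linear-time trim that restores trailing-whitespace stripping, a constructed worst-case input, and a timing loop that shows the quadratic cost. The value UA_MAX_LENGTH = 255 and the names trimLinear, trimCapped, redosInput and measureMs are assumptions made for this example only.

```javascript
// Added example: not code from the Debian package or from ua-parser-js upstream.
// trimVulnerable/trimPatched are reconstructed from the two hunk lines in the patch;
// UA_MAX_LENGTH is an assumed value (the real constant is defined in src/ua-parser.js).
const EMPTY = '';
const UA_MAX_LENGTH = 255; // assumption for this example
const WS = /\s/;           // single-character test, same class as \s in the regexes below

// Before the patch. /\s\s*$/ has no left anchor, so the engine retries it from
// every offset and, on a long run of whitespace that is not at end of string,
// re-scans the remainder of the run each time: quadratic work in the input length.
function trimVulnerable(str) {
  return str.replace(/^\s\s*/, EMPTY).replace(/\s\s*$/, EMPTY);
}

// After the patch: leading trim only. Anchored at ^, /^\s\s*/ is attempted once
// and runs in linear time, but trailing whitespace is no longer removed.
function trimPatched(str) {
  return str.replace(/^\s\s*/, EMPTY);
}

// Linear-time replacement that keeps the old behaviour (both ends stripped):
// two index scans, no backtracking regex.
function trimLinear(str) {
  let start = 0;
  let end = str.length;
  while (start < end && WS.test(str[start])) start++;
  while (end > start && WS.test(str[end - 1])) end--;
  return str.slice(start, end);
}

// Defence in depth: truncate before trimming. In the original code the
// substring(0, UA_MAX_LENGTH) ran after replace(), so it never bounded the regex cost.
function trimCapped(str, max = UA_MAX_LENGTH) {
  return trimLinear(str.slice(0, max));
}

// Constructed ReDoS input: n spaces followed by one non-space, so /\s\s*$/ consumes
// the whole run from each offset and then fails to match $.
function redosInput(n) {
  return ' '.repeat(n) + 'x';
}

// Wall-clock cost of fn(input) in milliseconds (Date.now() keeps this portable).
function measureMs(fn, input) {
  const t0 = Date.now();
  fn(input);
  return Date.now() - t0;
}

// Stand-alone run: the vulnerable timing roughly quadruples as n doubles,
// the linear one stays flat.
if (typeof require !== 'undefined' && require.main === module) {
  for (const n of [4000, 8000, 16000]) {
    const s = redosInput(n);
    console.log(`n=${n} vulnerable=${measureMs(trimVulnerable, s)}ms linear=${measureMs(trimLinear, s)}ms`);
  }
}
```

Run it with node to see the timings grow; the point of trimCapped is ordering, cap the length before any regex touches the string, and the point of trimLinear is that a trailing trim does not need a regex at all.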