[Pkg-javascript-devel] Bug#1107701: unblock: node-brace-expansion/2.0.1+~1.1.0-2
Yadd
yadd at debian.org
Thu Jun 12 11:03:44 BST 2025
Package: release.debian.org
Severity: normal
X-Debbugs-Cc: node-brace-expansion at packages.debian.org, yadd at debian.org
Control: affects -1 + src:node-brace-expansion
User: release.debian.org at packages.debian.org
Usertags: unblock
Please unblock package node-brace-expansion
[ Reason ]
node-brace-expansion is vulnerable to a Regex DoS (#1107695,
CVE-2025-5889)
[ Impact ]
Medium security issue
[ Tests ]
Test added in this patch
[ Risks ]
Low risk: the patch is trivial and the added test passes
[ Checklist ]
[X] all changes are documented in the d/changelog
[X] I reviewed all changes and I approve them
[X] attach debdiff against the package in testing
unblock node-brace-expansion/2.0.1+~1.1.0-2
-------------- next part --------------
diff --git a/debian/changelog b/debian/changelog
index 8469a60..48af48f 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+node-brace-expansion (2.0.1+~1.1.0-2) unstable; urgency=medium
+
+ * Declare compliance with policy 4.7.2
+ * Fix potential ReDoS vulnerability or inefficient regular expression
+ (Closes: #1107695, CVE-2025-5889)
+
+ -- Yadd <yadd at debian.org> Thu, 12 Jun 2025 11:55:12 +0200
+
node-brace-expansion (2.0.1+~1.1.0-1) unstable; urgency=medium
* Team upload
diff --git a/debian/control b/debian/control
index 96d4fc6..da61939 100644
--- a/debian/control
+++ b/debian/control
@@ -7,7 +7,7 @@ Build-Depends: debhelper-compat (= 13)
, dh-sequence-nodejs
, node-balanced-match <!nocheck>
, node-tape <!nocheck>
-Standards-Version: 4.6.2
+Standards-Version: 4.7.2
Vcs-Browser: https://salsa.debian.org/js-team/node-brace-expansion
Vcs-Git: https://salsa.debian.org/js-team/node-brace-expansion.git
Homepage: https://github.com/juliangruber/brace-expansion
diff --git a/debian/patches/CVE-2025-5889.patch b/debian/patches/CVE-2025-5889.patch
new file mode 100644
index 0000000..9eaa54c
--- /dev/null
+++ b/debian/patches/CVE-2025-5889.patch
@@ -0,0 +1,36 @@
+Description: fix potential ReDoS vulnerability or inefficient regular expression in project
+Author: mmmsssttt404 <931121963 at qq.com>
+Origin: upstream, https://patch-diff.githubusercontent.com/raw/juliangruber/brace-expansion/pull/65
+Bug: https://github.com/juliangruber/brace-expansion/issues/66
+Bug-Debian: https://bugs.debian.org/1107695
+Forwarded: not-needed
+Applied-Upstream: 2.0.2, https://github.com/juliangruber/brace-expansion/commit/36603d5f
+Reviewed-By: Yadd <yadd at debian.org>
+Last-Update: 2025-06-12
+
+--- a/index.js
++++ b/index.js
+@@ -116,7 +116,7 @@
+ var isOptions = m.body.indexOf(',') >= 0;
+ if (!isSequence && !isOptions) {
+ // {a},b}
+- if (m.post.match(/,.*\}/)) {
++ if (m.post.match(/,(?!,).*\}/)) {
+ str = m.pre + '{' + m.body + escClose + m.post;
+ return expand(str);
+ }
+--- /dev/null
++++ b/test/redos.js
+@@ -0,0 +1,12 @@
++import test from 'node:test'
++import assert from 'assert'
++import expand from '../index.js'
++
++test('redos', function () {
++let str = "{a}" + ",".repeat(100000) + "\u0000";
++ let startTime = performance.now();
++ expand(str)
++ let endTime = performance.now();
++ let timeTaken = endTime - startTime;
++ assert.ok(timeTaken < 10000, `Expected time (${timeTaken}ms) to be less than 10000ms`);
++})
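Review bot: The `(?!,)` lookahead introduced at `if (m.post.match(/,(?!,).*\}/)) {` only stops the engine from re-starting a match inside a run of consecutive commas; every comma that is followed by some other character still begins its own `.*` scan and backtrack, so the check appears to stay quadratic in the length of `m.post` whenever commas are interleaved with other text, and the added `test/redos.js` case (a pure comma run) would not detect that. Since the expression only asks whether a `}` occurs after some comma, a two-line index check such as `var comma = m.post.indexOf(','); if (comma >= 0 && m.post.indexOf('}', comma) >= 0) {` runs in linear time, with the caveat that `.` in the original excludes line terminators, so the two differ only when a newline sits between the comma and the `}`. A second timing test whose input does not consist solely of commas would make the regression check meaningfully stronger. The patched `expand` function starts and ends outside this hunk, so callers of the narrowed condition are not visible here.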
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 0000000..d36590c
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1 @@
+CVE-2025-5889.patch