Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Please unblock package node-got

[ Reason ]
node-normalize-url (embedded in node-got) is vulnerable to a Regex Denial of
Service (ReDoS) (#989258, CVE-2021-33502). This little patch fixes it.

[ Impact ]
Medium security issue

[ Tests ]
Sadly tests are not enabled for this package due to missing test dependencies

[ Risks ]
No risk here, patch is trivial (just a regex improvement)

[ Checklist ]
  [X] all changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in testing

Cheers,
Yadd

unblock node-got/11.8.1+~cs53.13.17-3

-----BEGIN PGP SIGNATURE-----

iQJEBAEBCgAuFiEEAN/li4tVV3nRAF7J9tdMp8mZ7ukFAmC0tMwQHHlhZGRAZGVi
aWFuLm9yZwAKCRD210ynyZnu6TKiD/4jlh7TN9AxaWxx2MJLho3t/w3eBaHL9zzP
091IzeAZndqYDzAsC0migMIeMpwS0laDg9WTafesq0kPWGPCPbFOtuiQo8CNAoP5
eakDTq0LZRjSDbziUe3QjT9YdSOeOBbopRkDx8fcpBu8Wutp6trsIgAUQ0xaGMYL
KJRzn/e90Ceqg+VUd9Pimp4EFnB+MfX5PPVUcJSJCFFgmHSQuvBPl9BV7qaIF05Y
n4H64Pa4bLh4+iSvvfbhvotnt7W091b86lTEuWzAv9XOijjeIRpkRPBUHRSXTSoc
BDhQ9kgE6y4PUip7iBpNTPRpZpSj0ow8kRcekoBYp9U9EO34dffk/czBj203FVWv
me61VJITKhLKuBhQ4GCHbXrmnMYcax+hZXiev9vvsF+v1W3pJgj0KFc51/cBkoCc
n+YuNq8+0ski1byjA3edk+VWsQz/q7ElNs3Y0ZvHH4nfA0UUXzastPlSw5qnoOyK
kkUFUdCF2w5i4HrJZ0bgKjA+c4eouAUkF8+z5ENQ2K6XJ1Iwqv8lwo162MfTPq1W
zNj6CWWBEgB+GLkEO7VBcpwrPMoJHkRejjZTRhUWBP47CnnzX6a+JOfLGYG/PytO
R6yLy/oWQtoPTsDDuqP0LH+korjw2DmFsH8DWxWbCdtmQzB1dEn7+htluK2h+Mbt
W5J0x1auFw==
=dUjO
-----END PGP SIGNATURE-----
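Since the package's own test suite is disabled, the following added example (not code from node-got, normalize-url, or this unblock request) lets a reviewer reproduce the ReDoS locally and see what the fix changes. Only the two regular expressions are taken from the attached CVE-2021-33502 patch; the function names (parseDataURL, outcome, craftedInput, timeMatch, acceptanceDiff), the sample URLs and the input sizes are constructed for the demonstration. It also shows a side effect of the fix that the patch does not mention: the negated character classes match newlines where `.` did not, so some inputs that used to throw now parse.

```javascript
// Added example, not code from node-got or normalize-url: the two regexes are
// copied from the CVE-2021-33502 patch; the function names, sample URLs and
// sizes below are constructed for this demonstration.

// Before the fix: lazy `.*?` in both groups, so nothing stops `type` from
// growing past a `,` or `data` from growing past a `#`, and on a string that
// can never match the engine retries every split before giving up.
const VULNERABLE = /^data:(?<type>.*?),(?<data>.*?)(?:#(?<hash>.*))?$/;

// After the fix: `[^,]` and `[^#]` pin `type` before the first `,` and `data`
// before the first `#`, so each group has exactly one way to end.
const FIXED = /^data:(?<type>[^,]*?),(?<data>[^#]*?)(?:#(?<hash>.*))?$/;

// Same shape as the parsing step inside normalizeDataURL: named groups on
// success, an `Invalid URL` error otherwise.
function parseDataURL(re, urlString) {
  const match = re.exec(urlString);
  if (!match) {
    throw new Error(`Invalid URL: ${urlString}`);
  }
  const { type, data, hash } = match.groups;
  return { type, data, hash: hash === undefined ? null : hash };
}

// 'match' or 'throw' for a given regex and input, so outcomes can be compared.
function outcome(re, urlString) {
  try {
    parseDataURL(re, urlString);
    return 'match';
  } catch {
    return 'throw';
  }
}

// The attacker-controlled shape from the upstream test: many `,#` pairs and a
// trailing carriage return, which `.` never matches, so `$` can never succeed
// and the old regex backtracks over every candidate split before failing.
function craftedInput(pairs) {
  return 'data:' + ',#'.repeat(pairs) + '\ra';
}

// Wall-clock cost of one exec in milliseconds (Date.now, as in upstream's test).
function timeMatch(re, urlString) {
  const start = Date.now();
  const result = outcome(re, urlString);
  return { result, ms: Date.now() - start };
}

// Constructed inputs where the fix also changes what is accepted: `[^,]` and
// `[^#]` match `\n` and `\r`, which `.` does not, so a newline inside the type
// or data part now parses instead of throwing.
const NEWLINE_CASES = [
  'data:text/plain,hello\nworld',
  'data:text/\nplain,x#frag',
];

function acceptanceDiff(cases = NEWLINE_CASES) {
  return cases.map(url => ({
    url: JSON.stringify(url),
    before: outcome(VULNERABLE, url),
    after: outcome(FIXED, url),
  }));
}

// Demo: the crafted input's cost climbs steeply with the old regex and stays
// flat with the new one (both correctly throw); then the acceptance difference.
for (const pairs of [100, 200, 300]) {
  const input = craftedInput(pairs);
  const before = timeMatch(VULNERABLE, input);
  const after = timeMatch(FIXED, input);
  console.log(`${pairs} pairs: before ${before.ms} ms, after ${after.ms} ms (both ${before.result})`);
}
console.table(acceptanceDiff());
```

Run it with `node` on the patched and unpatched regex side by side; the sizes are kept well below the 950 pairs of the upstream test so the vulnerable case finishes in well under a second, while still showing the growth. The acceptance table is the part worth keeping in mind when reviewing: the fix is not a pure performance change, because carriage returns and newlines inside the type or data part are now accepted by the regex and passed on to the rest of normalizeDataURL.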
diff --git a/debian/changelog b/debian/changelog index c1ca5b3..9cda1ef 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +node-got (11.8.1+~cs53.13.17-3) unstable; urgency=medium + + * Team upload + * Fix ReDoS (Closes: #989258, CVE-2021-33502) + + -- Yadd <y...@debian.org> Mon, 31 May 2021 11:57:23 +0200 + node-got (11.8.1+~cs53.13.17-2) unstable; urgency=medium * Team upload diff --git a/debian/patches/CVE-2021-33502.patch b/debian/patches/CVE-2021-33502.patch new file mode 100644 index 0000000..1572953 --- /dev/null +++ b/debian/patches/CVE-2021-33502.patch @@ -0,0 +1,40 @@ +Description: Fix ReDoS for data URLs +Author: Sindre Sorhus <sindresor...@gmail.com> +Origin: upstream, https://github.com/sindresorhus/normalize-url/commit/b1fdb51 +Bug: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33502 +Bug-Debian: https://bugs.debian.org/989258 +Forwarded: not-needed +Reviewed-By: Yadd <y...@debian.org> +Last-Update: 2021-05-31 + +--- a/normalize-url/index.js ++++ b/normalize-url/index.js +@@ -9,7 +9,7 @@ + }; + + const normalizeDataURL = (urlString, {stripHash}) => { +- const match = /^data:(?<type>.*?),(?<data>.*?)(?:#(?<hash>.*))?$/.exec(urlString); ++ const match = /^data:(?<type>[^,]*?),(?<data>[^#]*?)(?:#(?<hash>.*))?$/.exec(urlString); + + if (!match) { + throw new Error(`Invalid URL: ${urlString}`); +--- a/normalize-url/test.js ++++ b/normalize-url/test.js +@@ -320,3 +320,17 @@ + normalizeUrl('view-source:https://www.sindresorhus.com'); + }, '`view-source:` is not supported as it is a non-standard protocol'); + }); ++ ++test('does not have exponential performance for data URLs', t => { ++ for (let index = 0; index < 1000; index += 50) { ++ const url = 'data:' + Array.from({length: index}).fill(',#').join('') + '\ra'; ++ const start = Date.now(); ++ ++ try { ++ normalizeUrl(url); ++ } catch {} ++ ++ const difference = Date.now() - start; ++ t.true(difference < 100, `Execution time: ${difference}`); ++ } ++}); 
diff --git a/debian/patches/series b/debian/patches/series index 225f561..2299ad7 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -1,2 +1,3 @@ build-source-only.diff fix-package-json-paths.diff +CVE-2021-33502.patch
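Review bot: the regex change in the normalize-url/index.js hunk also changes which strings are accepted, not only how fast a non-match fails: `[^,]` and `[^#]` match `\r` and `\n`, whereas `.` does not, so a data URL with a newline in its type or data part (for example `data:text/plain,a\nb`) now parses where the old expression threw `Invalid URL`. That is upstream's behaviour and fine to ship, but it deserves a sentence in the patch `Description:` or the changelog so the widened acceptance is not later mistaken for a regression. As a minor style point, once the classes are negated the lazy `*?` on `[^,]*?` and `[^#]*?` no longer buys anything, since each group has a single possible end.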
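Review bot: the new test in the normalize-url/test.js hunk asserts wall-clock time (`t.true(difference < 100, ...)`), which is a flaky check on a loaded builder, and since the unblock text says tests are not enabled for this package it will not run during the Debian build at all. Because nothing automated exercises the fix here, a manual check before upload is worthwhile: load the patched embedded copy (assuming it resolves as `require('./normalize-url')` from the source tree) and call it on `'data:' + ',#'.repeat(950) + '\ra'`; it should throw `Invalid URL` immediately rather than stall.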
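Review bot: in the DEP-3 header of debian/patches/CVE-2021-33502.patch, `Origin: upstream, https://github.com/sindresorhus/normalize-url/commit/b1fdb51` carries only a 7-character abbreviated commit id; a full 40-character hash keeps the reference unambiguous as the upstream history grows and lets the patch be traced without GitHub resolving the prefix. `Forwarded: not-needed` is consistent with the upstream origin, so no change needed there.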