On 13/07/2022 08:38, Salvatore Bonaccorso wrote:
Source: node-moment
Version: 2.29.3+ds-1
Severity: grave
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>

Hi,

The following vulnerability was published for node-moment.

CVE-2022-31129[0]:
| moment is a JavaScript date library for parsing, validating,
| manipulating, and formatting dates. Affected versions of moment were
| found to use an inefficient parsing algorithm. Specifically using
| string-to-date parsing in moment (more specifically rfc2822 parsing,
| which is tried by default) has quadratic (N^2) complexity on specific
| inputs. Users may notice a noticeable slowdown is observed with inputs
| above 10k characters. Users who pass user-provided strings without
| sanity length checks to moment constructor are vulnerable to (Re)DoS
| attacks. The problem is patched in 2.29.4, the patch can be applied to
| all affected versions with minimal tweaking. Users are advised to
| upgrade. Users unable to upgrade should consider limiting date lengths
| accepted from user input.

If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
Hi,

here is the debdiff

Best regards,
Yadd
diff --git a/debian/changelog b/debian/changelog index d0566a3b..3bf1ca51 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +node-moment (2.29.1+ds-2+deb11u2) bullseye-security; urgency=medium + + * Fix ReDoS (Closes: #1014845, CVE-2022-31129) + + -- Yadd <y...@debian.org> Wed, 13 Jul 2022 21:12:52 +0200 + node-moment (2.29.1+ds-2+deb11u1) bullseye; urgency=medium * Avoid loading path-looking locales from fs (Closes: #1009327, diff --git a/debian/patches/CVE-2022-31129.patch b/debian/patches/CVE-2022-31129.patch new file mode 100644 index 00000000..e10777fa --- /dev/null +++ b/debian/patches/CVE-2022-31129.patch 
@@ -0,0 +1,42 @@ +Description: Fix ReDoS +Author: Khang Vo (doublevkay) +Origin: upstream, https://github.com/moment/moment/commit/9a3b5894 +Bug: https://github.com/moment/moment/security/advisories/GHSA-wc69-rhjr-hc9g +Bug-Debian: https://bugs.debian.org/1014845 +Forwarded: not-needed +Reviewed-By: Yadd <y...@debian.org> +Last-Update: 2022-07-13 + +--- a/dist/moment.js ++++ b/dist/moment.js +@@ -2434,7 +2434,7 @@ + function preprocessRFC2822(s) { + // Remove comments and folding whitespace and replace multiple-spaces with a single space + return s +- .replace(/\([^)]*\)|[\n\t]/g, ' ') ++ .replace(/\([^()]*\)|[\n\t]/g, ' ') + .replace(/(\s\s+)/g, ' ') + .replace(/^\s\s*/, '') + .replace(/\s\s*$/, ''); +--- a/moment.js ++++ b/moment.js +@@ -2440,7 +2440,7 @@ + function preprocessRFC2822(s) { + // Remove comments and folding whitespace and replace multiple-spaces with a single space + return s +- .replace(/\([^)]*\)|[\n\t]/g, ' ') ++ .replace(/\([^()]*\)|[\n\t]/g, ' ') + .replace(/(\s\s+)/g, ' ') + .replace(/^\s\s*/, '') + .replace(/\s\s*$/, ''); +--- a/src/lib/create/from-string.js ++++ b/src/lib/create/from-string.js +@@ -147,7 +147,7 @@ + function preprocessRFC2822(s) { + // Remove comments and folding whitespace and replace multiple-spaces with a single space + return s +- .replace(/\([^)]*\)|[\n\t]/g, ' ') ++ .replace(/\([^()]*\)|[\n\t]/g, ' ') + .replace(/(\s\s+)/g, ' ') + .replace(/^\s\s*/, '') + .replace(/\s\s*$/, ''); diff --git a/debian/patches/series b/debian/patches/series index b59ca1ed..48b9eff0 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -1 +1,2 @@ CVE-2022-24785.patch +CVE-2022-31129.patch
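Review bot: the new debian/changelog entry says only "Fix ReDoS", which does not tell a reader of the security upload which code path is affected. Naming it, for example "Fix ReDoS in RFC 2822 string parsing (preprocessRFC2822)", would match the level of detail of the previous entry ("Avoid loading path-looking locales from fs"). The bug number and CVE id are both present in the Closes: line as the report asked.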
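Review bot: in debian/patches/CVE-2022-31129.patch, the switch from `\([^)]*\)` to `\([^()]*\)` in preprocessRFC2822 (dist/moment.js, moment.js and src/lib/create/from-string.js) also changes which text is stripped when parentheses are nested or unbalanced, and the Description: field does not mention it. The old pattern removed everything from the first `(` to the first `)`; the new one removes only parenthesised runs that contain no further parenthesis, so for `(a (b) c)` the outer pair now survives preprocessing. Neither version handled nested comments, so this looks acceptable for a security update, but a sentence about it in the patch header would help. The patch also touches only the three copies of the function and adds no regression test, so consider a test that runs the RFC 2822 path on a long input and on a nested comment.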
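An added example, not code from moment or from the Debian package: it implements the length-limit workaround the advisory recommends and checks that the patched pattern from the debdiff leaves flat RFC 2822 comments unchanged while treating nested ones differently. The two patterns are copied from the diff; `acceptDateInput`, `behaviourDiffs`, the 256-character cap and the sample strings are assumptions made for illustration.

```javascript
// Added example: not code from moment or from the Debian package.
// The two patterns are copied from the diff; all other names are hypothetical.
const OLD_COMMENT_RE = /\([^)]*\)|[\n\t]/g;  // before the patch
const NEW_COMMENT_RE = /\([^()]*\)|[\n\t]/g; // after the patch

// preprocessRFC2822 as shown in the diff, with the comment pattern as a parameter.
function preprocess(s, commentRe) {
  return s
    .replace(commentRe, ' ')
    .replace(/(\s\s+)/g, ' ')
    .replace(/^\s\s*/, '')
    .replace(/\s\s*$/, '');
}

// Assumed cap; choose the longest date string the application legitimately accepts.
const MAX_DATE_INPUT_LENGTH = 256;

// Workaround from the advisory for callers that cannot upgrade:
// refuse over-long or non-string input before it reaches the date parser.
function acceptDateInput(value, maxLength = MAX_DATE_INPUT_LENGTH) {
  if (typeof value !== 'string') return { ok: false, reason: 'not-a-string' };
  if (value.length > maxLength) return { ok: false, reason: 'too-long' };
  return { ok: true, value };
}

// Constructed RFC 2822 style samples with flat (non-nested) comments.
const SAMPLES = [
  'Tue, 01 Nov 2016 01:23:45 GMT',
  'Tue, 01 Nov 2016 01:23:45 +0000 (UTC)',
  'Tue,\n 01 Nov 2016\t01:23:45 (comment one) +0000 (comment two)',
  '  (leading) Tue, 01 Nov 2016 01:23:45 GMT  ',
];
// Constructed sample with a nested comment, which the two patterns treat differently.
const NESTED = 'Tue, 01 Nov 2016 01:23:45 GMT (outer (inner) text)';

// Backport check: list the inputs whose preprocessed form changed with the patch.
function behaviourDiffs(samples) {
  return samples.filter(
    (s) => preprocess(s, OLD_COMMENT_RE) !== preprocess(s, NEW_COMMENT_RE)
  );
}

console.log('changed flat samples:', behaviourDiffs(SAMPLES).length);
console.log('old nested:', preprocess(NESTED, OLD_COMMENT_RE));
console.log('new nested:', preprocess(NESTED, NEW_COMMENT_RE));
```

The guard belongs at the point where untrusted strings enter the application, before any call into the date parser.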