Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian....@packages.debian.org
Usertags: pu

[ Reason ]
Regex Denial of Service (CVE-2021-33623)

[ Impact ]
Medium vulnerability

[ Tests ]
Test passed

[ Risks ]
Low risk, patch is trivial

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

[ Changes ]
Replace regex by string parse

Cheers,
Yadd
diff --git a/debian/changelog b/debian/changelog index bfe52ab..84d1115 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +node-trim-newlines (3.0.0-1+deb11u1) bullseye; urgency=medium + + * Team upload + * Fix Regex Denial of Service (Closes: CVE-2021-33623) + + -- Yadd <y...@debian.org> Sat, 05 Feb 2022 12:23:20 +0100 + node-trim-newlines (3.0.0-1) unstable; urgency=medium * Team upload diff --git a/debian/patches/CVE-2021-33623.patch b/debian/patches/CVE-2021-33623.patch new file mode 100644 index 0000000..8ce1174 --- /dev/null +++ b/debian/patches/CVE-2021-33623.patch @@ -0,0 +1,34 @@ +Description: fix ReDoS +Author: upstream +Bug: https://github.com/advisories/GHSA-7p7h-4mm5-852v +Forwarded: not-needed +Reviewed-By: Yadd <y...@debian.org> +Last-Update: 2022-02-05 + +--- a/index.js ++++ b/index.js +@@ -1,4 +1,13 @@ + 'use strict'; + module.exports = string => string.replace(/^[\r\n]+/, '').replace(/[\r\n]+$/, ''); + module.exports.start = string => string.replace(/^[\r\n]+/, ''); +-module.exports.end = string => string.replace(/[\r\n]+$/, ''); ++ ++module.exports.end = string => { ++ let end = string.length; ++ ++ while (end > 0 && (string[end - 1] === '\r' || string[end - 1] === '\n')) { ++ end--; ++ } ++ ++ return end < string.length ? string.slice(0, end) : string; ++}; +--- a/package.json ++++ b/package.json +@@ -1,6 +1,6 @@ + { + "name": "trim-newlines", +- "version": "3.0.0", ++ "version": "3.0.1", + "description": "Trim newlines from the start and/or end of a string", + "license": "MIT", + "repository": "sindresorhus/trim-newlines", diff --git a/debian/patches/series b/debian/patches/series index 2cdbeba..2063155 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -1 +1,2 @@ replace-ava-by-tape.patch +CVE-2021-33623.patch
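Review bot: in the debian/changelog hunk, `(Closes: CVE-2021-33623)` will not close anything, because the Closes: field is parsed for Debian bug numbers (`#NNNNNN`), not CVE identifiers. Write the CVE as a plain reference, e.g. `* Fix Regex Denial of Service (CVE-2021-33623)`, and add `Closes: #NNNNNN` (placeholder; the page gives no bug number) only if a Debian bug exists for this issue.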
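Review bot: in the index.js hunk of debian/patches/CVE-2021-33623.patch, only `module.exports.end` is switched to the character-walking loop; the unchanged context line `module.exports = string => string.replace(/^[\r\n]+/, '').replace(/[\r\n]+$/, '');` still applies the same `/[\r\n]+$/` regex, so the default export keeps the quadratic backtracking on a long run of newlines followed by a non-newline character that this CVE is about. Consider making the default export reuse the fixed helpers, e.g. `module.exports = string => module.exports.end(module.exports.start(string));`, so that every entry point avoids the trailing-newline regex. Separately, the package.json part of the patch bumps "version" to 3.0.1 while the Debian package remains 3.0.0-1+deb11u1; dropping that chunk from the backport keeps the shipped metadata consistent with the packaged source version.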