Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian....@packages.debian.org
Usertags: pu
[ Reason ]
node-moment is vulnerable to ReDoS (#1014845, CVE-2022-31129)

[ Impact ]
Medium security issue

[ Tests ]
Sadly there is no test in this package.

[ Risks ]
Low risk, patch is trivial

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

[ Changes ]
Regexp improvement

Cheers,
Yadd
diff --git a/debian/changelog b/debian/changelog index d0566a3b..829c6ec2 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +node-moment (2.29.1+ds-2+deb11u2) bullseye; urgency=medium + + * Fix ReDoS (Closes: #1014845, CVE-2022-31129) + + -- Yadd <y...@debian.org> Wed, 13 Jul 2022 21:12:52 +0200 + node-moment (2.29.1+ds-2+deb11u1) bullseye; urgency=medium * Avoid loading path-looking locales from fs (Closes: #1009327, diff --git a/debian/patches/CVE-2022-31129.patch b/debian/patches/CVE-2022-31129.patch new file mode 100644 index 00000000..e10777fa --- /dev/null +++ b/debian/patches/CVE-2022-31129.patch 
@@ -0,0 +1,42 @@ +Description: Fix ReDoS +Author: Khang Vo (doublevkay) +Origin: upstream, https://github.com/moment/moment/commit/9a3b5894 +Bug: https://github.com/moment/moment/security/advisories/GHSA-wc69-rhjr-hc9g +Bug-Debian: https://bugs.debian.org/1014845 +Forwarded: not-needed +Reviewed-By: Yadd <y...@debian.org> +Last-Update: 2022-07-13 + +--- a/dist/moment.js ++++ b/dist/moment.js +@@ -2434,7 +2434,7 @@ + function preprocessRFC2822(s) { + // Remove comments and folding whitespace and replace multiple-spaces with a single space + return s +- .replace(/\([^)]*\)|[\n\t]/g, ' ') ++ .replace(/\([^()]*\)|[\n\t]/g, ' ') + .replace(/(\s\s+)/g, ' ') + .replace(/^\s\s*/, '') + .replace(/\s\s*$/, ''); +--- a/moment.js ++++ b/moment.js +@@ -2440,7 +2440,7 @@ + function preprocessRFC2822(s) { + // Remove comments and folding whitespace and replace multiple-spaces with a single space + return s +- .replace(/\([^)]*\)|[\n\t]/g, ' ') ++ .replace(/\([^()]*\)|[\n\t]/g, ' ') + .replace(/(\s\s+)/g, ' ') + .replace(/^\s\s*/, '') + .replace(/\s\s*$/, ''); +--- a/src/lib/create/from-string.js ++++ b/src/lib/create/from-string.js +@@ -147,7 +147,7 @@ + function preprocessRFC2822(s) { + // Remove comments and folding whitespace and replace multiple-spaces with a single space + return s +- .replace(/\([^)]*\)|[\n\t]/g, ' ') ++ .replace(/\([^()]*\)|[\n\t]/g, ' ') + .replace(/(\s\s+)/g, ' ') + .replace(/^\s\s*/, '') + .replace(/\s\s*$/, ''); diff --git a/debian/patches/series b/debian/patches/series index b59ca1ed..48b9eff0 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -1 +1,2 @@ CVE-2022-24785.patch +CVE-2022-31129.patch
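Review bot: in the new debian/patches/CVE-2022-31129.patch, the regexp change from `\([^)]*\)` to `\([^()]*\)` is the right fix for the backtracking cost but also narrows what counts as a comment, and that second effect deserves a line in the patch Description. With `[^)]*`, the comment alternative runs past any `(` it meets, so on input made of many unclosed parentheses the engine rescans the rest of the string from every `(` before giving up; with `[^()]*` each attempt stops at the next parenthesis, so the work is linear and only a balanced, non-nested `(...)` is stripped. The consequence is that a comment containing a nested parenthesis, e.g. `(a (b) c)`, is no longer removed whole by preprocessRFC2822 and will reach the RFC 2822 parser; that is an accepted behaviour change from upstream, but since the report says the package has no tests, it is worth noting explicitly rather than leaving the Description at "Fix ReDoS". The same one-line change is applied identically to dist/moment.js, moment.js and src/lib/create/from-string.js, which is correct given that the built dist file is shipped alongside the source and the three copies must agree.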