Package: release.debian.org Severity: normal Tags: bullseye User: release.debian....@packages.debian.org Usertags: pu
[ Reason ] node-hawk used a regular expression to parse the `Host` HTTP header (`Hawk.utils.parseHost()`), which was subject to a regular expression denial-of-service (ReDoS) attack (CVE-2022-29167). [ Impact ] Medium security issue [ Tests ] Sadly, tests were not run in Bullseye [ Risks ] Low risk; the patch is trivial [ Checklist ] [X] *all* changes are documented in the d/changelog [X] I reviewed all changes and I approve them [X] attach debdiff against the package in (old)stable [X] the issue is verified as fixed in unstable Replace the custom URL parsing with the `url` module functions. Cheers, Yadd
diff --git a/debian/changelog b/debian/changelog
index 7a55fa8..a913487 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+node-hawk (8.0.1+dfsg-2+deb11u1) bullseye; urgency=medium
+
+ * Team upload
+ * Parse URLs using stdlib (Closes: CVE-2022-29167)
+
+ -- Yadd <y...@debian.org> Sun, 04 Dec 2022 11:39:16 +0100
+
 node-hawk (8.0.1+dfsg-2) unstable; urgency=medium
 * Team upload
diff --git a/debian/patches/CVE-2022-29167.patch b/debian/patches/CVE-2022-29167.patch
new file mode 100644
index 0000000..2c41b08
--- /dev/null
+++ b/debian/patches/CVE-2022-29167.patch
@@ -0,0 +1,57 @@
+Description: Parse URLs using stdlib
+Author: Yaraslau Kurmyza <ya...@mozilla.com>
+Origin: upstream, https://github.com/mozilla/hawk/commit/ade13411
+Bug: https://github.com/mozilla/hawk/security/advisories/GHSA-44pw-h2cw-w3vq
+Forwarded: not-needed
+Applied-Upstream: 9.0.1, ade13411
+Reviewed-By: Yadd <y...@debian.org>
+Last-Update: 2022-12-04
+
+--- a/lib/utils.js
++++ b/lib/utils.js
+@@ -2,6 +2,7 @@
+ 
+ const Boom = require('@hapi/boom');
+ const Sntp = require('@hapi/sntp');
++const Url = require('url');
+ 
+ 
+ const internals = {};
+@@ -18,17 +19,19 @@
+ };
+ 
+ 
+-// Extract host and port from request
+-
+-// $1 $2
+-internals.hostHeaderRegex = /^(?:(?:\r\n)?\s)*((?:[^:]+)|(?:\[[^\]]+\]))(?::(\d+))?(?:(?:\r\n)?\s)*$/; // (IPv4, hostname)|(IPv6)
+-
+-
+ exports.parseHost = function (req, hostHeaderName) {
+ 
+ hostHeaderName = (hostHeaderName ? hostHeaderName.toLowerCase() : 'host');
+ const hostHeader = req.headers[hostHeaderName];
+- if (!hostHeader) {
++ if (hostHeader.indexOf('/') !== -1) {
++ return null;
++ }
++
++ let uri;
++ try {
++ uri = new Url.URL('http://' + hostHeader);
++ }
++ catch (err) {
+ return null;
+ }
+ 
+@@ -42,8 +45,8 @@
+ }
+ 
+ return {
+- name: hostParts[1],
+- port: (hostParts[2] ? hostParts[2] : (req.connection && req.connection.encrypted ? 443 : 80))
++ name: uri.hostname,
++ port: (uri.port ? uri.port : (req.connection && req.connection.encrypted ? 443 : 80))
+ };
+ };
+ 
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 0000000..43fa212
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1 @@
+CVE-2022-29167.patch
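Review bot: The `if (!hostHeader)` guard is removed instead of kept alongside the new check, so a request with no `Host` header (or whatever header `hostHeaderName` names) now throws a TypeError from `hostHeader.indexOf` on `undefined` where parseHost previously returned null; keep both conditions, `if (!hostHeader || hostHeader.indexOf('/') !== -1) {`. The `/` test only rejects a path, while the WHATWG `URL` constructor also treats `?`, `#`, `@` and `\` as delimiters, so a malformed Host value such as `a@b` is accepted with `uri.hostname` silently reduced to `b` rather than rejected — presumably the check should cover those characters too, to be confirmed against the upstream ade13411 change. `uri.hostname` is also normalized by the URL parser (lowercased, IDNA-encoded) whereas the old regex returned the header's raw capture, a behavioural difference worth recording in the patch's `Description:` since downstream code may compare or sign that value. The middle of parseHost (new lines 38–44, between the two inner hunks) is outside what this patch shows.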