On Tue, 2022-11-29 at 11:14 +0100, Yadd wrote:
> On 29/11/2022 10:56, Yadd wrote:
> > On 28/11/2022 22:11, Paul Gevers wrote:
> > > Hi Yadd,
> > >
> > > On Sat, 26 Nov 2022 13:01:22 +0000 Adam D Barratt
> > > <a...@adam-barratt.org.uk> wrote:
> > > > The upload referenced by this bug report has been flagged for
> > > > acceptance into the proposed-updates queue for Debian bullseye.
> > > >
> > > > Thanks for your contribution!
> > > >
> > > > Upload details
> > > > ==============
> > > >
> > > > Package: node-minimatch
> > > > Version: 3.0.4+~3.0.3-1+deb11u1
> > > >
> > > > Explanation: improve protection against regular expression-based
> > > > denial of service [CVE-2022-3517]
> > >
> > > The upload breaks [1] the autopkgtest of node-glob. Can you have
> > > a look?
> > > [...]
> >
> > the problem is in this part of the minimatch.js patch:
> >
> > @@ -280,7 +306,7 @@
> > if (pattern === '') return ''
> >
> > var re = ''
> > - var hasMagic = !!options.nocase
> > + var hasMagic = false
> > var escaping = false
> > // ? => one single character
> > var patternListStack = []
> >
> > We should apply this patch:
> > https://github.com/isaacs/minimatch/commit/e4cd4346
> >
> > I'm going to prepare a new upload
>
> Here is a new debdiff:
>  * this cleans CVE-2022-3517 patch (package*.json changes not
> needed)
>  * this includes regression fixes from 3.0.6 and 3.0.7
>
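Review bot: the initialiser `var hasMagic = false` in the quoted hunk discards the `!!options.nocase` value that the replaced line carried, so a pattern containing no glob metacharacters stops being treated as magic whenever `nocase` is set; that is the behaviour change Yadd traces to the node-glob autopkgtest failure, so the bullseye backport should not carry this hunk on its own but together with the upstream follow-up https://github.com/isaacs/minimatch/commit/e4cd4346 named in the message (or keep `var hasMagic = !!options.nocase` until that follow-up is included).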
If the huge package*.json changes aren't needed, then why are they included? Your stable -> deb11u2 diff contains a *lot* of noise with the changes to package-lock.json.

Other than that, the patch does look like it's just the (still quite large) changes from upstream relating to the CVE, so please go ahead.

Regards,

Adam
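Adam's objection above is to a stable-update debdiff padded with package-lock.json churn that has nothing to do with the CVE fix. The following is an added example, not code from this thread or from the node-minimatch package: a small POSIX shell helper that summarises a unified diff per file and reports how much of it lands in files matching a "noise" pattern, so a reviewer can see at a glance whether the security-relevant change is buried under lockfile updates. The diff embedded in `sample_debdiff` is constructed for illustration (its file names and line contents are invented and are not the real deb11u2 debdiff), and the function names are the example's own.

```shell
#!/bin/sh
# Added example: audit a Debian stable-update debdiff for "noise" files.
# Not part of the thread or of node-minimatch; function names are the example's own.

# Constructed sample in the shape of a debdiff. File names and contents are
# invented for illustration; this is NOT the real node-minimatch deb11u2 diff.
sample_debdiff() {
cat <<'EOF'
diff -Nru pkg-1.0/debian/changelog pkg-1.0/debian/changelog
--- pkg-1.0/debian/changelog
+++ pkg-1.0/debian/changelog
@@ -1,2 +1,8 @@
+pkg (1.0-1+deb11u2) bullseye; urgency=medium
+
+  * Apply upstream regression fix on top of the CVE patch
+
+ -- Example Maintainer <maint@example.org>  Tue, 29 Nov 2022 12:00:00 +0100
+
 pkg (1.0-1) unstable; urgency=medium
   * Initial release
diff -Nru pkg-1.0/minimatch.js pkg-1.0/minimatch.js
--- pkg-1.0/minimatch.js
+++ pkg-1.0/minimatch.js
@@ -280,6 +280,6 @@
   var re = ''
-  var hasMagic = !!options.nocase
+  var hasMagic = false
   var escaping = false
   // ? => one single character
   var patternListStack = []
diff -Nru pkg-1.0/package-lock.json pkg-1.0/package-lock.json
--- pkg-1.0/package-lock.json
+++ pkg-1.0/package-lock.json
@@ -1,9 +1,9 @@
 {
   "name": "minimatch",
-  "version": "3.0.4",
+  "version": "3.0.7",
   "lockfileVersion": 2,
   "packages": {
-    "node_modules/balanced-match": { "version": "1.0.0" },
-    "node_modules/brace-expansion": { "version": "1.1.11" }
+    "node_modules/balanced-match": { "version": "1.0.2" },
+    "node_modules/brace-expansion": { "version": "1.1.11" }
   }
 }
EOF
}

# Per-file added/removed line counts from a unified diff read on stdin.
# Output: "<path> <added> <removed>", one line per file, in diff order.
# The leading path component ("pkg-1.0/" or "a/") is stripped so that the
# old and new names of a file collapse onto one key.
debdiff_stat() {
  awk '
    /^\+\+\+ / {
      f = $2
      sub(/^[^\/]*\//, "", f)
      if (!(f in seen)) { seen[f] = 1; order[++n] = f }
      cur = f
      next
    }
    /^--- / || /^@@/ || /^diff / { next }
    /^\+/ && cur != "" { add[cur]++ }
    /^-/  && cur != "" { del[cur]++ }
    END {
      for (i = 1; i <= n; i++)
        printf "%s %d %d\n", order[i], add[order[i]] + 0, del[order[i]] + 0
    }
  '
}

# Total changed lines (added + removed) in files whose path matches the
# awk regular expression given as $1, for a diff read on stdin.
debdiff_noise_lines() {
  debdiff_stat | awk -v pat="$1" '$1 ~ pat { s += $2 + $3 } END { print s + 0 }'
}

# Human-readable report: one line per file tagged NOISE or ok, then the share
# of the whole diff that sits in noise files. Default pattern: package.json
# and package-lock.json, the files Adam flags in the thread.
debdiff_report() {
  pat=$1
  [ -n "$pat" ] || pat='package(-lock)?[.]json$'
  debdiff_stat | awk -v pat="$pat" '
    {
      chg = $2 + $3; total += chg
      if ($1 ~ pat) { tag = "NOISE"; noise += chg } else tag = "ok"
      printf "%-6s %5d+ %5d-  %s\n", tag, $2, $3, $1
    }
    END {
      if (total)
        printf "%d of %d changed lines (%d%%) are in noise files\n",
               noise + 0, total, int(100 * noise / total)
    }'
}
```

In practice the input is the output of `debdiff old.dsc new.dsc` from devscripts, e.g. `debdiff node-minimatch_*-1.dsc node-minimatch_*-1+deb11u2.dsc | debdiff_report`, with a different pattern as the first argument when the noisy files are something other than npm lockfiles. The parsing is the usual heuristic for unified diffs: a removed line whose own content starts with `-- ` shows up as `--- ` and would be skipped as a file header, so treat the counts as an overview for review, not as an exact diffstat.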