On Sun, 2022-12-04 at 19:07 +0100, Yadd wrote:
> On 04/12/2022 19:03, Adam D. Barratt wrote:
> > On Tue, 2022-11-29 at 11:14 +0100, Yadd wrote:
> > > On 29/11/2022 10:56, Yadd wrote:
> > > > On 28/11/2022 22:11, Paul Gevers wrote:
> > > > > Hi Yadd,
> > > > >
> > > > > On Sat, 26 Nov 2022 13:01:22 +0000 Adam D Barratt
> > > > > <a...@adam-barratt.org.uk> wrote:
> > > > > > The upload referenced by this bug report has been flagged
> > > > > > for acceptance into the proposed-updates queue for Debian
> > > > > > bullseye.
> > > > > >
> > > > > > Thanks for your contribution!
> > > > > >
> > > > > > Upload details
> > > > > > ==============
> > > > > >
> > > > > > Package: node-minimatch
> > > > > > Version: 3.0.4+~3.0.3-1+deb11u1
> > > > > >
> > > > > > Explanation: improve protection against regular expression-
> > > > > > based denial of service [CVE-2022-3517]
> > > > >
> > > > > The upload breaks [1] the autopkgtest of node-glob. Can you
> > > > > have a look?
> > > >
> > > [...]
> > > > the problem is in this part of minimatch.js patch:
> > > >
> > > > @@ -280,7 +306,7 @@
> > > >  if (pattern === '') return ''
> > > >
> > > >  var re = ''
> > > > - var hasMagic = !!options.nocase
> > > > + var hasMagic = false
> > > >  var escaping = false
> > > >  // ? => one single character
> > > >  var patternListStack = []
> > > >
> > > > We should apply this patch:
> > > > https://github.com/isaacs/minimatch/commit/e4cd4346
> > > >
> > > > I'm going to prepare a new upload
> > >
> > > Here is a new debdiff:
> > > * this cleans CVE-2022-3517 patch (package*.json changes not
> > > needed)
> > > * this includes regression fixes from 3.0.6 and 3.0.7
> > >
> >
> > If the huge package*.json changes aren't needed, then why are they
> > included? Your stable -> deb11u2 diff contains a *lot* of noise
> > with the changes to package-lock.json.
> >
> > Other than that, the patch does look like it's just the (still
> > quite large) changes from upstream relating to the CVE, so please go
> > ahead.
> >
> > Regards,
>
> Hi,
>
> no, that's the reverse, I cleaned deb11u1 patch in deb11u2, see
> https://bugs.debian.org/cgi-bin/bugreport.cgi?att=1;bug=1022122;filename=node-minimatch_3.0.4%2B~3.0.3-1%2Bdeb11u1%2Bdeb11u2.debdiff;msg=42
>
> (cumulative debdiff)
>
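Review bot: in the `@@ -280,7 +306,7 @@` hunk, replacing `- var hasMagic = !!options.nocase` with `+ var hasMagic = false` drops the `options.nocase` seed for `hasMagic`, so a nocase pattern that contains no glob characters now starts (and can finish) with `hasMagic` false where it previously started true; that is the behaviour change behind the node-glob autopkgtest regression reported earlier in this thread, and the upstream follow-up https://github.com/isaacs/minimatch/commit/e4cd4346 that Yadd proposes should ship in the same deb11u update rather than this hunk going out on its own.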
Right, apparently I was confused by the (not entirely clear, at least
to me) filenames.

Regards,

Adam