Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian....@packages.debian.org
Usertags: pu

This proposed stable update fixes security bug #862712, a regular expression denial of service in node-brace-expansion.
The debdiff is attached.

-- System Information:
Debian Release: 9.0
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-3-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8),
LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Init: systemd (via /run/systemd/system)

diff -Nru node-brace-expansion-1.1.6/debian/changelog 
node-brace-expansion-1.1.6/debian/changelog
--- node-brace-expansion-1.1.6/debian/changelog 2016-10-25 22:29:22.000000000 
+0530
+++ node-brace-expansion-1.1.6/debian/changelog 2017-07-26 15:46:15.000000000 
+0530
@@ -1,3 +1,9 @@
+node-brace-expansion (1.1.6-1+deb9u1) stretch; urgency=medium
+
+  * Fix regular expression denial of service issue (Closes: 862712)
+
+ -- Sruthi Chandran <s...@disroot.org>  Wed, 26 Jul 2017 15:46:15 +0530
+
 node-brace-expansion (1.1.6-1) unstable; urgency=low
 
   [ Bas Couwenberg ]
diff -Nru node-brace-expansion-1.1.6/debian/patches/fix-regex-DoS.patch 
node-brace-expansion-1.1.6/debian/patches/fix-regex-DoS.patch
--- node-brace-expansion-1.1.6/debian/patches/fix-regex-DoS.patch       
1970-01-01 05:30:00.000000000 +0530
+++ node-brace-expansion-1.1.6/debian/patches/fix-regex-DoS.patch       
2017-07-26 15:46:15.000000000 +0530
@@ -0,0 +1,23 @@
+From b13381281cead487cbdbfd6a69fb097ea5e456c3 Mon Sep 17 00:00:00 2001
+From: "mengyuan.ymy" <mengyuan....@alibaba-inc.com>
+Date: Fri, 7 Apr 2017 10:32:55 +0800
+Subject: [PATCH] fix bug in
+ https://github.com/juliangruber/brace-expansion/issues/33
+
+---
+ index.js | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/index.js b/index.js
+index 955f27c..0478be8 100644
+--- a/index.js
++++ b/index.js
+@@ -106,7 +106,7 @@ function expand(str, isTop) {
+   var isNumericSequence = /^-?\d+\.\.-?\d+(?:\.\.-?\d+)?$/.test(m.body);
+   var isAlphaSequence = /^[a-zA-Z]\.\.[a-zA-Z](?:\.\.-?\d+)?$/.test(m.body);
+   var isSequence = isNumericSequence || isAlphaSequence;
+-  var isOptions = /^(.*,)+(.+)?$/.test(m.body);
++  var isOptions = m.body.indexOf(',') >= 0;
+   if (!isSequence && !isOptions) {
+     // {a},b}
+     if (m.post.match(/,.*\}/)) {
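Review bot: The context line `if (m.post.match(/,.*\}/))` just below the changed line still runs an unanchored `.*` regex over caller-supplied text, so the patch removes the `(.*,)+` backtracking reported in #862712 but may leave a slower-than-linear match on long `m.post` values. That is worth confirming with a timing regression test on long input before the changelog describes the DoS as fixed. The new `m.body.indexOf(',') >= 0` test is also slightly broader than the old regex: `.` never matched a newline, so a multi-line body containing a comma now counts as options. This is presumably harmless, but the patch header should say so. For traceability I would add DEP-3 fields to the patch header, e.g. `Bug: https://github.com/juliangruber/brace-expansion/issues/33` and `Bug-Debian: https://bugs.debian.org/862712`. The body of `expand` starts and ends outside this hunk.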
diff -Nru node-brace-expansion-1.1.6/debian/patches/series 
node-brace-expansion-1.1.6/debian/patches/series
--- node-brace-expansion-1.1.6/debian/patches/series    1970-01-01 
05:30:00.000000000 +0530
+++ node-brace-expansion-1.1.6/debian/patches/series    2017-07-26 
15:46:15.000000000 +0530
@@ -0,0 +1 @@
+fix-regex-DoS.patch
