On 04/12/2022 19:03, Adam D. Barratt wrote:
On Tue, 2022-11-29 at 11:14 +0100, Yadd wrote:
On 29/11/2022 10:56, Yadd wrote:
On 28/11/2022 22:11, Paul Gevers wrote:
Hi Yadd,
On Sat, 26 Nov 2022 13:01:22 +0000 Adam D Barratt <a...@adam-barratt.org.uk> wrote:
The upload referenced by this bug report has been flagged for
acceptance into the proposed-updates queue for Debian bullseye.
Thanks for your contribution!
Upload details
==============
Package: node-minimatch
Version: 3.0.4+~3.0.3-1+deb11u1
Explanation: improve protection against regular expression-based denial of service [CVE-2022-3517]
The upload breaks [1] the autopkgtest of node-glob. Can you have
a look?
[...]
the problem is in this part of minimatch.js patch:
@@ -280,7 +306,7 @@
if (pattern === '') return ''
var re = ''
- var hasMagic = !!options.nocase
+ var hasMagic = false
var escaping = false
// ? => one single character
var patternListStack = []
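Review bot: `var hasMagic = false` drops the dependence on `options.nocase` that the removed line had, and this is the change the thread traces the node-glob autopkgtest regression to; this line should not ship on its own, and the upstream follow-up commit https://github.com/isaacs/minimatch/commit/e4cd4346 named below should be applied alongside it before the deb11u1 patch is re-uploaded.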
We should apply this patch:
https://github.com/isaacs/minimatch/commit/e4cd4346
I'm going to prepare a new upload
Here is a new debdiff:
* this cleans the CVE-2022-3517 patch (package*.json changes not needed)
* this includes regression fixes from 3.0.6 and 3.0.7
If the huge package*.json changes aren't needed, then why are they
included? Your stable -> deb11u2 diff contains a *lot* of noise with
the changes to package-lock.json.
Other than that, the patch does look like it's just the (still quite
large) changes from upstream relating to the CVE, so please go ahead.
Regards,
Hi,
No, that's the reverse: I cleaned the deb11u1 patch in deb11u2, see
https://bugs.debian.org/cgi-bin/bugreport.cgi?att=1;bug=1022122;filename=node-minimatch_3.0.4%2B~3.0.3-1%2Bdeb11u1%2Bdeb11u2.debdiff;msg=42
(cumulative debdiff)
Cheers,
Yadd