Package: release.debian.org
Severity: normal
X-Debbugs-Cc: node-brace-expans...@packages.debian.org, y...@debian.org
Control: affects -1 + src:node-brace-expansion
User: release.debian....@packages.debian.org
Usertags: unblock
Please unblock package node-brace-expansion

[ Reason ]
node-brace-expansion is vulnerable to a Regex DoS (#1107695, CVE-2025-5889)

[ Impact ]
Medium security issue

[ Tests ]
Test added in this patch

[ Risks ]
Low risk, patch is trivial and test passed

[ Checklist ]
  [X] all changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in testing

unblock node-brace-expansion/2.0.1+~1.1.0-2
diff --git a/debian/changelog b/debian/changelog index 8469a60..48af48f 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,11 @@ +node-brace-expansion (2.0.1+~1.1.0-2) unstable; urgency=medium + + * Declare compliance with policy 4.7.2 + * Fix potential ReDoS vulnerability or inefficient regular expression + (Closes: #1107695, CVE-2025-5889) + + -- Yadd <y...@debian.org> Thu, 12 Jun 2025 11:55:12 +0200 + node-brace-expansion (2.0.1+~1.1.0-1) unstable; urgency=medium * Team upload diff --git a/debian/control b/debian/control index 96d4fc6..da61939 100644 --- a/debian/control +++ b/debian/control @@ -7,7 +7,7 @@ Build-Depends: debhelper-compat (= 13) , dh-sequence-nodejs , node-balanced-match <!nocheck> , node-tape <!nocheck> -Standards-Version: 4.6.2 +Standards-Version: 4.7.2 Vcs-Browser: https://salsa.debian.org/js-team/node-brace-expansion Vcs-Git: https://salsa.debian.org/js-team/node-brace-expansion.git Homepage: https://github.com/juliangruber/brace-expansion diff --git a/debian/patches/CVE-2025-5889.patch b/debian/patches/CVE-2025-5889.patch new file mode 100644 index 0000000..9eaa54c --- /dev/null +++ b/debian/patches/CVE-2025-5889.patch 
@@ -0,0 +1,36 @@ +Description: fix potential ReDoS vulnerability or inefficient regular expression in project +Author: mmmsssttt404 <931121...@qq.com> +Origin: upstream, https://patch-diff.githubusercontent.com/raw/juliangruber/brace-expansion/pull/65 +Bug: https://github.com/juliangruber/brace-expansion/issues/66 +Bug-Debian: https://bugs.debian.org/1107695 +Forwarded: not-needed +Applied-Upstream: 2.0.2, https://github.com/juliangruber/brace-expansion/commit/36603d5f +Reviewed-By: Yadd <y...@debian.org> +Last-Update: 2025-06-12 + +--- a/index.js ++++ b/index.js +@@ -116,7 +116,7 @@ + var isOptions = m.body.indexOf(',') >= 0; + if (!isSequence && !isOptions) { + // {a},b} +- if (m.post.match(/,.*\}/)) { ++ if (m.post.match(/,(?!,).*\}/)) { + str = m.pre + '{' + m.body + escClose + m.post; + return expand(str); + } +--- /dev/null ++++ b/test/redos.js +@@ -0,0 +1,12 @@ ++import test from 'node:test' ++import assert from 'assert' ++import expand from '../index.js' ++ ++test('redos', function () { ++let str = "{a}" + ",".repeat(100000) + "\u0000"; ++ let startTime = performance.now(); ++ expand(str) ++ let endTime = performance.now(); ++ let timeTaken = endTime - startTime; ++ assert.ok(timeTaken < 10000, `Expected time (${timeTaken}ms) to be less than 10000ms`); ++}) diff --git a/debian/patches/series b/debian/patches/series new file mode 100644 index 0000000..d36590c --- /dev/null +++ b/debian/patches/series @@ -0,0 +1 @@ +CVE-2025-5889.patch
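Review bot: the Standards-Version bump from 4.6.2 to 4.7.2 in the debian/control hunk is unrelated to the CVE fix; for a freeze unblock the debdiff is easiest to accept when it is limited to the security change, so either state in the request that the bump is a no-op with no accompanying packaging changes, or drop it and keep the diff minimal.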
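Review bot: the DEP-3 Description in debian/patches/CVE-2025-5889.patch should say why the `(?!,)` lookahead in the index.js hunk is safe: it does not change which strings match, because any comma that eventually precedes a `}` belongs to a run of commas whose last member is followed by a non-comma, so the match simply starts at that comma instead; what it removes is restarting the `.*\}` scan at every comma of a long run, which is the quadratic case reported in #1107695. One sentence to that effect would save the next reviewer re-deriving it from the regex.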
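Review bot: in the test/redos.js hunk the `let str = ...` line is not indented like the rest of the test body, and the 10000 ms bound makes the assertion a loose, timing-based check that only covers the consecutive-comma input; the file also uses `import` and `node:test`, while debian/control build-depends only on node-tape, so it is worth stating in the request how this file was executed during the build, since "test passed" is the evidence offered for the fix.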