
Bug#1005007: bullseye-pu: package node-trim-newlines/3.0.0-1+deb11u1



Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian.org@packages.debian.org
Usertags: pu

[ Reason ]
Regex Denial of Service (CVE-2021-33623)

[ Impact ]
Medium vulnerability

[ Tests ]
Test passed

[ Risks ]
Low risk, patch is trivial

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

[ Changes ]
Replace regex with string parsing

Cheers,
Yadd
diff --git a/debian/changelog b/debian/changelog
index bfe52ab..84d1115 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+node-trim-newlines (3.0.0-1+deb11u1) bullseye; urgency=medium
+
+  * Team upload
+  * Fix Regex Denial of Service (Closes: CVE-2021-33623)
+
+ -- Yadd <yadd@debian.org>  Sat, 05 Feb 2022 12:23:20 +0100
+
 node-trim-newlines (3.0.0-1) unstable; urgency=medium
 
   * Team upload
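Review bot: `Closes:` on the line `* Fix Regex Denial of Service (Closes: CVE-2021-33623)` is the keyword the Debian BTS parses for bug numbers (`Closes: #NNNNNN`), so it does nothing with a CVE id, and the security tracker only needs the CVE id to appear in the entry text. Suggest `* Fix Regex Denial of Service (CVE-2021-33623)` and, if a Debian bug is open for this, a separate `Closes:` with that bug number.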
diff --git a/debian/patches/CVE-2021-33623.patch b/debian/patches/CVE-2021-33623.patch
new file mode 100644
index 0000000..8ce1174
--- /dev/null
+++ b/debian/patches/CVE-2021-33623.patch
@@ -0,0 +1,34 @@
+Description: fix ReDoS
+Author: upstream
+Bug: https://github.com/advisories/GHSA-7p7h-4mm5-852v
+Forwarded: not-needed
+Reviewed-By: Yadd <yadd@debian.org>
+Last-Update: 2022-02-05
+
+--- a/index.js
++++ b/index.js
+@@ -1,4 +1,13 @@
+ 'use strict';
+ module.exports = string => string.replace(/^[\r\n]+/, '').replace(/[\r\n]+$/, '');
+ module.exports.start = string => string.replace(/^[\r\n]+/, '');
+-module.exports.end = string => string.replace(/[\r\n]+$/, '');
++
++module.exports.end = string => {
++       let end = string.length;
++
++       while (end > 0 && (string[end - 1] === '\r' || string[end - 1] === '\n')) {
++               end--;
++       }
++
++       return end < string.length ? string.slice(0, end) : string;
++};
+--- a/package.json
++++ b/package.json
+@@ -1,6 +1,6 @@
+ {
+ 	"name": "trim-newlines",
+-	"version": "3.0.0",
++	"version": "3.0.1",
+ 	"description": "Trim newlines from the start and/or end of a string",
+ 	"license": "MIT",
+ 	"repository": "sindresorhus/trim-newlines",
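Review bot: the default export on the unchanged context line `module.exports = string => string.replace(/^[\r\n]+/, '').replace(/[\r\n]+$/, '');` still ends with the same `/[\r\n]+$/` regex that this hunk removes from `end`, so the combined trimmer keeps the quadratic backtracking on an input of many newlines followed by a non-newline character; only `.end()` is fixed by the patch. Suggest routing the default export through the new function, e.g. `module.exports = string => module.exports.end(string.replace(/^[\r\n]+/, ''));` (the `^`-anchored start regex is tried at offset 0 only and stays linear). The `Author: upstream` header and the `package.json` bump to 3.0.1 indicate the patch mirrors the upstream release; if keeping byte-for-byte parity with upstream is the goal, the remaining regex in the default export is worth a sentence in the patch `Description:` so the next reviewer does not have to rediscover it. The version bump itself also deserves a line there, since it makes the installed module report 3.0.1 while the Debian source version stays at 3.0.0-1+deb11u1.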
diff --git a/debian/patches/series b/debian/patches/series
index 2cdbeba..2063155 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1 +1,2 @@
 replace-ava-by-tape.patch
+CVE-2021-33623.patch

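As an added example that is not part of this bug report or of the trim-newlines package, the following block places the original regex `end()` beside the linear scan the patch introduces, extends the same scan to the start side and to the default export, and checks that regex and scan agree on a set of inputs constructed for this example. It also times both versions on the ReDoS trigger input (a long run of newlines followed by one non-newline character) so the quadratic growth is visible. The function names `endRegex`, `endLinear`, `startLinear`, `trimLinear`, `sameResults` and `timeMs` are this example's own, not the package's API.

```javascript
// Added example (not code from the Debian bug report or from trim-newlines):
// the ReDoS-prone regex next to a linear replacement, plus an equivalence
// check on constructed samples and a timing loop on the trigger input.

// Original end() from trim-newlines 3.0.0. On "\n".repeat(n) + "x" the engine
// starts [\r\n]+ at every newline offset, runs up to the "x", fails at $, then
// backtracks one character at a time before moving on: O(n^2) work in total.
const endRegex = string => string.replace(/[\r\n]+$/, '');

// Original start(): anchored with ^, so it is only attempted at offset 0 (linear).
const startRegex = string => string.replace(/^[\r\n]+/, '');

// Linear scan with the same behaviour as the patched end(): walk back over CR/LF once.
const endLinear = string => {
  let end = string.length;
  while (end > 0 && (string[end - 1] === '\r' || string[end - 1] === '\n')) {
    end--;
  }
  return end < string.length ? string.slice(0, end) : string;
};

// The same idea applied to the start, so a regex-free default export is possible.
const startLinear = string => {
  let start = 0;
  while (start < string.length && (string[start] === '\r' || string[start] === '\n')) {
    start++;
  }
  return start > 0 ? string.slice(start) : string;
};

// Drop-in replacement for the default export (trim both ends) built from the scans.
const trimLinear = string => endLinear(startLinear(string));

// Constructed sample inputs (assumption: representative of real callers, not from the report).
const SAMPLES = [
  '', '\n', '\r\n\r\n', 'x', 'x\n', '\nx', '\r\n x \r\n',
  'a\nb\r\nc', '\n\n\nabc\r\r\r', ' \n', '\n ', 'abc\n\n\n\n\n\nq',
];

// True when every sample trims identically under the regex and the linear scan,
// for end(), start() and the combined default export.
function sameResults(samples = SAMPLES) {
  return samples.every(s =>
    endRegex(s) === endLinear(s) &&
    startRegex(s) === startLinear(s) &&
    endRegex(startRegex(s)) === trimLinear(s));
}

// Wall-clock milliseconds for fn on "\n".repeat(n) + "x", the end() trigger input.
function timeMs(fn, n) {
  const input = '\n'.repeat(n) + 'x';
  const t0 = process.hrtime.bigint();
  fn(input);
  return Number(process.hrtime.bigint() - t0) / 1e6;
}

// Demo: doubling n should roughly quadruple the regex time and double the scan time.
console.log('regex and scan agree on samples:', sameResults());
for (const n of [1000, 2000, 4000]) {
  console.log(`n=${n}: regex ${timeMs(endRegex, n).toFixed(2)} ms, ` +
              `scan ${timeMs(endLinear, n).toFixed(3)} ms`);
}
```

The timing loop keeps `n` small so the demo finishes quickly; raising it to a few tens of thousands makes the regex version take seconds while the scan stays in the sub-millisecond range, which is the denial-of-service the advisory describes.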