Bug#1005007: bullseye-pu: package node-trim-newlines/3.0.0-1+deb11u1
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian.org@packages.debian.org
Usertags: pu
[ Reason ]
Regex Denial of Service (CVE-2021-33623)
[ Impact ]
Medium vulnerability
[ Tests ]
Test passed
[ Risks ]
Low risk, patch is trivial
[ Checklist ]
[X] *all* changes are documented in the d/changelog
[X] I reviewed all changes and I approve them
[X] attach debdiff against the package in (old)stable
[X] the issue is verified as fixed in unstable
[ Changes ]
Replace regex with string parsing
Cheers,
Yadd
diff --git a/debian/changelog b/debian/changelog
index bfe52ab..84d1115 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+node-trim-newlines (3.0.0-1+deb11u1) bullseye; urgency=medium
+
+ * Team upload
+ * Fix Regex Denial of Service (Closes: CVE-2021-33623)
+
+ -- Yadd <yadd@debian.org> Sat, 05 Feb 2022 12:23:20 +0100
+
node-trim-newlines (3.0.0-1) unstable; urgency=medium
* Team upload
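Review bot: the changelog entry on the `Fix Regex Denial of Service (Closes: CVE-2021-33623)` line uses `Closes:` with a CVE id, but `Closes:` is parsed for Debian bug numbers (`Closes: #NNNNNN`) and a CVE id after it closes nothing in the BTS; the usual form is to cite the identifier plainly, e.g. `* Fix Regex Denial of Service (CVE-2021-33623)`, adding `Closes: #NNNNNN` only if a Debian bug for this issue exists.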
diff --git a/debian/patches/CVE-2021-33623.patch b/debian/patches/CVE-2021-33623.patch
new file mode 100644
index 0000000..8ce1174
--- /dev/null
+++ b/debian/patches/CVE-2021-33623.patch
@@ -0,0 +1,34 @@
+Description: fix ReDoS
+Author: upstream
+Bug: https://github.com/advisories/GHSA-7p7h-4mm5-852v
+Forwarded: not-needed
+Reviewed-By: Yadd <yadd@debian.org>
+Last-Update: 2022-02-05
+
+--- a/index.js
++++ b/index.js
+@@ -1,4 +1,13 @@
+ 'use strict';
+ module.exports = string => string.replace(/^[\r\n]+/, '').replace(/[\r\n]+$/, '');
+ module.exports.start = string => string.replace(/^[\r\n]+/, '');
+-module.exports.end = string => string.replace(/[\r\n]+$/, '');
++
++module.exports.end = string => {
++ let end = string.length;
++
++ while (end > 0 && (string[end - 1] === '\r' || string[end - 1] === '\n')) {
++ end--;
++ }
++
++ return end < string.length ? string.slice(0, end) : string;
++};
+--- a/package.json
++++ b/package.json
+@@ -1,6 +1,6 @@
+ {
+ "name": "trim-newlines",
+- "version": "3.0.0",
++ "version": "3.0.1",
+ "description": "Trim newlines from the start and/or end of a string",
+ "license": "MIT",
+ "repository": "sindresorhus/trim-newlines",
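Review bot: the hunk replaces `/[\r\n]+$/` in `end` with a linear backwards scan, but the unchanged default export on the ` module.exports = string => ...` context line still calls `.replace(/[\r\n]+$/, '')`, the same trailing-newline pattern this hunk removes; if that pattern is the one exhibiting quadratic backtracking, the default export keeps it while only `end` is fixed, so consider routing the default export through the new helpers, e.g. `module.exports = string => module.exports.end(module.exports.start(string));`. As a DEP-3 style point, `Author: upstream` is not a name; when the change is taken from upstream the header to use is `Origin: upstream, <commit URL>`, which also makes `Forwarded: not-needed` self-explanatory.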
diff --git a/debian/patches/series b/debian/patches/series
index 2cdbeba..2063155 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1 +1,2 @@
replace-ava-by-tape.patch
+CVE-2021-33623.patch