[Pkg-javascript-devel] Bug#927716: Bug#927716: CVE-2018-1109

Xavier yadd at debian.org
Fri Apr 26 18:52:55 BST 2019


On 26/04/2019 at 19:40, Xavier wrote:
> [...]
> Hello,
> 
> The regex that causes CVE-2018-1109 was introduced in upstream version
> 2.2.0, commit dcc1acab [1]. So Buster node-braces seems not concerned by
> this CVE.
> 
> https://snyk.io/vuln/npm:braces:20180219 extract:
> 
>> braces is a Bash-like brace expansion, implemented in JavaScript.
>>
>> Affected versions of this package are vulnerable to Regular Expression
>> Denial of Service (ReDoS) attacks. It used a regular expression
>> (^\{(,+(?:(\{,+\})*),*|,*(?:(\{,+\})*),+)\}) in order to detect empty
>> braces. This can cause an impact of about 10 seconds matching time for
>> data 50K characters long.
> 
>  [...]
> 
> No regexp in 2.0.2 contains such expression.
> 
> Time to close this issue?
> 
> Cheers,
> Xavier
> 
> [1]:
> https://github.com/micromatch/braces/commit/dcc1acab4de9a43e86ab4be4acde209ff1dca113
> [2]:
> https://github.com/micromatch/braces/commit/abdafb0cae1e0c00f184abbadc692f4eaa98f451

Confirmed by https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-1109
