diff -Nru node-moment-2.20.1+ds/debian/changelog node-moment-2.20.1+ds/debian/changelog --- node-moment-2.20.1+ds/debian/changelog 2017-12-20 08:53:34.000000000 +0000 +++ node-moment-2.20.1+ds/debian/changelog 2022-07-22 22:08:31.000000000 +0100 @@ -1,3 +1,20 @@ +node-moment (2.20.1+ds-1ubuntu0.1~ppa1) bionic-security; urgency=medium + + * SECURITY UPDATE: Path traversal (LP: #1982617) + - debian/patches/CVE-2022-24785.patch: Avoid loading path-looking locales + from filesystem. + - CVE-2022-24785 + * SECURITY UPDATE: Denial of service via very long date string (LP: #1982617) + - debian/patches/CVE-2022-31129.patch: Make a regular expression more + efficient. + - CVE-2022-31129 + * debian/control: Add a build dependency on libjs-qunit. + * debian/rules: Add an override_dh_auto_test target that invokes + debian/run_test_suite. + * debian/run_test_suite: New file that invokes the upstream test suite. + + -- Luís Infante da Câmara Fri, 22 Jul 2022 22:08:31 +0100 + node-moment (2.20.1+ds-1) unstable; urgency=medium * New upstream release. diff -Nru node-moment-2.20.1+ds/debian/control node-moment-2.20.1+ds/debian/control --- node-moment-2.20.1+ds/debian/control 2017-12-20 08:53:34.000000000 +0000 +++ node-moment-2.20.1+ds/debian/control 2022-07-22 22:08:31.000000000 +0100 @@ -1,9 +1,10 @@ Source: node-moment Section: javascript Priority: optional -Maintainer: Debian Javascript Maintainers +Maintainer: Ubuntu Developers +XSBC-Original-Maintainer: Debian Javascript Maintainers Uploaders: Julien Puydt -Build-Depends: debhelper (>= 10), nodejs, uglifyjs +Build-Depends: debhelper (>= 10), nodejs, uglifyjs, libjs-qunit Standards-Version: 4.1.2.0 Homepage: https://github.com/moment/moment Vcs-Git: https://anonscm.debian.org/git/pkg-javascript/node-moment.git diff -Nru node-moment-2.20.1+ds/debian/patches/CVE-2022-24785.patch node-moment-2.20.1+ds/debian/patches/CVE-2022-24785.patch --- node-moment-2.20.1+ds/debian/patches/CVE-2022-24785.patch 1970-01-01 01:00:00.000000000 +0100 +++ node-moment-2.20.1+ds/debian/patches/CVE-2022-24785.patch 2022-07-22 22:08:31.000000000 +0100 @@ -0,0 +1,36 @@ +This patch was backported to the version in Ubuntu 18.04. + +From 4211bfc8f15746be4019bba557e29a7ba83d54c5 Mon Sep 17 00:00:00 2001 +From: Iskren Chernev +Date: Sun, 27 Mar 2022 14:46:47 +0300 +Subject: [PATCH] [bugfix] Avoid loading path-looking locales from fs + +--- + src/lib/locale/locales.js | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/src/lib/locale/locales.js b/src/lib/locale/locales.js +index 0d082327..b329b83b 100644 +--- a/src/lib/locale/locales.js ++++ b/src/lib/locale/locales.js +@@ -45,11 +45,16 @@ function chooseLocale(names) { + return null; + } + ++function isLocaleNameSane(name) { ++ // Prevent names that look like filesystem paths, i.e contain '/' or '\' ++ return name.match('^[^/\\\\]*$') != null; ++} ++ + function loadLocale(name) { + var oldLocale = null; + // TODO: Find a better way to register and load all the locales in Node + if (!locales[name] && (typeof module !== 'undefined') && +- module && module.exports) { ++ module && module.exports && isLocaleNameSane(name)) { + try { + oldLocale = globalLocale._abbr; + var aliasedRequire = require; +-- +2.17.1 + diff -Nru node-moment-2.20.1+ds/debian/patches/CVE-2022-31129.patch node-moment-2.20.1+ds/debian/patches/CVE-2022-31129.patch --- node-moment-2.20.1+ds/debian/patches/CVE-2022-31129.patch 1970-01-01 01:00:00.000000000 +0100 +++ node-moment-2.20.1+ds/debian/patches/CVE-2022-31129.patch 2022-07-22 22:08:31.000000000 +0100 @@ -0,0 +1,30 @@ +From 9a3b5894f3d5d602948ac8a02e4ee528a49ca3a3 Mon Sep 17 00:00:00 2001 +From: "Khang Vo (doublevkay)" <45411113+vovikhangcdv@users.noreply.github.com> +Date: Wed, 6 Jul 2022 22:28:25 +0700 +Subject: [PATCH] [bugfix] Fix redos in preprocessRFC2822 regex (#6015) + +* fix ReDoS in preprocessRFC2822 regex + +Fixes: [#2936](https://github.com/moment/moment/issues/6012) + +Disallow nested rfc2822 comments to prevent quadratic regex execution time (i.e each open bracket is considered at most twice). +--- + src/lib/create/from-string.js | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/lib/create/from-string.js b/src/lib/create/from-string.js +index 5c4d11f7..58739b9d 100644 +--- a/src/lib/create/from-string.js ++++ b/src/lib/create/from-string.js +@@ -128,7 +128,7 @@ function untruncateYear(yearStr) { + + function preprocessRFC2822(s) { + // Remove comments and folding whitespace and replace multiple-spaces with a single space +- return s.replace(/\([^)]*\)|[\n\t]/g, ' ').replace(/(\s\s+)/g, ' ').trim(); ++ return s.replace(/\([^()]*\)|[\n\t]/g, ' ').replace(/(\s\s+)/g, ' ').trim(); + } + + function checkWeekday(weekdayStr, parsedInput, config) { +-- +2.17.1 + diff -Nru node-moment-2.20.1+ds/debian/patches/series node-moment-2.20.1+ds/debian/patches/series --- node-moment-2.20.1+ds/debian/patches/series 1970-01-01 01:00:00.000000000 +0100 +++ node-moment-2.20.1+ds/debian/patches/series 2022-07-22 22:08:31.000000000 +0100 @@ -0,0 +1,2 @@ +CVE-2022-24785.patch +CVE-2022-31129.patch diff -Nru node-moment-2.20.1+ds/debian/rules node-moment-2.20.1+ds/debian/rules --- node-moment-2.20.1+ds/debian/rules 2017-12-20 08:53:34.000000000 +0000 +++ node-moment-2.20.1+ds/debian/rules 2022-07-22 22:08:31.000000000 +0100 @@ -9,3 +9,6 @@ override_dh_auto_build: uglifyjs moment.js -o moment.min.js uglifyjs min/moment-with-locales.js -o min/moment-with-locales.min.js + +override_dh_auto_test: + debian/run_test_suite diff -Nru node-moment-2.20.1+ds/debian/run_test_suite node-moment-2.20.1+ds/debian/run_test_suite --- node-moment-2.20.1+ds/debian/run_test_suite 1970-01-01 01:00:00.000000000 +0100 +++ node-moment-2.20.1+ds/debian/run_test_suite 2022-07-22 22:08:31.000000000 +0100 @@ -0,0 +1,4 @@ +#!/bin/sh -e +sed -Ei '1ivar QUnit = require("/usr/share/javascript/qunit/qunit.js");' min/tests.js +node min/tests.js +sed -Ei 1d min/tests.js