Bug 989995 (CVE-2016-1000023)

Summary: VUL-1: CVE-2016-1000023: nodejs: Regular expression denial-of-service
Product: [Novell Products] SUSE Security Incidents
Reporter: Johannes Segitz <jsegitz>
Component: Incidents
Assignee: Jordi Massaguer <jmassaguerpla>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P4 - Low
CC: qantas94heavy, smash_bz
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/170967/
Whiteboard: CVSSv2:RedHat:CVE-2016-1000023:4.3:(AV:N/AC:M/Au:N/C:N/I:N/A:P) CVSSv2:SUSE:CVE-2016-1000023:4.3:(AV:N/AC:M/Au:N/C:N/I:N/A:P)
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Johannes Segitz 2016-07-21 13:00:30 UTC
rh#1348509

Minimatch is a minimal matching utility that works by converting glob expressions into JavaScript RegExp objects. The primary function, minimatch(path, pattern) is vulnerable to ReDoS in the pattern parameter. This is because of the regular expression on line 521 of minimatch.js: /((?:\\{2})*)(\\?)\|/g,. The problematic portion of the regex is ((?:\\{2})*) which matches against //.

Fix: https://github.com/isaacs/minimatch/commit/6944abf9e0694bd22fd9dad293faa40c2bc8a955

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1348509
https://nodesecurity.io/advisories/118
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-1000023
http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-1000023.html
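Added example (not code from minimatch, the upstream commit or this report): the escape step that the regex quoted above drives in minimatch's parse routine, run once with the original unbounded group and once with the repetition capped at 64 escaped-backslash pairs, which is what I recall the linked fix doing (treat the cap value and the rewrite body as assumptions). The timing helper shows why the cap matters: on a long run of backslashes with no "|", the unbounded form backtracks through every pair count at every offset and scan time grows quadratically, while the capped form stays linear.

```javascript
// Added example, not minimatch's own source. The regex from the bug report,
// and an assumed bounded variant mirroring the upstream fix.
const UNBOUNDED = /((?:\\{2})*)(\\?)\|/g;
const BOUNDED = /((?:\\{2}){0,64})(\\?)\|/g;

// The rewrite the regex feeds: ensure every "|" is escaped exactly once,
// re-escaping the preceding even run of backslashes by repeating it.
// (Body assumed from the minimatch parse routine; hypothetical name.)
function escapeBars(tail, re) {
  return tail.replace(re, (_, evenRun, single) => {
    if (!single) single = '\\'; // the "|" was not escaped yet
    return evenRun + evenRun + single + '|';
  });
}

// Wall-clock milliseconds for one scan of a constructed pathological tail:
// n backslashes and no "|", so no match is ever found.
function scanMillis(re, n) {
  const tail = '\\'.repeat(n); // constructed input
  const start = process.hrtime.bigint();
  escapeBars(tail, re);
  return Number(process.hrtime.bigint() - start) / 1e6;
}

// Ratio of scan time when the input doubles: about 2 means linear,
// about 4 means quadratic. A cheap regression check for the regex.
function growthRatio(re, n) {
  return scanMillis(re, 2 * n) / scanMillis(re, n);
}

// Caveat: for runs longer than 128 backslashes before a "|" the capped
// group can no longer swallow the whole run, so the two rewrites differ;
// such patterns are not realistic globs, which is why the cap is acceptable.
for (const n of [2000, 4000]) {
  console.log(`n=${n}: unbounded ${scanMillis(UNBOUNDED, n).toFixed(2)} ms,` +
              ` bounded ${scanMillis(BOUNDED, n).toFixed(2)} ms`);
}
```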
Comment 1 Swamp Workflow Management 2016-07-21 22:01:16 UTC
bugbot adjusting priority
Comment 2 Jordi Massaguer 2016-07-22 14:13:22 UTC
I've asked upstream for an update

https://github.com/nodejs/node/issues/7836
Comment 3 Jordi Massaguer 2016-07-22 14:24:29 UTC
answer from upstream (nodejs)

"Note that the impact of this in npm bundled with Node.js is negligible — that one is used only for package management, not as a library, and there is entirely no need for a malicious package to even bother with something like ReDOS."

So I guess we can just wait for an upstream update given this should have a lower priority, right?
Comment 4 Johannes Segitz 2016-07-25 09:56:15 UTC
(In reply to Jordi Massaguer from comment #3)
Yes, it's already tagged as VUL-1, so we'll just include it in the next update.
Comment 5 Karl Cheng 2017-03-17 07:39:08 UTC
All current npm packages now have minimatch 3.0.3, which includes the fix for this bug.