Bugzilla – Bug 989995
VUL-1: CVE-2016-1000023: nodejs: Regular expression denial-of-service
Last modified: 2017-03-17 15:43:17 UTC
rh#1348509

Minimatch is a minimal matching utility that works by converting glob expressions into JavaScript RegExp objects. The primary function, minimatch(path, pattern), is vulnerable to ReDoS in the pattern parameter. This is because of the regular expression on line 521 of minimatch.js: /((?:\\{2})*)(\\?)\|/g,. The problematic portion of the regex is ((?:\\{2})*) which matches against //.

Fix: https://github.com/isaacs/minimatch/commit/6944abf9e0694bd22fd9dad293faa40c2bc8a955

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1348509
https://nodesecurity.io/advisories/118
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-1000023
http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-1000023.html
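An added example, not minimatch's own code and not part of this report, placing the regex quoted above beside a variant whose repeated-backslash group is bounded, which is the shape of the upstream fix; the bound of 64 and the replacement callback are assumptions, not a copy of the library:

```javascript
// VULNERABLE is the regex quoted in the report; BOUNDED caps the repeated
// backslash-pair group (assumption: the upstream fix uses a bound of 64).
// The callback mirrors the intent of escaping an unescaped '|' while
// re-escaping the even run of backslashes before it (also an assumption).
const VULNERABLE = /((?:\\{2})*)(\\?)\|/g;
const BOUNDED = /((?:\\{2}){0,64})(\\?)\|/g;

function escapePipes(tail, re) {
  return tail.replace(re, (_, pairs, esc) => {
    if (!esc) esc = '\\';              // '|' was not escaped: escape it now
    return pairs + pairs + esc + '|';  // repeating an even run re-escapes it
  });
}

// Constructed inputs covering each escaping form the regex distinguishes.
const SAMPLES = ['a|b', 'a\\|b', 'a\\\\|b', 'a\\\\\\|b', 'x|y|z', 'no bar'];

// A bounded fix is only safe if it agrees with the original on normal input.
function fixPreservesBehaviour() {
  return SAMPLES.every((s) => escapePipes(s, VULNERABLE) === escapePipes(s, BOUNDED));
}

function millis(fn) {
  const t0 = process.hrtime.bigint();
  fn();
  return Number(process.hrtime.bigint() - t0) / 1e6;
}

// Worst case for the unbounded group: a long run of backslashes with no '|'.
// The /g replace retries the group from every offset, so the work grows
// quadratically with n for VULNERABLE and only linearly (n * 64) for BOUNDED.
function compare(n) {
  const run = '\\'.repeat(n);  // constructed input
  return {
    vulnerableMs: millis(() => escapePipes(run, VULNERABLE)),
    boundedMs: millis(() => escapePipes(run, BOUNDED)),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('behaviour preserved:', fixPreservesBehaviour());
  for (const n of [2000, 8000, 16000]) console.log(n, compare(n));
}
```

The timings are for the reader's own run and will vary by machine; the check that matters for a fix like this is that the outputs stay identical while the growth in time with n flattens.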
bugbot adjusting priority
I've asked upstream for an update https://github.com/nodejs/node/issues/7836
Answer from upstream (nodejs): "Note that the impact of this in npm bundled with Node.js is negligible — that one is used only for package management, not as a library, and there is entirely no need for a malicious package to even bother with something like ReDOS." So I guess we can just wait for an upstream update given this should have a lower priority, right?
(In reply to Jordi Massaguer from comment #3) Yes, it's already tagged as VUL-1, so we'll just include it in the next update.
All current npm packages now have minimatch 3.0.3, which includes the fix for this bug.