Bug 989995 - (CVE-2016-1000023) VUL-1: CVE-2016-1000023: nodejs: Regular expression denial-of-service
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Priority: P4 - Low, Severity: Normal
Assigned To: Jordi Massaguer
Reported: 2016-07-21 13:00 UTC by Johannes Segitz
Modified: 2017-03-17 15:43 UTC
Found By: Security Response Team
Description Johannes Segitz 2016-07-21 13:00:30 UTC

Minimatch is a minimal matching utility that works by converting glob expressions into JavaScript RegExp objects. The primary function, minimatch(path, pattern), is vulnerable to ReDoS in the pattern parameter. This is because of the regular expression on line 521 of minimatch.js: /((?:\\{2})*)(\\?)\|/g. The problematic portion of the regex is ((?:\\{2})*), which matches against //.

Fix: https://github.com/isaacs/minimatch/commit/6944abf9e0694bd22fd9dad293faa40c2bc8a955
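A worked illustration of the escape-counting logic behind that regex, added here and not taken from minimatch or the linked commit: the reported pattern next to a bounded variant and a length cap. BOUNDED_RE, MAX_PATTERN_LENGTH and the marker functions are assumed mitigations for illustration, not a description of what the upstream change actually does.

```javascript
// Added example, not minimatch's own code. VULNERABLE_RE is the regex quoted
// in the report; BOUNDED_RE and MAX_PATTERN_LENGTH are an assumed mitigation
// (bounded quantifier plus an input-size cap), not a claim about the upstream fix.
const VULNERABLE_RE = /((?:\\{2})*)(\\?)\|/g;    // "*" lets backtracking grow with the run of backslashes
const BOUNDED_RE = /((?:\\{2}){0,64})(\\?)\|/g;  // at most 64 pairs per match attempt: bounded work
const MAX_PATTERN_LENGTH = 1024 * 64;             // assumed cap; reject oversized patterns before any regex runs

// What the regex decides: a "|" preceded by an even number of backslashes is
// an unescaped alternation; an odd number means the "|" itself is escaped.
// The callback keeps escaped "|" as-is and marks unescaped ones with <ALT>.
function markAlternations(pattern, re) {
  return pattern.replace(re, (_, pairs, esc) =>
    esc ? `${pairs}\\|` : `${pairs}<ALT>`);
}

// Hardened entry point: type and length checks first, then the bounded regex.
function markAlternationsSafe(pattern) {
  if (typeof pattern !== 'string') throw new TypeError('pattern must be a string');
  if (pattern.length > MAX_PATTERN_LENGTH) throw new TypeError('pattern is too long');
  return markAlternations(pattern, BOUNDED_RE);
}

// Constructed sample patterns: both regexes must agree on ordinary input, so the
// bounded form is a drop-in replacement for anything a realistic glob contains.
const SAMPLES = ['a|b', 'a\\|b', 'a\\\\|b', 'a\\\\\\|b', '+(x|y)|z'];
function bothAgree() {
  return SAMPLES.every(p =>
    markAlternations(p, VULNERABLE_RE) === markAlternations(p, BOUNDED_RE));
}
```

The two regexes only diverge on patterns with more than 64 consecutive backslash pairs before a "|", which no real glob needs; the length cap stops such input before either regex runs.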

Comment 1 Swamp Workflow Management 2016-07-21 22:01:16 UTC
bugbot adjusting priority
Comment 2 Jordi Massaguer 2016-07-22 14:13:22 UTC
I've asked upstream for an update

Comment 3 Jordi Massaguer 2016-07-22 14:24:29 UTC
Answer from upstream (nodejs):

"Note that the impact of this in npm bundled with Node.js is negligible — that one is used only for package management, not as a library, and there is entirely no need for a malicious package to even bother with something like ReDOS."

So I guess we can just wait for an upstream update given this should have a lower priority, right?
Comment 4 Johannes Segitz 2016-07-25 09:56:15 UTC
(In reply to Jordi Massaguer from comment #3)
Yes, it's already tagged as VUL-1, so we'll just include it in the next update.
Comment 5 Karl Cheng 2017-03-17 07:39:08 UTC
All current npm packages now have minimatch 3.0.3, which includes the fix for this bug.