Bug 1348509 (CVE-2016-1000023)

Summary: CVE-2016-1000023 nodejs-minimatch: Regular expression denial-of-service
Product: [Other] Security Response Reporter: Andrej Nemec <anemec>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: bleanhar, ccoleman, dmcphers, hhorak, jialiu, jkeck, jokerman, jorton, kseifried, lmeyer, mmccomas, nodejs-sig, tchollingsworth, tdawson, thrcka, zsvetlik
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: nodejs-minimatch 3.0.2 Doc Type: If docs needed, set a value
Doc Text:
A regular expression denial of service flaw was found in Minimatch. An attacker able to make an application using Minimatch to perform matching using a specially crafted glob pattern could cause the application to consume an excessive amount of CPU.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2016-09-15 19:51:42 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1348511, 1348512, 1352697, 1352702, 1353805, 1355781, 1359188, 1359189    
Bug Blocks: 1348515    

Description Andrej Nemec 2016-06-21 10:55:20 UTC 
Minimatch is a minimal matching utility that works by converting glob expressions into JavaScript RegExp objects. The primary function, minimatch(path, pattern) is vulnerable to ReDoS in the pattern parameter. This is because of the regular expression on line 521 of minimatch.js: /((?:\\{2})*)(\\?)\|/g,. The problematic portion of the regex is ((?:\\{2})*) which matches against //.

External references:

https://nodesecurity.io/advisories/118
Comment 1 Andrej Nemec 2016-06-21 10:55:56 UTC 
Created nodejs-minimatch tracking bugs for this issue:

Affects: fedora-all [bug 1348511]
Affects: epel-all [bug 1348512]
Comment 5 Tomas Hoger 2016-07-08 12:42:06 UTC 
Upstream commit:

https://github.com/isaacs/minimatch/commit/6944abf9e0694bd22fd9dad293faa40c2bc8a955

Change of the regex does not seem to make much difference, the pattern length restriction is needed to block this issue.
Comment 10 errata-xmlrpc 2016-08-09 10:04:36 UTC 
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 6.6 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 6
  Red Hat Software Collections for Red Hat Enterprise Linux 7.2 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.1 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7

Via RHSA-2016:1583 https://rhn.redhat.com/errata/RHSA-2016-1583.html
Comment 11 errata-xmlrpc 2016-08-09 10:04:57 UTC 
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 6.6 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 6
  Red Hat Software Collections for Red Hat Enterprise Linux 7.2 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.1 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7

Via RHSA-2016:1582 https://rhn.redhat.com/errata/RHSA-2016-1582.html
Comment 12 errata-xmlrpc 2016-08-11 17:18:18 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Enterprise 3.2
  Red Hat OpenShift Enterprise 3.1

Via RHSA-2016:1605 https://access.redhat.com/errata/RHSA-2016:1605