Bug 1552148

Summary: nodejs-diff: Regular expression denial-of-service
Product: [Other] Security Response
Reporter: Andrej Nemec <anemec>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX
Severity: medium
Priority: medium
Version: unspecified
CC: tchollingsworth
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Fixed In Version: nodejs-diff 3.5.0
Doc Type: If docs needed, set a value
Story Points: ---
Last Closed: 2019-06-10 10:16:32 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 1552149, 1552150, 1552151

Description Andrej Nemec 2018-03-06 15:23:21 UTC
It was found that affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) attacks. This can cause an impact of about 10 seconds of matching time for data 48K characters long.

References:

https://snyk.io/vuln/npm:diff:20180305

Upstream patch:

https://github.com/kpdecker/jsdiff/commit/2aec4298639bf30fb88a00b356bf404d3551b8c0
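
Added illustration, not code from jsdiff/nodejs-diff and not the expression changed in the upstream patch (which this report does not reproduce): a constructed regex with the classic quadratic worst case behind the "seconds of matching time on tens of kilobytes" symptom, a linear replacement, an input-length guard for when the pattern itself cannot be changed, and a small timing diagnostic that shows how matching time grows as the input doubles. The pattern, MAX_REGEX_INPUT and the helper names are assumptions made for the illustration.

```javascript
'use strict';
// Added example, not code from jsdiff/nodejs-diff: it shows the shape of the
// regex denial of service class named in this report and two mitigations.
// The pattern below is a constructed stand-in with a well-known quadratic
// worst case; it is NOT the expression changed in nodejs-diff 3.5.0.

// Unanchored start plus a greedy run that can fail at the end: for n spaces
// followed by a non-space the engine retries from every offset and rescans
// to the end each time, so matching costs O(n^2).
const TRAILING_WS_SLOW = /\s+$/;

// Constructed worst-case input: n whitespace characters, then one 'x'.
function worstCase(n) {
  return ' '.repeat(n) + 'x';
}

// Mitigation 1: replace the regex with a single backwards scan (O(n)).
// Produces the same result as s.replace(TRAILING_WS_SLOW, '') for every input.
function stripTrailingWhitespace(s) {
  let end = s.length;
  while (end > 0 && /\s/.test(s[end - 1])) end--;
  return s.slice(0, end);
}

// Mitigation 2: when the regex cannot be changed, bound the input before
// matching and fail closed. The limit is an assumed value for illustration.
const MAX_REGEX_INPUT = 10000;
function safeTest(re, input) {
  if (typeof input !== 'string') return false;
  if (input.length > MAX_REGEX_INPUT) {
    throw new RangeError(
      `refusing to match ${input.length} chars (limit ${MAX_REGEX_INPUT})`);
  }
  return re.test(input);
}

// Diagnostic: how matching time grows when the input length doubles.
// Roughly 2x means linear, roughly 4x means quadratic, far more means
// exponential backtracking. Timings are noisy; treat the ratio as a signal.
function growthRatio(re, makeInput, n) {
  const now = () =>
    (typeof performance !== 'undefined' ? performance.now() : Date.now());
  const timeOne = (len) => {
    const input = makeInput(len);
    const start = now();
    re.test(input);
    return now() - start;
  };
  const small = timeOne(n);       // measure the small input first (warm-up)
  const large = timeOne(2 * n);
  return large / small;
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const n of [2000, 4000, 8000]) {
    const ratio = growthRatio(TRAILING_WS_SLOW, worstCase, n);
    console.log(`${n} -> ${2 * n} chars: matching time grew ${ratio.toFixed(1)}x`);
  }
  console.log(JSON.stringify(stripTrailingWhitespace('diff output \t\n')));
  try {
    safeTest(TRAILING_WS_SLOW, worstCase(48 * 1024));
  } catch (e) {
    console.log(e.message);
  }
}
```

Run with node. On the constructed input the growth ratio for TRAILING_WS_SLOW approaches 4 per doubling, which is the superlinear signature that turns a 48K input into a multi-second match; the scan-based replacement and the length cap each remove the attacker's control over matching time.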

Comment 1 Andrej Nemec 2018-03-06 15:23:39 UTC
Created nodejs-diff tracking bugs for this issue:

Affects: fedora-all [bug 1552150]
Affects: epel-all [bug 1552149]