Bug 1348509 (CVE-2016-1000023) - CVE-2016-1000023 nodejs-minimatch: Regular expression denial-of-service
Summary: CVE-2016-1000023 nodejs-minimatch: Regular expression denial-of-service
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2016-1000023
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1348511 1348512 1352697 1352702 1353805 1355781 1359188 1359189
Blocks: 1348515
TreeView+ depends on / blocked
 
Reported: 2016-06-21 10:55 UTC by Andrej Nemec
Modified: 2021-02-17 03:41 UTC (History)
16 users (show)

Fixed In Version: nodejs-minimatch 3.0.2
Doc Type: If docs needed, set a value
Doc Text:
A regular expression denial of service flaw was found in Minimatch. An attacker able to make an application using Minimatch to perform matching using a specially crafted glob pattern could cause the application to consume an excessive amount of CPU.
Clone Of:
Environment:
Last Closed: 2016-09-15 19:51:42 UTC
Embargoed:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2016:1582 0 normal SHIPPED_LIVE Moderate: nodejs010-nodejs-minimatch security update 2016-08-09 14:04:18 UTC
Red Hat Product Errata RHSA-2016:1583 0 normal SHIPPED_LIVE Moderate: rh-nodejs4-nodejs-minimatch security update 2016-08-09 14:02:23 UTC
Red Hat Product Errata RHSA-2016:1605 0 normal SHIPPED_LIVE Moderate: Red Hat OpenShift Enterprise security update 2016-08-11 21:17:27 UTC

Description Andrej Nemec 2016-06-21 10:55:20 UTC
Minimatch is a minimal matching utility that works by converting glob expressions into JavaScript RegExp objects. The primary function, minimatch(path, pattern) is vulnerable to ReDoS in the pattern parameter. This is because of the regular expression on line 521 of minimatch.js: /((?:\\{2})*)(\\?)\|/g,. The problematic portion of the regex is ((?:\\{2})*) which matches against //.

External references:

https://nodesecurity.io/advisories/118

Comment 1 Andrej Nemec 2016-06-21 10:55:56 UTC
Created nodejs-minimatch tracking bugs for this issue:

Affects: fedora-all [bug 1348511]
Affects: epel-all [bug 1348512]

Comment 5 Tomas Hoger 2016-07-08 12:42:06 UTC
Upstream commit:

https://github.com/isaacs/minimatch/commit/6944abf9e0694bd22fd9dad293faa40c2bc8a955

Change of the regex does not seem to make much difference, the pattern length restriction is needed to block this issue.

Comment 10 errata-xmlrpc 2016-08-09 10:04:36 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 6.6 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 6
  Red Hat Software Collections for Red Hat Enterprise Linux 7.2 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.1 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7

Via RHSA-2016:1583 https://rhn.redhat.com/errata/RHSA-2016-1583.html

Comment 11 errata-xmlrpc 2016-08-09 10:04:57 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 6.6 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 6
  Red Hat Software Collections for Red Hat Enterprise Linux 7.2 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.1 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7

Via RHSA-2016:1582 https://rhn.redhat.com/errata/RHSA-2016-1582.html

Comment 12 errata-xmlrpc 2016-08-11 17:18:18 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Enterprise 3.2
  Red Hat OpenShift Enterprise 3.1

Via RHSA-2016:1605 https://access.redhat.com/errata/RHSA-2016:1605


Note You need to log in before you can comment on or make changes to this bug.