Minimatch is a minimal matching utility that works by converting glob expressions into JavaScript RegExp objects. The primary function, minimatch(path, pattern) is vulnerable to ReDoS in the pattern parameter. This is because of the regular expression on line 521 of minimatch.js: /((?:\\{2})*)(\\?)\|/g,. The problematic portion of the regex is ((?:\\{2})*) which matches against //. External references: https://nodesecurity.io/advisories/118
Created nodejs-minimatch tracking bugs for this issue: Affects: fedora-all [bug 1348511] Affects: epel-all [bug 1348512]
Upstream commit: https://github.com/isaacs/minimatch/commit/6944abf9e0694bd22fd9dad293faa40c2bc8a955 Change of the regex does not seem to make much difference, the pattern length restriction is needed to block this issue.
This issue has been addressed in the following products: Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS Red Hat Software Collections for Red Hat Enterprise Linux 6.6 EUS Red Hat Software Collections for Red Hat Enterprise Linux 6 Red Hat Software Collections for Red Hat Enterprise Linux 7.2 EUS Red Hat Software Collections for Red Hat Enterprise Linux 7.1 EUS Red Hat Software Collections for Red Hat Enterprise Linux 7 Via RHSA-2016:1583 https://rhn.redhat.com/errata/RHSA-2016-1583.html
This issue has been addressed in the following products: Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS Red Hat Software Collections for Red Hat Enterprise Linux 6.6 EUS Red Hat Software Collections for Red Hat Enterprise Linux 6 Red Hat Software Collections for Red Hat Enterprise Linux 7.2 EUS Red Hat Software Collections for Red Hat Enterprise Linux 7.1 EUS Red Hat Software Collections for Red Hat Enterprise Linux 7 Via RHSA-2016:1582 https://rhn.redhat.com/errata/RHSA-2016-1582.html
This issue has been addressed in the following products: Red Hat OpenShift Enterprise 3.2 Red Hat OpenShift Enterprise 3.1 Via RHSA-2016:1605 https://access.redhat.com/errata/RHSA-2016:1605