Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian....@packages.debian.org
Usertags: pu
[ Reason ]
node-prismjs is vulnerable to a Regex Denial of Service (ReDoS) (CVE-2021-40438)

[ Impact ]
Little vulnerability

[ Tests ]
No test change, passed.

[ Risks ]
No risk, patch is trivial

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

[ Changes ]
Regex improvement

Cheers,
Yadd
diff --git a/debian/changelog b/debian/changelog index f70003b..3ac8ca9 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +node-prismjs (1.23.0+dfsg-1+deb11u1) bullseye; urgency=medium + + * Team upload + * Fix ReDoS (Closes: CVE-2021-40438) + + -- Yadd <y...@debian.org> Tue, 21 Sep 2021 14:45:33 +0200 + node-prismjs (1.23.0+dfsg-1) unstable; urgency=medium * Team upload diff --git a/debian/patches/CVE-2021-40438.patch b/debian/patches/CVE-2021-40438.patch new file mode 100644 index 0000000..a0830ac --- /dev/null +++ b/debian/patches/CVE-2021-40438.patch @@ -0,0 +1,17 @@ +Description: Markup: fixed ReDoS +Author: ready-research +Origin: upstream, https://github.com/prismjs/prism/commit/0ff371bb +Bug: https://security-tracker.debian.org/tracker/CVE-2021-40438 +Forwarded: not-needed +Reviewed-By: Yadd <y...@debian.org> +Last-Update: 2021-09-21 + +--- a/components/prism-markup.js ++++ b/components/prism-markup.js +@@ -1,5 +1,5 @@ + Prism.languages.markup = { +- 'comment': /<!--[\s\S]*?-->/, ++ 'comment': /<!--(?:(?!<!--)[\s\S])*?-->/, + 'prolog': /<\?[\s\S]+?\?>/, + 'doctype': { + // https://www.w3.org/TR/xml/#NT-doctypedecl diff --git a/debian/patches/series b/debian/patches/series new file mode 100644 index 0000000..7c70d57 --- /dev/null +++ b/debian/patches/series @@ -0,0 +1 @@ +CVE-2021-40438.patch diff --git a/debian/salsa-ci.yml b/debian/salsa-ci.yml index 33c3a64..6fd902a 100644 --- a/debian/salsa-ci.yml +++ b/debian/salsa-ci.yml @@ -1,4 +1,7 @@ --- +variables: + RELEASE: 'bullseye' + include: - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/salsa-ci.yml - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/pipeline-jobs.yml
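Review bot: `Closes: CVE-2021-40438` in the debian/changelog hunk will not close anything, because the `Closes:` keyword is parsed for Debian bug numbers (`#NNNNNN`), not CVE ids. Write the entry as `* Fix ReDoS (CVE-2021-40438)` and, if a BTS bug exists for this issue, add `Closes: #NNNNNN` separately; while at it, confirm the CVE id against the upstream commit named in the patch header, since the security-tracker URL in the patch's `Bug:` field is the only other place it appears.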
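Review bot: the DEP-3 header of debian/patches/CVE-2021-40438.patch should state why the old `comment` regex is super-linear rather than only "fixed ReDoS"; one sentence suffices, e.g. that `/<!--[\s\S]*?-->/` lets every unterminated `<!--` scan to the end of the input, while the added `(?!<!--)` lookahead stops each attempt at the next comment opener so total work stays bounded. The `Bug:` field conventionally holds the upstream tracker URL; the security-tracker link fits `Bug-Debian:` better.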
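Review bot: the debian/salsa-ci.yml hunk adding `RELEASE: 'bullseye'` is not mentioned in the changelog entry, although the checklist states that all changes are documented; either add a changelog line (`* Set RELEASE to bullseye in salsa-ci.yml`) or drop the hunk from the stable update, since it only affects CI and is not needed for the fix.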