Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian....@packages.debian.org
Usertags: pu

[ Reason ]
node-prismjs is vulnerable to a Regex Denial of Service (ReDoS)
(CVE-2021-40438)

[ Impact ]
Little vulnerability

[ Tests ]
No test change, passed.

[ Risks ]
No risk, patch is trivial

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

[ Changes ]
Regex improvement

Cheers,
Yadd
diff --git a/debian/changelog b/debian/changelog
index f70003b..3ac8ca9 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+node-prismjs (1.23.0+dfsg-1+deb11u1) bullseye; urgency=medium
+
+  * Team upload
+  * Fix ReDoS (Closes: CVE-2021-40438)
+
+ -- Yadd <y...@debian.org>  Tue, 21 Sep 2021 14:45:33 +0200
+
 node-prismjs (1.23.0+dfsg-1) unstable; urgency=medium
 
   * Team upload
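Review bot: `Closes:` in a Debian changelog entry takes BTS bug numbers, not CVE identifiers; if there is a bug filed for this, use `Fix ReDoS (CVE-2021-40438) (Closes: #NNNNNN)`, otherwise drop the `Closes:` and keep the CVE in parentheses. Please also confirm the identifier against the security tracker before upload: CVE-2021-40438 is the Apache httpd mod_proxy SSRF, so the prismjs markup-comment ReDoS patched here should carry a different CVE, and the patch filename and `Bug:` URL would then need to follow.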
diff --git a/debian/patches/CVE-2021-40438.patch b/debian/patches/CVE-2021-40438.patch
new file mode 100644
index 0000000..a0830ac
--- /dev/null
+++ b/debian/patches/CVE-2021-40438.patch
@@ -0,0 +1,17 @@
+Description: Markup: fixed ReDoS
+Author: ready-research
+Origin: upstream, https://github.com/prismjs/prism/commit/0ff371bb
+Bug: https://security-tracker.debian.org/tracker/CVE-2021-40438
+Forwarded: not-needed
+Reviewed-By: Yadd <y...@debian.org>
+Last-Update: 2021-09-21
+
+--- a/components/prism-markup.js
++++ b/components/prism-markup.js
+@@ -1,5 +1,5 @@
+ Prism.languages.markup = {
+-      'comment': /<!--[\s\S]*?-->/,
++      'comment': /<!--(?:(?!<!--)[\s\S])*?-->/,
+       'prolog': /<\?[\s\S]+?\?>/,
+       'doctype': {
+               // https://www.w3.org/TR/xml/#NT-doctypedecl
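Review bot: the new `comment` pattern changes what is matched, not only how expensive the match is, and that deserves a sentence in the patch `Description:`: with `(?:(?!<!--)[\s\S])*?` a comment body can no longer contain a second `<!--`, so on `<!-- a <!-- b -->` the old regex highlights the whole string while the new one highlights only `<!-- b -->`. The complexity point is that the old lazy `[\s\S]*?` rescans to the end of the input for every `<!--` that has no closing `-->` (quadratic on an input of repeated `<!--`), whereas the lookahead stops each attempt at the next opener. Since [ Tests ] says no test change, a small regression test with such an input would make that claim checkable.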
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 0000000..7c70d57
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1 @@
+CVE-2021-40438.patch
diff --git a/debian/salsa-ci.yml b/debian/salsa-ci.yml
index 33c3a64..6fd902a 100644
--- a/debian/salsa-ci.yml
+++ b/debian/salsa-ci.yml
@@ -1,4 +1,7 @@
 ---
+variables:
+  RELEASE: 'bullseye'
+
 include:
   - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/salsa-ci.yml
   - 
https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/pipeline-jobs.yml

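The following is an added example, not part of the bug report or of the prismjs source, showing what the one-line regex change above does: the original `comment` pattern from `prism-markup.js` beside the patched one, run on a constructed pathological input (many `<!--` openers with no `-->`) and on a constructed comment containing a nested opener. The regex literals are taken from the hunk; everything else (function names, the sample inputs, the repetition count) is mine.

```javascript
// Added example: before/after behaviour of the markup 'comment' regex.
// Both literals are copied from the debian patch hunk; names and inputs are assumptions.
const COMMENT_BEFORE = /<!--[\s\S]*?-->/;
const COMMENT_AFTER = /<!--(?:(?!<!--)[\s\S])*?-->/;

// Constructed input: N openers and no closer. The old pattern starts a match
// at every '<!--' and the lazy [\s\S]*? walks to end of input each time,
// so total work grows with N^2. The lookahead in the new pattern aborts each
// attempt at the next '<!--', so total work stays linear in N.
function pathologicalInput(n) {
  return '<!--'.repeat(n);
}

// Run one regex on one input; return whether it matched and the wall time in ms.
function timeMatch(re, input) {
  const start = process.hrtime.bigint();
  const m = re.exec(input);
  const elapsedMs = Number(process.hrtime.bigint() - start) / 1e6;
  return { matched: m !== null, elapsedMs };
}

// Semantic difference introduced by the fix: a comment body may no longer
// contain a second '<!--'. Returns the matched text (or null) for each regex.
function compareMatches(input) {
  const before = COMMENT_BEFORE.exec(input);
  const after = COMMENT_AFTER.exec(input);
  return {
    before: before ? before[0] : null,
    after: after ? after[0] : null,
  };
}

// Convenience wrapper for the test: both regexes must reject the pathological
// input (no '-->' anywhere), and the new one must not be slower than the old.
function redosCheck(n) {
  const input = pathologicalInput(n);
  const before = timeMatch(COMMENT_BEFORE, input);
  const after = timeMatch(COMMENT_AFTER, input);
  return {
    beforeMatched: before.matched,
    afterMatched: after.matched,
    beforeMs: before.elapsedMs,
    afterMs: after.elapsedMs,
  };
}

// Stand-alone demo. Constructed nested comment: old regex spans both openers,
// new regex only matches the inner '<!-- b -->'.
const nested = '<!-- a <!-- b -->';
console.log('nested comment:', compareMatches(nested));
const r = redosCheck(3000);
console.log(`pathological input: before=${r.beforeMs.toFixed(1)}ms after=${r.afterMs.toFixed(1)}ms`);
```

The timings printed by the demo are only illustrative and depend on the engine and machine; the stable, checkable facts are that neither regex matches an input with no `-->`, and that the nested-opener input is matched differently before and after the patch.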