Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian....@packages.debian.org
Usertags: pu

[ Reason ]
node-prismjs is vulnerable to a Regex Denial of Service (ReDoS)
(CVE-2021-40438)

[ Impact ]
Little vulnerability

[ Tests ]
No test change, passed.

[ Risks ]
No risk, patch is trivial

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

[ Changes ]
Regex improvement

Cheers,
Yadd
diff --git a/debian/changelog b/debian/changelog
index c23771a..1d96c58 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+node-prismjs (1.11.0+dfsg-3+deb10u1) buster; urgency=medium
+
+  * Team upload
+  * Fix ReDoS (Closes: CVE-2021-40438)
+
+ -- Yadd <y...@debian.org>  Tue, 21 Sep 2021 14:52:58 +0200
+
 node-prismjs (1.11.0+dfsg-3) unstable; urgency=medium
 
   * Fix mocha command in autopkgtest
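Review bot: the `Closes:` in the new entry, `* Fix ReDoS (Closes: CVE-2021-40438)`, is read by the Debian changelog tooling as a list of bug numbers, and a CVE identifier is not one, so nothing is closed and the entry looks malformed; write it as `* Fix ReDoS (CVE-2021-40438)` and, if a Debian bug was filed for this issue, add its `#NNNNNN` to the `Closes:` instead.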
diff --git a/debian/patches/CVE-2021-40438.patch 
b/debian/patches/CVE-2021-40438.patch
new file mode 100644
index 0000000..2ec1d30
--- /dev/null
+++ b/debian/patches/CVE-2021-40438.patch
@@ -0,0 +1,17 @@
+Description: Markup: fixed ReDoS
+Author: ready-research
+Origin: upstream, https://github.com/prismjs/prism/commit/0ff371bb
+Bug: https://security-tracker.debian.org/tracker/CVE-2021-40438
+Forwarded: not-needed
+Reviewed-By: Yadd <y...@debian.org>
+Last-Update: 2021-09-21
+
+--- a/components/prism-markup.js
++++ b/components/prism-markup.js
+@@ -1,5 +1,5 @@
+ Prism.languages.markup = {
+-      'comment': /<!--[\s\S]*?-->/,
++      'comment': /<!--(?:(?!<!--)[\s\S])*?-->/,
+       'prolog': /<\?[\s\S]+?\?>/,
+       'doctype': /<!DOCTYPE[\s\S]+?>/i,
+       'cdata': /<!\[CDATA\[[\s\S]*?]]>/i,
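Review bot: the new `(?:(?!<!--)[\s\S])*?` makes the `comment` token stop at any embedded `<!--`, so a comment whose body contains a literal `<!--` is tokenized differently after this patch (the match restarts at the inner opener); that behavioural change should be stated in the `Description:` rather than only "fixed ReDoS", and a regression test over a long run of unterminated `<!--` openers, the input on which the old lazy `[\s\S]*?` rescanned to end-of-string from every opener, would pin the fix. The `prolog`, `doctype` and `cdata` patterns in the context lines keep the same lazy-scan shape and are left unchanged; worth confirming with upstream that only `comment` is in scope for this CVE.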
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 0000000..7c70d57
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1 @@
+CVE-2021-40438.patch
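As an added illustration of what the patch above changes, not code from the node-prismjs package or from upstream Prism: the snippet below puts the pre-patch and patched `comment` patterns side by side, shows how tokenization differs on a constructed snippet with an embedded opener, and measures why the old pattern's cost grows quadratically on an unterminated run of `<!--` while the patched one stays linear. The helper names (`firstComment`, `openers`, `scanTimeMs`, `compareTokens`) and the sample strings are this example's own.

```javascript
// Added example (not from node-prismjs or upstream Prism): old vs. patched
// Prism 'comment' pattern for the markup grammar.
const OLD_COMMENT = /<!--[\s\S]*?-->/;            // pre-patch pattern
const NEW_COMMENT = /<!--(?:(?!<!--)[\s\S])*?-->/; // patched pattern

// Return the first comment token a pattern finds in `input`, or null.
function firstComment(pattern, input) {
  const m = pattern.exec(input);
  return m ? m[0] : null;
}

// Constructed input: n comment openers with no closing '-->'.
// Old pattern: from every opener the lazy [\s\S]*? walks to the end of the
// string looking for '-->' before failing, so n openers cost O(n^2).
// Patched pattern: the (?!<!--) lookahead stops the walk at the very next
// opener, so each attempt fails after a few characters and the total is O(n).
function openers(n) {
  return '<!--'.repeat(n);
}

// Wall-clock cost of one exec() in milliseconds. Absolute values depend on
// the machine and engine; only the growth with n is meaningful.
function scanTimeMs(pattern, input) {
  const start = process.hrtime.bigint();
  pattern.exec(input);
  return Number(process.hrtime.bigint() - start) / 1e6;
}

// Constructed snippets showing the tokenization difference: the patched
// pattern will not let a comment token span a second '<!--'.
const SAMPLES = {
  wellFormed: '<!-- a comment --><p>x</p>',
  embeddedOpener: '<!-- outer <!-- inner -->',
};

function compareTokens() {
  const out = {};
  for (const [name, text] of Object.entries(SAMPLES)) {
    out[name] = {
      old: firstComment(OLD_COMMENT, text),
      patched: firstComment(NEW_COMMENT, text),
    };
  }
  return out;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(compareTokens());
  for (const n of [1000, 2000, 4000]) {
    const s = openers(n);
    console.log(n, 'openers: old', scanTimeMs(OLD_COMMENT, s).toFixed(1),
                'ms, patched', scanTimeMs(NEW_COMMENT, s).toFixed(1), 'ms');
  }
}
```

Doubling n should roughly quadruple the old pattern's time and only double the patched one's; on the `embeddedOpener` sample the old pattern returns the whole string while the patched one returns only `<!-- inner -->`, which is the behavioural change the patch header does not mention.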
