Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock
Please unblock package node-postcss

[ Reason ]
node-postcss is vulnerable to a RegExp Denial of Service during source map parsing (CVE-2021-23368)

[ Impact ]
Medium vulnerability

[ Tests ]
Upstream tests were disabled due to missing ts-jest. Now it is packaged, so if the release team agrees, I can enable them (not done here to minimize the diff). Note that the current autopkgtest should be tagged as "superficial". Launched locally, tests pass with and without this fix.

[ Risks ]
The change to the regexps consists of no longer allowing optional whitespace (there is never whitespace in normal source maps)

[ Checklist ]
[X] all changes are documented in the d/changelog
[X] I reviewed all changes and I approve them
[X] attach debdiff against the package in testing

unblock node-postcss/8.2.1+~cs5.3.23-6
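To make the "tests pass with and without this fix" claim checkable on its own, the following added example (not code from postcss or from this debdiff) re-implements the two small methods touched by the patch, `getAnnotationURL` and `loadAnnotation`, once with the pre-fix regexps and once with the post-fix ones, and runs both over constructed CSS samples. The CSS strings and the `compare` helper are constructed for this example; only the regexps are taken from the patch.

```javascript
// Added example: the annotation regexps from lib/previous-map.js before and
// after the CVE-2021-23368 fix, applied to constructed CSS so that their
// equivalence on well-formed input can be checked directly.

const OLD = {
  // `(.*)\s*` overlap: `.*` and `\s*` can both consume the trailing blanks, so on
  // a comment that never closes the engine must retry every possible split point.
  url: /\/\*\s*# sourceMappingURL=(.*)\s*\*\//,
  all: /\/\*\s*# sourceMappingURL=.*\s*\*\//gm,
}

const NEW = {
  // Fixed form: only `.*` sits before `\*\/`, so the text between `=` and `*/`
  // can be partitioned in exactly one way. `.trim()` below still removes blanks.
  url: /\/\*\s*# sourceMappingURL=(.*)\*\//,
  all: /\/\*\s*# sourceMappingURL=.*\*\//gm,
}

// Mirrors PreviousMap.getAnnotationURL(): extract the URL from one annotation comment.
function getAnnotationURL(sourceMapString, re = NEW) {
  return sourceMapString.match(re.url)[1].trim()
}

// Mirrors PreviousMap.loadAnnotation(): collect all annotation comments and use the last.
function loadAnnotation(css, re = NEW) {
  const annotations = css.match(re.all)
  if (annotations && annotations.length > 0) {
    return getAnnotationURL(annotations[annotations.length - 1], re)
  }
  return undefined
}

// Constructed CSS samples (not taken from any real stylesheet).
const SAMPLES = {
  plain: 'a { color: red }\n/*# sourceMappingURL=a.css.map */\n',
  spaced: 'b { color: blue }\n/* # sourceMappingURL=b.css.map   */\n',
  inline: 'c{}\n/*# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozfQ== */\n',
  twice: 'd{}\n/*# sourceMappingURL=first.map */\ne{}\n/*# sourceMappingURL=last.map */\n',
  none: 'f { color: green }\n',
}

// Run one sample through both regexp sets; `same` is the equivalence check.
function compare(css) {
  const before = loadAnnotation(css, OLD)
  const after = loadAnnotation(css, NEW)
  return { before, after, same: before === after }
}

for (const [name, css] of Object.entries(SAMPLES)) {
  console.log(name, compare(css))
}
```

On every sample the two regexp sets return the same URL (or `undefined` when no annotation is present), which is the behavioural equivalence the request relies on; the difference lies only in how the engine fails on malformed, never-closed comments.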
diff --git a/debian/changelog b/debian/changelog index 9dba3f7..f7ffc04 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +node-postcss (8.2.1+~cs5.3.23-6) unstable; urgency=medium + + * Team upload + * Fix ReDoS vulnerability (Closes: CVE-2021-23368) + + -- Yadd <y...@debian.org> Wed, 14 Apr 2021 21:43:54 +0200 + node-postcss (8.2.1+~cs5.3.23-5) unstable; urgency=medium * Update Breaks: node-css-loader (<< 5.0.1+~cs14.0.5-1~) diff --git a/debian/patches/CVE-2021-23368.patch b/debian/patches/CVE-2021-23368.patch new file mode 100644 index 0000000..90351b3 --- /dev/null +++ b/debian/patches/CVE-2021-23368.patch @@ -0,0 +1,27 @@ +Description: fix unsafe regexp +Author: Andrey Sitnik <and...@sitnik.ru> +Origin: upstream, + https://github.com/postcss/postcss/commit/8682b1e4 + https://github.com/postcss/postcss/commit/b6f3e4d5 +Bug: https://snyk.io/vuln/SNYK-JS-POSTCSS-1090595 +Forwarded: not-needed +Reviewed-By: Yadd <y...@debian.org> +Last-Update: 2021-04-14 + +--- a/lib/previous-map.js ++++ b/lib/previous-map.js +@@ -49,12 +49,12 @@ + + getAnnotationURL (sourceMapString) { + return sourceMapString +- .match(/\/\*\s*# sourceMappingURL=(.*)\s*\*\//)[1] ++ .match(/\/\*\s*# sourceMappingURL=(.*)\*\//)[1] + .trim() + } + + loadAnnotation (css) { +- let annotations = css.match(/\/\*\s*# sourceMappingURL=.*\s*\*\//gm) ++ let annotations = css.match(/\/\*\s*# sourceMappingURL=.*\*\//gm) + + if (annotations && annotations.length > 0) { + // Locate the last sourceMappingURL to avoid picking up diff --git a/debian/patches/series b/debian/patches/series new file mode 100644 index 0000000..1be7968 --- /dev/null +++ b/debian/patches/series @@ -0,0 +1 @@ +CVE-2021-23368.patch
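Review bot: in the debian/changelog hunk, `Closes: CVE-2021-23368` uses the `Closes:` keyword on a CVE id rather than a Debian bug number, so it will not close anything in the BTS; the usual form is `* Fix ReDoS vulnerability (CVE-2021-23368)`, with `Closes: #NNNNNN` only if a bug is filed. The request body also says the current autopkgtest should be tagged as "superficial", but the debdiff carries no debian/tests change for that.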
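Review bot: the debian/patches/CVE-2021-23368.patch hunk for lib/previous-map.js drops `\s*` only before `\*\/` in both `getAnnotationURL` and `loadAnnotation`, and `.trim()` in `getAnnotationURL` still removes any trailing blanks before `*/`, so the extracted URL is unchanged for well-formed annotations; the leading `\s*` after `\/\*` is retained and is unambiguous because it is followed by the literal `#`. Since upstream tests are still disabled, a single autopkgtest input such as `/*# sourceMappingURL=x.map */` would document that equivalence on the package side.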