Hi, here is the debdiff for buster. Please review; I will upload after a while. The ReDoS fix was checked using recheck (not yet packaged). Bastien
diff -Nru node-css-what-2.1.0/debian/changelog node-css-what-2.1.0/debian/changelog
--- node-css-what-2.1.0/debian/changelog 2016-02-05 20:41:17.000000000 +0000
+++ node-css-what-2.1.0/debian/changelog 2023-03-01 15:33:15.000000000 +0000
@@ -1,3 +1,15 @@
+node-css-what (2.1.0-1+deb10u1) buster-security; urgency=medium
+
+ * Team upload
+ * node-css-what was vulnerable to Regular Expression Denial of Service
+ (ReDoS) due to the usage of insecure regular expression in the
+ re_attr variable.
+ The exploitation of this vulnerability could be triggered
+ via the parse function.
+ Fix CVE-2022-21222, CVE-2021-33587 (Closes: #989264, #1032188)
+
+ -- Bastien Roucariès <rouca@debian.org> Wed, 01 Mar 2023 15:33:15 +0000
+
 node-css-what (2.1.0-1) unstable; urgency=medium
 * new upstream version
diff -Nru node-css-what-2.1.0/debian/patches/0001-Partial-fix-of-reDos-CVE-2022-21222-CVE-2021-33587-a.patch node-css-what-2.1.0/debian/patches/0001-Partial-fix-of-reDos-CVE-2022-21222-CVE-2021-33587-a.patch
--- node-css-what-2.1.0/debian/patches/0001-Partial-fix-of-reDos-CVE-2022-21222-CVE-2021-33587-a.patch 1970-01-01 00:00:00.000000000 +0000
+++ node-css-what-2.1.0/debian/patches/0001-Partial-fix-of-reDos-CVE-2022-21222-CVE-2021-33587-a.patch 2023-03-01 15:29:40.000000000 +0000
@@ -0,0 +1,37 @@
+From: =?utf-8?q?Bastien_Roucari=C3=A8s?= <rouca@debian.org>
+Date: Wed, 1 Mar 2023 15:08:01 +0000
+Subject: Partial fix of reDos CVE-2022-21222/CVE-2021-33587: attribute
+ selector
+MIME-Version: 1.0
+Content-Type: text/plain; charset="utf-8"
+Content-Transfer-Encoding: 8bit
+
+Per https://w3c.github.io/csswg-drafts/selectors/#attribute-selectors only = ~= |= ^= $= *= are supported.
+
+Add also != that is checked as invalid latter in order to pass testsuite.
+
+So replace \S by [~|^$*!]
+
+Signed-off-by: Bastien Roucariès <rouca@debian.org>
+bug-debian: https://bugs.debian.org/989264
+bug-debian: https://bugs.debian.org/1032188
+bug: https://www.cve.org/CVERecord?id=CVE-2022-21222
+bug: https://www.cve.org/CVERecord?id=CVE-2021-33587
+Signed-off-by: Bastien Roucariès <rouca@debian.org>
+---
+ index.js | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/index.js b/index.js
+index 859324c..d7105f9 100644
+--- a/index.js
++++ b/index.js
+@@ -5,7 +5,7 @@ module.exports = parse;
+ var re_name = /^(?:\\.|[\w\-\u00c0-\uFFFF])+/,
+ re_escape = /\\([\da-f]{1,6}\s?|(\s)|.)/ig,
+ //modified version of https://github.com/jquery/sizzle/blob/master/src/sizzle.js#L87
+- re_attr = /^\s*((?:\\.|[\w\u00c0-\uFFFF\-])+)\s*(?:(\S?)=\s*(?:(['"])(.*?)\3|(#?(?:\\.|[\w\u00c0-\uFFFF\-])*)|)|)\s*(i)?\]/;
++ re_attr = /^\s*((?:\\.|[\w\u00c0-\uFFFF\-])+)\s*(?:([~|^$*!]?)=\s*(?:(['"])(.*?)\3|(#?(?:\\.|[\w\u00c0-\uFFFF\-])*)|)|)\s*(i)?\]/;
+
+ var actionTypes = {
+ __proto__: null,
diff -Nru node-css-what-2.1.0/debian/patches/0002-Partial-fix-of-ReDos-CVE-2022-21222-CVE-2021-33587-t.patch node-css-what-2.1.0/debian/patches/0002-Partial-fix-of-ReDos-CVE-2022-21222-CVE-2021-33587-t.patch
--- node-css-what-2.1.0/debian/patches/0002-Partial-fix-of-ReDos-CVE-2022-21222-CVE-2021-33587-t.patch 1970-01-01 00:00:00.000000000 +0000
+++ node-css-what-2.1.0/debian/patches/0002-Partial-fix-of-ReDos-CVE-2022-21222-CVE-2021-33587-t.patch 2023-03-01 15:29:40.000000000 +0000
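Review bot: The operator class `[~|^$*!]` on the new `re_attr` line must agree with the keys of `actionTypes`, whose entries begin right after the hunk; any operator present there but missing from the class now fails the regex and surfaces as the "Malformed attribute selector" SyntaxError instead of reaching the action lookup, so please confirm the two lists match. The narrowed regex also gives no hint why `\S` was dropped, which the next person touching this line will need; I would add above it `// operator class limited to the Selectors-4 attribute operators plus "!" (rejected later); the previous \S? could also match a name character, adding backtracking paths (CVE-2021-33587, CVE-2022-21222)`.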
@@ -0,0 +1,43 @@
+From: =?utf-8?q?Bastien_Roucari=C3=A8s?= <rouca@debian.org>
+Date: Wed, 1 Mar 2023 15:15:20 +0000
+Subject: Partial fix of ReDos CVE-2022-21222/CVE-2021-33587: trim string
+MIME-Version: 1.0
+Content-Type: text/plain; charset="utf-8"
+Content-Transfer-Encoding: 8bit
+
+Trim left the string avoiding a \s* at the beginning of the string, thus avoiding part of complexity.
+
+bug-debian: https://bugs.debian.org/989264
+bug-debian: https://bugs.debian.org/1032188
+bug: https://www.cve.org/CVERecord?id=CVE-2022-21222
+bug: https://www.cve.org/CVERecord?id=CVE-2021-33587
+Signed-off-by: Bastien Roucariès <rouca@debian.org>
+---
+ index.js | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/index.js b/index.js
+index d7105f9..1e7f145 100644
+--- a/index.js
++++ b/index.js
+@@ -5,7 +5,7 @@ module.exports = parse;
+ var re_name = /^(?:\\.|[\w\-\u00c0-\uFFFF])+/,
+ re_escape = /\\([\da-f]{1,6}\s?|(\s)|.)/ig,
+ //modified version of https://github.com/jquery/sizzle/blob/master/src/sizzle.js#L87
+- re_attr = /^\s*((?:\\.|[\w\u00c0-\uFFFF\-])+)\s*(?:([~|^$*!]?)=\s*(?:(['"])(.*?)\3|(#?(?:\\.|[\w\u00c0-\uFFFF\-])*)|)|)\s*(i)?\]/;
++ re_attr = /^((?:\\.|[\w\u00c0-\uFFFF\-])+)\s*(?:([~|^$*!]?)=\s*(?:(['"])(.*?)\3|(#?(?:\\.|[\w\u00c0-\uFFFF\-])*)|)|)\s*(i)?\]/;
+
+ var actionTypes = {
+ __proto__: null,
+@@ -146,7 +146,10 @@ function parseSelector(subselects, selector, options){
+ ignoreCase: false
+ });
+ } else if(firstChar === "["){
+- selector = selector.substr(1);
++ selector = selector.substr(1);
++ var wspace = selector.match(/^\s*/);
++ var woffset = !wspace ? 0 : wspace[0].length;
++ selector = selector.substr(woffset);
+ data = selector.match(re_attr);
+ if(!data){
+ throw new SyntaxError("Malformed attribute selector: " + selector);
diff -Nru node-css-what-2.1.0/debian/patches/0003-Partial-Fix-of-ReDos-CVE-2022-21222-CVE-2021-33587-p.patch node-css-what-2.1.0/debian/patches/0003-Partial-Fix-of-ReDos-CVE-2022-21222-CVE-2021-33587-p.patch
--- node-css-what-2.1.0/debian/patches/0003-Partial-Fix-of-ReDos-CVE-2022-21222-CVE-2021-33587-p.patch 1970-01-01 00:00:00.000000000 +0000
+++ node-css-what-2.1.0/debian/patches/0003-Partial-Fix-of-ReDos-CVE-2022-21222-CVE-2021-33587-p.patch 2023-03-01 15:29:40.000000000 +0000
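Review bot: The `!wspace ? 0 : wspace[0].length` guard on the new whitespace-trimming lines in the parseSelector hunk is dead code, because `/^\s*/` can match the empty string and so never returns null; the three added lines reduce to `selector = selector.substr(1).replace(/^\s*/, "");`. Note also that this trim keeps `\s`, the class that patch 0005 in this debdiff replaces inside `re_attr` with `[ \t\n\r\f]` because `\s` also matches Unicode whitespace; if the CSS definition of whitespace is the intent, the same class belongs here, otherwise a one-line comment should say why leading whitespace is trimmed more liberally than the regex accepts elsewhere. parseSelector starts and ends outside this hunk.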
@@ -0,0 +1,31 @@
+From: =?utf-8?q?Bastien_Roucari=C3=A8s?= <rouca@debian.org>
+Date: Wed, 1 Mar 2023 15:17:34 +0000
+Subject: Partial Fix of ReDos CVE-2022-21222/CVE-2021-33587: push inside
+MIME-Version: 1.0
+Content-Type: text/plain; charset="utf-8"
+Content-Transfer-Encoding: 8bit
+
+Push \s* inside the group
+
+Signed-off-by: Bastien Roucariès <rouca@debian.org>
+bug-debian: https://bugs.debian.org/989264
+bug-debian: https://bugs.debian.org/1032188
+bug: https://www.cve.org/CVERecord?id=CVE-2022-21222
+bug: https://www.cve.org/CVERecord?id=CVE-2021-33587
+---
+ index.js | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/index.js b/index.js
+index 1e7f145..4c7d3a3 100644
+--- a/index.js
++++ b/index.js
+@@ -5,7 +5,7 @@ module.exports = parse;
+ var re_name = /^(?:\\.|[\w\-\u00c0-\uFFFF])+/,
+ re_escape = /\\([\da-f]{1,6}\s?|(\s)|.)/ig,
+ //modified version of https://github.com/jquery/sizzle/blob/master/src/sizzle.js#L87
+- re_attr = /^((?:\\.|[\w\u00c0-\uFFFF\-])+)\s*(?:([~|^$*!]?)=\s*(?:(['"])(.*?)\3|(#?(?:\\.|[\w\u00c0-\uFFFF\-])*)|)|)\s*(i)?\]/;
++ re_attr = /^((?:\\.|[\w\u00c0-\uFFFF\-])+)\s*(?:([~|^$*!]?)=\s*(?:(['"])(.*?)\3\s*|(#?(?:\\.|[\w\u00c0-\uFFFF\-])*)\s*|)|)(i)?\]/;
+
+ var actionTypes = {
+ __proto__: null,
diff -Nru node-css-what-2.1.0/debian/patches/0004-Partial-ReDoS-fix-CVE-2022-21222-CVE-2021-33587-avoi.patch node-css-what-2.1.0/debian/patches/0004-Partial-ReDoS-fix-CVE-2022-21222-CVE-2021-33587-avoi.patch
--- node-css-what-2.1.0/debian/patches/0004-Partial-ReDoS-fix-CVE-2022-21222-CVE-2021-33587-avoi.patch 1970-01-01 00:00:00.000000000 +0000
+++ node-css-what-2.1.0/debian/patches/0004-Partial-ReDoS-fix-CVE-2022-21222-CVE-2021-33587-avoi.patch 2023-03-01 15:29:40.000000000 +0000
@@ -0,0 +1,32 @@
+From: =?utf-8?q?Bastien_Roucari=C3=A8s?= <rouca@debian.org>
+Date: Wed, 1 Mar 2023 15:21:30 +0000
+Subject: Partial ReDoS fix CVE-2022-21222/CVE-2021-33587: avoid another
+ (a|a?)+
+MIME-Version: 1.0
+Content-Type: text/plain; charset="utf-8"
+Content-Transfer-Encoding: 8bit
+
+Replace (#?(?:\\.|[\w\u00c0-\uFFFF\-])*) by (#(?:\\.|[\w\u00c0-\uFFFF\-])*|(?:\\.|[\w\u00c0-\uFFFF\-])+)
+
+Signed-off-by: Bastien Roucariès <rouca@debian.org>
+bug-debian: https://bugs.debian.org/989264
+bug-debian: https://bugs.debian.org/1032188
+bug: https://www.cve.org/CVERecord?id=CVE-2022-21222
+bug: https://www.cve.org/CVERecord?id=CVE-2021-33587
+---
+ index.js | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/index.js b/index.js
+index 4c7d3a3..376c90d 100644
+--- a/index.js
++++ b/index.js
+@@ -5,7 +5,7 @@ module.exports = parse;
+ var re_name = /^(?:\\.|[\w\-\u00c0-\uFFFF])+/,
+ re_escape = /\\([\da-f]{1,6}\s?|(\s)|.)/ig,
+ //modified version of https://github.com/jquery/sizzle/blob/master/src/sizzle.js#L87
+- re_attr = /^((?:\\.|[\w\u00c0-\uFFFF\-])+)\s*(?:([~|^$*!]?)=\s*(?:(['"])(.*?)\3\s*|(#?(?:\\.|[\w\u00c0-\uFFFF\-])*)\s*|)|)(i)?\]/;
++ re_attr = /^((?:\\.|[\w\u00c0-\uFFFF\-])+)\s*(?:([~|^$*!]?)=\s*(?:(['"])(.*?)\3\s*|(#(?:\\.|[\w\u00c0-\uFFFF\-])*|(?:\\.|[\w\u00c0-\uFFFF\-])+)\s*|)|)(i)?\]/;
+
+ var actionTypes = {
+ __proto__: null,
diff -Nru node-css-what-2.1.0/debian/patches/0005-Final-ReDos-Fix-for-CVE-2022-21222-CVE-2021-33587-wh.patch node-css-what-2.1.0/debian/patches/0005-Final-ReDos-Fix-for-CVE-2022-21222-CVE-2021-33587-wh.patch
--- node-css-what-2.1.0/debian/patches/0005-Final-ReDos-Fix-for-CVE-2022-21222-CVE-2021-33587-wh.patch 1970-01-01 00:00:00.000000000 +0000
+++ node-css-what-2.1.0/debian/patches/0005-Final-ReDos-Fix-for-CVE-2022-21222-CVE-2021-33587-wh.patch 2023-03-01 15:29:40.000000000 +0000
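Review bot: Splitting the value group into `(#(?:…)*|(?:…)+)` on the new `re_attr` line changes what group 5 captures for an empty unquoted value such as `[name=]`: the old `(#?(?:…)*)` matched it as `""`, while the new group cannot match the empty string, so the outer empty alternative is taken and `data[5]` is left undefined. The consumer of `data[5]` sits outside the hunk, so please confirm it treats `undefined` like `""` (a `data[4] || data[5] || ""` style read would) before uploading. A short comment on the new line would also help: `// "#"-prefixed and plain idents are separate alternatives so an optional "#" cannot combine with an empty ident and backtrack`.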
@@ -0,0 +1,33 @@
+From: =?utf-8?q?Bastien_Roucari=C3=A8s?= <rouca@debian.org>
+Date: Wed, 1 Mar 2023 15:28:55 +0000
+Subject: Final ReDos Fix for CVE-2022-21222/CVE-2021-33587: whitespace fix
+MIME-Version: 1.0
+Content-Type: text/plain; charset="utf-8"
+Content-Transfer-Encoding: 8bit
+
+Replace \s that could match whitespace in \u00b0-\uFFFF, by [ \t\n\r\f]* that is space according to css specification
+
+Upstream version 4.0.0 allowed to match indent name including non breakable UTF, keep this feature.
+
+Signed-off-by: Bastien Roucariès <rouca@debian.org>
+bug-debian: https://bugs.debian.org/989264
+bug-debian: https://bugs.debian.org/1032188
+bug: https://www.cve.org/CVERecord?id=CVE-2022-21222
+bug: https://www.cve.org/CVERecord?id=CVE-2021-33587
+---
+ index.js | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/index.js b/index.js
+index 376c90d..90511da 100644
+--- a/index.js
++++ b/index.js
+@@ -5,7 +5,7 @@ module.exports = parse;
+ var re_name = /^(?:\\.|[\w\-\u00c0-\uFFFF])+/,
+ re_escape = /\\([\da-f]{1,6}\s?|(\s)|.)/ig,
+ //modified version of https://github.com/jquery/sizzle/blob/master/src/sizzle.js#L87
+- re_attr = /^((?:\\.|[\w\u00c0-\uFFFF\-])+)\s*(?:([~|^$*!]?)=\s*(?:(['"])(.*?)\3\s*|(#(?:\\.|[\w\u00c0-\uFFFF\-])*|(?:\\.|[\w\u00c0-\uFFFF\-])+)\s*|)|)(i)?\]/;
++ re_attr = /^((?:\\.|[\w\u00c0-\uFFFF\-])+)[ \t\n\r\f]*(?:([~|^$*!]?)=[ \t\n\r\f]*(?:(['"])(.*?)\3[ \t\n\r\f]*|(#(?:\\.|[\w\u00c0-\uFFFF\-])*|(?:\\.|[\w\u00c0-\uFFFF\-])+)[ \t\n\r\f]*|)|)(i)?\]/;
+
+ var actionTypes = {
+ __proto__: null,
diff -Nru node-css-what-2.1.0/debian/patches/series node-css-what-2.1.0/debian/patches/series
--- node-css-what-2.1.0/debian/patches/series 1970-01-01 00:00:00.000000000 +0000
+++ node-css-what-2.1.0/debian/patches/series 2023-03-01 15:29:40.000000000 +0000
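Review bot: The context line `re_escape = /\\([\da-f]{1,6}\s?|(\s)|.)/ig` two lines above the change still uses `\s`, so the single whitespace consumed after a hex escape and the escaped-whitespace branch keep the wider Unicode meaning that this patch removes from `re_attr`; as far as I read the CSS syntax rules that trailing character is whitespace in the same narrow sense, so `[ \t\n\r\f]` would arguably belong there too, though this is a consistency point rather than a backtracking one and should be a separate, tested patch if taken. The new `re_attr` line is now long enough that a comment naming the class would help the next reader: `// [ \t\n\r\f] is CSS whitespace; \s also matched U+00C0-U+FFFF space characters that the identifier class accepts, which made the pattern ambiguous`.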
@@ -0,0 +1,5 @@
+0001-Partial-fix-of-reDos-CVE-2022-21222-CVE-2021-33587-a.patch
+0002-Partial-fix-of-ReDos-CVE-2022-21222-CVE-2021-33587-t.patch
+0003-Partial-Fix-of-ReDos-CVE-2022-21222-CVE-2021-33587-p.patch
+0004-Partial-ReDoS-fix-CVE-2022-21222-CVE-2021-33587-avoi.patch
+0005-Final-ReDos-Fix-for-CVE-2022-21222-CVE-2021-33587-wh.patch