
Old stable debdiff



Hi,

Here is the debdiff for buster. Please review; I will upload after a while.

ReDoS was checked using the (not yet packaged) recheck tool.

Bastien
diff -Nru node-css-what-2.1.0/debian/changelog node-css-what-2.1.0/debian/changelog
--- node-css-what-2.1.0/debian/changelog	2016-02-05 20:41:17.000000000 +0000
+++ node-css-what-2.1.0/debian/changelog	2023-03-01 15:33:15.000000000 +0000
@@ -1,3 +1,15 @@
+node-css-what (2.1.0-1+deb10u1) buster-security; urgency=medium
+
+  * Team upload
+  * node-css-what was vulnerable to Regular Expression Denial of Service
+    (ReDoS) due to the usage of insecure regular expression in the
+    re_attr variable.
+    The exploitation of this vulnerability could be triggered
+    via the parse function.
+    Fix CVE-2022-21222, CVE-2021-33587 (Closes: #989264, #1032188)
+
+ -- Bastien Roucariès <rouca@debian.org>  Wed, 01 Mar 2023 15:33:15 +0000
+
 node-css-what (2.1.0-1) unstable; urgency=medium
 
   * new upstream version
diff -Nru node-css-what-2.1.0/debian/patches/0001-Partial-fix-of-reDos-CVE-2022-21222-CVE-2021-33587-a.patch node-css-what-2.1.0/debian/patches/0001-Partial-fix-of-reDos-CVE-2022-21222-CVE-2021-33587-a.patch
--- node-css-what-2.1.0/debian/patches/0001-Partial-fix-of-reDos-CVE-2022-21222-CVE-2021-33587-a.patch	1970-01-01 00:00:00.000000000 +0000
+++ node-css-what-2.1.0/debian/patches/0001-Partial-fix-of-reDos-CVE-2022-21222-CVE-2021-33587-a.patch	2023-03-01 15:29:40.000000000 +0000
@@ -0,0 +1,37 @@
+From: =?utf-8?q?Bastien_Roucari=C3=A8s?= <rouca@debian.org>
+Date: Wed, 1 Mar 2023 15:08:01 +0000
+Subject: Partial fix of reDos CVE-2022-21222/CVE-2021-33587: attribute
+ selector
+MIME-Version: 1.0
+Content-Type: text/plain; charset="utf-8"
+Content-Transfer-Encoding: 8bit
+
+Per https://w3c.github.io/csswg-drafts/selectors/#attribute-selectors only = ~= |= ^= $= *= are supported.
+
+Add also != that is checked as invalid latter in order to pass testsuite.
+
+So replace \S by [~|^$*!]
+
+Signed-off-by: Bastien Roucariès <rouca@debian.org>
+bug-debian: https://bugs.debian.org/989264
+bug-debian: https://bugs.debian.org/1032188
+bug: https://www.cve.org/CVERecord?id=CVE-2022-21222
+bug: https://www.cve.org/CVERecord?id=CVE-2021-33587
+Signed-off-by: Bastien Roucariès <rouca@debian.org>
+---
+ index.js | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/index.js b/index.js
+index 859324c..d7105f9 100644
+--- a/index.js
++++ b/index.js
+@@ -5,7 +5,7 @@ module.exports = parse;
+ var re_name = /^(?:\\.|[\w\-\u00c0-\uFFFF])+/,
+     re_escape = /\\([\da-f]{1,6}\s?|(\s)|.)/ig,
+     //modified version of https://github.com/jquery/sizzle/blob/master/src/sizzle.js#L87
+-    re_attr = /^\s*((?:\\.|[\w\u00c0-\uFFFF\-])+)\s*(?:(\S?)=\s*(?:(['"])(.*?)\3|(#?(?:\\.|[\w\u00c0-\uFFFF\-])*)|)|)\s*(i)?\]/;
++    re_attr = /^\s*((?:\\.|[\w\u00c0-\uFFFF\-])+)\s*(?:([~|^$*!]?)=\s*(?:(['"])(.*?)\3|(#?(?:\\.|[\w\u00c0-\uFFFF\-])*)|)|)\s*(i)?\]/;
+ 
+ var actionTypes = {
+ 	__proto__: null,
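Review bot: The narrowed operator class `[~|^$*!]?` on the new `re_attr` line changes where unsupported operators fail. A prefix such as `%=` used to match through `\S?`, but now the whole pattern fails to match, so the caller presumably takes its no-match error path instead of any later operator check. It is worth confirming that the error raised for such selectors is still the one callers and the test suite expect. The pattern also carries no explanation of the restriction; a comment above it would help, for example `// operator prefix limited to ~ | ^ $ * ! (was \S?) to keep matching unambiguous, see CVE-2021-33587`.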
diff -Nru node-css-what-2.1.0/debian/patches/0002-Partial-fix-of-ReDos-CVE-2022-21222-CVE-2021-33587-t.patch node-css-what-2.1.0/debian/patches/0002-Partial-fix-of-ReDos-CVE-2022-21222-CVE-2021-33587-t.patch
--- node-css-what-2.1.0/debian/patches/0002-Partial-fix-of-ReDos-CVE-2022-21222-CVE-2021-33587-t.patch	1970-01-01 00:00:00.000000000 +0000
+++ node-css-what-2.1.0/debian/patches/0002-Partial-fix-of-ReDos-CVE-2022-21222-CVE-2021-33587-t.patch	2023-03-01 15:29:40.000000000 +0000
@@ -0,0 +1,43 @@
+From: =?utf-8?q?Bastien_Roucari=C3=A8s?= <rouca@debian.org>
+Date: Wed, 1 Mar 2023 15:15:20 +0000
+Subject: Partial fix of ReDos CVE-2022-21222/CVE-2021-33587: trim string
+MIME-Version: 1.0
+Content-Type: text/plain; charset="utf-8"
+Content-Transfer-Encoding: 8bit
+
+Trim left the string avoiding a \s* at the beginning of the string, thus avoiding part of complexity.
+
+bug-debian: https://bugs.debian.org/989264
+bug-debian: https://bugs.debian.org/1032188
+bug: https://www.cve.org/CVERecord?id=CVE-2022-21222
+bug: https://www.cve.org/CVERecord?id=CVE-2021-33587
+Signed-off-by: Bastien Roucariès <rouca@debian.org>
+---
+ index.js | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/index.js b/index.js
+index d7105f9..1e7f145 100644
+--- a/index.js
++++ b/index.js
+@@ -5,7 +5,7 @@ module.exports = parse;
+ var re_name = /^(?:\\.|[\w\-\u00c0-\uFFFF])+/,
+     re_escape = /\\([\da-f]{1,6}\s?|(\s)|.)/ig,
+     //modified version of https://github.com/jquery/sizzle/blob/master/src/sizzle.js#L87
+-    re_attr = /^\s*((?:\\.|[\w\u00c0-\uFFFF\-])+)\s*(?:([~|^$*!]?)=\s*(?:(['"])(.*?)\3|(#?(?:\\.|[\w\u00c0-\uFFFF\-])*)|)|)\s*(i)?\]/;
++    re_attr = /^((?:\\.|[\w\u00c0-\uFFFF\-])+)\s*(?:([~|^$*!]?)=\s*(?:(['"])(.*?)\3|(#?(?:\\.|[\w\u00c0-\uFFFF\-])*)|)|)\s*(i)?\]/;
+ 
+ var actionTypes = {
+ 	__proto__: null,
+@@ -146,7 +146,10 @@ function parseSelector(subselects, selector, options){
+ 					ignoreCase: false
+ 				});
+ 			} else if(firstChar === "["){
+-				selector = selector.substr(1);
++			        selector = selector.substr(1);
++			        var wspace = selector.match(/^\s*/);
++			        var woffset = !wspace ? 0 : wspace[0].length;
++			        selector = selector.substr(woffset);
+ 				data = selector.match(re_attr);
+ 				if(!data){
+ 					throw new SyntaxError("Malformed attribute selector: " + selector);
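Review bot: The `!wspace ? 0 : wspace[0].length` guard in the added parseSelector lines can never take the `0` branch, because `/^\s*/` also matches the empty string and `match` therefore never returns null here. The added lines could collapse to `selector = selector.substr(1).replace(/^\s+/, "");`, which is anchored and runs in linear time. The new lines are also indented with tabs followed by eight spaces, while the surrounding context uses tabs only. parseSelector begins and ends outside this hunk, so the rest of the branch was not reviewed.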
diff -Nru node-css-what-2.1.0/debian/patches/0003-Partial-Fix-of-ReDos-CVE-2022-21222-CVE-2021-33587-p.patch node-css-what-2.1.0/debian/patches/0003-Partial-Fix-of-ReDos-CVE-2022-21222-CVE-2021-33587-p.patch
--- node-css-what-2.1.0/debian/patches/0003-Partial-Fix-of-ReDos-CVE-2022-21222-CVE-2021-33587-p.patch	1970-01-01 00:00:00.000000000 +0000
+++ node-css-what-2.1.0/debian/patches/0003-Partial-Fix-of-ReDos-CVE-2022-21222-CVE-2021-33587-p.patch	2023-03-01 15:29:40.000000000 +0000
@@ -0,0 +1,31 @@
+From: =?utf-8?q?Bastien_Roucari=C3=A8s?= <rouca@debian.org>
+Date: Wed, 1 Mar 2023 15:17:34 +0000
+Subject: Partial Fix of ReDos CVE-2022-21222/CVE-2021-33587: push inside
+MIME-Version: 1.0
+Content-Type: text/plain; charset="utf-8"
+Content-Transfer-Encoding: 8bit
+
+Push \s* inside the group
+
+Signed-off-by: Bastien Roucariès <rouca@debian.org>
+bug-debian: https://bugs.debian.org/989264
+bug-debian: https://bugs.debian.org/1032188
+bug: https://www.cve.org/CVERecord?id=CVE-2022-21222
+bug: https://www.cve.org/CVERecord?id=CVE-2021-33587
+---
+ index.js | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/index.js b/index.js
+index 1e7f145..4c7d3a3 100644
+--- a/index.js
++++ b/index.js
+@@ -5,7 +5,7 @@ module.exports = parse;
+ var re_name = /^(?:\\.|[\w\-\u00c0-\uFFFF])+/,
+     re_escape = /\\([\da-f]{1,6}\s?|(\s)|.)/ig,
+     //modified version of https://github.com/jquery/sizzle/blob/master/src/sizzle.js#L87
+-    re_attr = /^((?:\\.|[\w\u00c0-\uFFFF\-])+)\s*(?:([~|^$*!]?)=\s*(?:(['"])(.*?)\3|(#?(?:\\.|[\w\u00c0-\uFFFF\-])*)|)|)\s*(i)?\]/;
++    re_attr = /^((?:\\.|[\w\u00c0-\uFFFF\-])+)\s*(?:([~|^$*!]?)=\s*(?:(['"])(.*?)\3\s*|(#?(?:\\.|[\w\u00c0-\uFFFF\-])*)\s*|)|)(i)?\]/;
+ 
+ var actionTypes = {
+ 	__proto__: null,
diff -Nru node-css-what-2.1.0/debian/patches/0004-Partial-ReDoS-fix-CVE-2022-21222-CVE-2021-33587-avoi.patch node-css-what-2.1.0/debian/patches/0004-Partial-ReDoS-fix-CVE-2022-21222-CVE-2021-33587-avoi.patch
--- node-css-what-2.1.0/debian/patches/0004-Partial-ReDoS-fix-CVE-2022-21222-CVE-2021-33587-avoi.patch	1970-01-01 00:00:00.000000000 +0000
+++ node-css-what-2.1.0/debian/patches/0004-Partial-ReDoS-fix-CVE-2022-21222-CVE-2021-33587-avoi.patch	2023-03-01 15:29:40.000000000 +0000
@@ -0,0 +1,32 @@
+From: =?utf-8?q?Bastien_Roucari=C3=A8s?= <rouca@debian.org>
+Date: Wed, 1 Mar 2023 15:21:30 +0000
+Subject: Partial ReDoS fix CVE-2022-21222/CVE-2021-33587: avoid another
+ (a|a?)+
+MIME-Version: 1.0
+Content-Type: text/plain; charset="utf-8"
+Content-Transfer-Encoding: 8bit
+
+Replace (#?(?:\\.|[\w\u00c0-\uFFFF\-])*) by (#(?:\\.|[\w\u00c0-\uFFFF\-])*|(?:\\.|[\w\u00c0-\uFFFF\-])+)
+
+Signed-off-by: Bastien Roucariès <rouca@debian.org>
+bug-debian: https://bugs.debian.org/989264
+bug-debian: https://bugs.debian.org/1032188
+bug: https://www.cve.org/CVERecord?id=CVE-2022-21222
+bug: https://www.cve.org/CVERecord?id=CVE-2021-33587
+---
+ index.js | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/index.js b/index.js
+index 4c7d3a3..376c90d 100644
+--- a/index.js
++++ b/index.js
+@@ -5,7 +5,7 @@ module.exports = parse;
+ var re_name = /^(?:\\.|[\w\-\u00c0-\uFFFF])+/,
+     re_escape = /\\([\da-f]{1,6}\s?|(\s)|.)/ig,
+     //modified version of https://github.com/jquery/sizzle/blob/master/src/sizzle.js#L87
+-    re_attr = /^((?:\\.|[\w\u00c0-\uFFFF\-])+)\s*(?:([~|^$*!]?)=\s*(?:(['"])(.*?)\3\s*|(#?(?:\\.|[\w\u00c0-\uFFFF\-])*)\s*|)|)(i)?\]/;
++    re_attr = /^((?:\\.|[\w\u00c0-\uFFFF\-])+)\s*(?:([~|^$*!]?)=\s*(?:(['"])(.*?)\3\s*|(#(?:\\.|[\w\u00c0-\uFFFF\-])*|(?:\\.|[\w\u00c0-\uFFFF\-])+)\s*|)|)(i)?\]/;
+ 
+ var actionTypes = {
+ 	__proto__: null,
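Review bot: Capture group 5 can no longer be the empty string after this rewrite. With `(#(?:…)*|(?:…)+)`, an empty unquoted value such as `[a=]` is matched by the trailing empty alternative and group 5 is left `undefined`, where the old `(#?(?:…)*)` produced `""`. The code that reads `data` sits outside this hunk, so confirm it uses a fallback along the lines of `data[4] || data[5] || ""` and does not pass group 5 on directly.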
diff -Nru node-css-what-2.1.0/debian/patches/0005-Final-ReDos-Fix-for-CVE-2022-21222-CVE-2021-33587-wh.patch node-css-what-2.1.0/debian/patches/0005-Final-ReDos-Fix-for-CVE-2022-21222-CVE-2021-33587-wh.patch
--- node-css-what-2.1.0/debian/patches/0005-Final-ReDos-Fix-for-CVE-2022-21222-CVE-2021-33587-wh.patch	1970-01-01 00:00:00.000000000 +0000
+++ node-css-what-2.1.0/debian/patches/0005-Final-ReDos-Fix-for-CVE-2022-21222-CVE-2021-33587-wh.patch	2023-03-01 15:29:40.000000000 +0000
@@ -0,0 +1,33 @@
+From: =?utf-8?q?Bastien_Roucari=C3=A8s?= <rouca@debian.org>
+Date: Wed, 1 Mar 2023 15:28:55 +0000
+Subject: Final ReDos Fix for CVE-2022-21222/CVE-2021-33587: whitespace fix
+MIME-Version: 1.0
+Content-Type: text/plain; charset="utf-8"
+Content-Transfer-Encoding: 8bit
+
+Replace \s that could match whitespace in \u00b0-\uFFFF, by [ \t\n\r\f]* that is space according to css specification
+
+Upstream version 4.0.0 allowed to match indent name including non breakable UTF, keep this feature.
+
+Signed-off-by: Bastien Roucariès <rouca@debian.org>
+bug-debian: https://bugs.debian.org/989264
+bug-debian: https://bugs.debian.org/1032188
+bug: https://www.cve.org/CVERecord?id=CVE-2022-21222
+bug: https://www.cve.org/CVERecord?id=CVE-2021-33587
+---
+ index.js | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/index.js b/index.js
+index 376c90d..90511da 100644
+--- a/index.js
++++ b/index.js
+@@ -5,7 +5,7 @@ module.exports = parse;
+ var re_name = /^(?:\\.|[\w\-\u00c0-\uFFFF])+/,
+     re_escape = /\\([\da-f]{1,6}\s?|(\s)|.)/ig,
+     //modified version of https://github.com/jquery/sizzle/blob/master/src/sizzle.js#L87
+-    re_attr = /^((?:\\.|[\w\u00c0-\uFFFF\-])+)\s*(?:([~|^$*!]?)=\s*(?:(['"])(.*?)\3\s*|(#(?:\\.|[\w\u00c0-\uFFFF\-])*|(?:\\.|[\w\u00c0-\uFFFF\-])+)\s*|)|)(i)?\]/;
++    re_attr = /^((?:\\.|[\w\u00c0-\uFFFF\-])+)[ \t\n\r\f]*(?:([~|^$*!]?)=[ \t\n\r\f]*(?:(['"])(.*?)\3[ \t\n\r\f]*|(#(?:\\.|[\w\u00c0-\uFFFF\-])*|(?:\\.|[\w\u00c0-\uFFFF\-])+)[ \t\n\r\f]*|)|)(i)?\]/;
+ 
+ var actionTypes = {
+ 	__proto__: null,
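Review bot: The leading-whitespace trim that patch 0002 added to parseSelector still uses `/^\s*/`, so after this change the trim and `re_attr` disagree about what counts as whitespace. JavaScript's `\s` includes characters such as U+3000 that fall inside the name class `[\w\u00c0-\uFFFF\-]`, so a name starting with one of them has that character stripped before `re_attr` runs. The description says such names should keep working. Using the same class in the trim, `selector.match(/^[ \t\n\r\f]*/)`, would keep the two consistent. No regression test for long attribute-selector inputs is visible in the series, so adding one would guard the final pattern.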
diff -Nru node-css-what-2.1.0/debian/patches/series node-css-what-2.1.0/debian/patches/series
--- node-css-what-2.1.0/debian/patches/series	1970-01-01 00:00:00.000000000 +0000
+++ node-css-what-2.1.0/debian/patches/series	2023-03-01 15:29:40.000000000 +0000
@@ -0,0 +1,5 @@
+0001-Partial-fix-of-reDos-CVE-2022-21222-CVE-2021-33587-a.patch
+0002-Partial-fix-of-ReDos-CVE-2022-21222-CVE-2021-33587-t.patch
+0003-Partial-Fix-of-ReDos-CVE-2022-21222-CVE-2021-33587-p.patch
+0004-Partial-ReDoS-fix-CVE-2022-21222-CVE-2021-33587-avoi.patch
+0005-Final-ReDos-Fix-for-CVE-2022-21222-CVE-2021-33587-wh.patch

Attachment: signature.asc
Description: This is a digitally signed message part.

