
Bug#986976: unblock: node-postcss/8.2.1+~cs5.3.23-6



Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package node-postcss

[ Reason ]
node-postcss is vulnerable to a RegExp Denial of Service during source
map parsing (CVE-2021-23368)

[ Impact ]
Medium vulnerability

[ Tests ]
Upstream tests were disabled due to missing ts-jest. It is now packaged,
so if the release team agrees, I can enable them (not done here to minimize
diff). Note that the current autopkgtest should be tagged as "superficial".

Launched locally, tests pass with and without this fix.

[ Risks ]
The change in the regexps consists of not allowing optional whitespace (there
is never whitespace in normal source maps)

[ Checklist ]
  [X] all changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in testing

unblock node-postcss/8.2.1+~cs5.3.23-6
diff --git a/debian/changelog b/debian/changelog
index 9dba3f7..f7ffc04 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+node-postcss (8.2.1+~cs5.3.23-6) unstable; urgency=medium
+
+  * Team upload
+  * Fix ReDoS vulnerability (Closes: CVE-2021-23368)
+
+ -- Yadd <yadd@debian.org>  Wed, 14 Apr 2021 21:43:54 +0200
+
 node-postcss (8.2.1+~cs5.3.23-5) unstable; urgency=medium
 
   * Update Breaks: node-css-loader (<< 5.0.1+~cs14.0.5-1~)
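Review bot: In the new 8.2.1+~cs5.3.23-6 entry, "Closes: CVE-2021-23368" puts a CVE id where the Closes: keyword expects a Debian bug number, so the upload will not close anything in the BTS. Consider writing the CVE as a plain reference and naming what was changed, for example "Fix ReDoS in source map annotation parsing (CVE-2021-23368)", and mention debian/patches/CVE-2021-23368.patch so the entry documents where the fix lives.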
diff --git a/debian/patches/CVE-2021-23368.patch b/debian/patches/CVE-2021-23368.patch
new file mode 100644
index 0000000..90351b3
--- /dev/null
+++ b/debian/patches/CVE-2021-23368.patch
@@ -0,0 +1,27 @@
+Description: fix unsafe regexp
+Author: Andrey Sitnik <andrey@sitnik.ru>
+Origin: upstream,
+ https://github.com/postcss/postcss/commit/8682b1e4
+ https://github.com/postcss/postcss/commit/b6f3e4d5
+Bug: https://snyk.io/vuln/SNYK-JS-POSTCSS-1090595
+Forwarded: not-needed
+Reviewed-By: Yadd <yadd@debian.org>
+Last-Update: 2021-04-14
+
+--- a/lib/previous-map.js
++++ b/lib/previous-map.js
+@@ -49,12 +49,12 @@
+ 
+   getAnnotationURL (sourceMapString) {
+     return sourceMapString
+-      .match(/\/\*\s*# sourceMappingURL=(.*)\s*\*\//)[1]
++      .match(/\/\*\s*# sourceMappingURL=(.*)\*\//)[1]
+       .trim()
+   }
+ 
+   loadAnnotation (css) {
+-    let annotations = css.match(/\/\*\s*# sourceMappingURL=.*\s*\*\//gm)
++    let annotations = css.match(/\/\*\s*# sourceMappingURL=.*\*\//gm)
+ 
+     if (annotations && annotations.length > 0) {
+       // Locate the last sourceMappingURL to avoid picking up
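Review bot: Dropping `\s*` before `\*\/` in both patterns of lib/previous-map.js also changes what matches, not only the backtracking: `.` does not cross a newline, so an annotation whose closing `*/` sits on the following line matched before and no longer does. In getAnnotationURL the result of `.match(...)` is indexed with `[1]` without a null check, so a string that stops matching there would throw instead of returning a URL. Trailing spaces on the same line are still absorbed by `(.*)` and removed by `.trim()`, so that case is unchanged. Since the request notes the upstream tests are disabled, it would help to add a small check for both cases, and to confirm that the remaining `\/\*\s*` prefix and greedy `.*` stay fast on long single-line input.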
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 0000000..1be7968
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1 @@
+CVE-2021-23368.patch
