--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
Please unblock package node-postcss
[ Reason ]
node-postcss is vulnerable to a RegExp Denial of Service during source
map parsing (CVE-2021-23368)
[ Impact ]
Medium vulnerability
[ Tests ]
Upstream tests were disabled due to missing ts-jest. Now it is packaged,
so if the release team agrees, I can enable them (not done here to minimize
the diff). Note that the current autopkgtest should be tagged as "superficial".
Launched locally, tests pass with and without this fix.
[ Risks ]
The change in regexps consists of no longer allowing optional whitespace (there
is never whitespace in normal source maps)
[ Checklist ]
[X] all changes are documented in the d/changelog
[X] I reviewed all changes and I approve them
[X] attach debdiff against the package in testing
unblock node-postcss/8.2.1+~cs5.3.23-6
diff --git a/debian/changelog b/debian/changelog
index 9dba3f7..f7ffc04 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+node-postcss (8.2.1+~cs5.3.23-6) unstable; urgency=medium
+
+ * Team upload
+ * Fix ReDoS vulnerability (Closes: CVE-2021-23368)
+
+ -- Yadd <yadd@debian.org> Wed, 14 Apr 2021 21:43:54 +0200
+
node-postcss (8.2.1+~cs5.3.23-5) unstable; urgency=medium
* Update Breaks: node-css-loader (<< 5.0.1+~cs14.0.5-1~)
diff --git a/debian/patches/CVE-2021-23368.patch b/debian/patches/CVE-2021-23368.patch
new file mode 100644
index 0000000..90351b3
--- /dev/null
+++ b/debian/patches/CVE-2021-23368.patch
@@ -0,0 +1,27 @@
+Description: fix unsafe regexp
+Author: Andrey Sitnik <andrey@sitnik.ru>
+Origin: upstream,
+ https://github.com/postcss/postcss/commit/8682b1e4
+ https://github.com/postcss/postcss/commit/b6f3e4d5
+Bug: https://snyk.io/vuln/SNYK-JS-POSTCSS-1090595
+Forwarded: not-needed
+Reviewed-By: Yadd <yadd@debian.org>
+Last-Update: 2021-04-14
+
+--- a/lib/previous-map.js
++++ b/lib/previous-map.js
+@@ -49,12 +49,12 @@
+
+ getAnnotationURL (sourceMapString) {
+ return sourceMapString
+- .match(/\/\*\s*# sourceMappingURL=(.*)\s*\*\//)[1]
++ .match(/\/\*\s*# sourceMappingURL=(.*)\*\//)[1]
+ .trim()
+ }
+
+ loadAnnotation (css) {
+- let annotations = css.match(/\/\*\s*# sourceMappingURL=.*\s*\*\//gm)
++ let annotations = css.match(/\/\*\s*# sourceMappingURL=.*\*\//gm)
+
+ if (annotations && annotations.length > 0) {
+ // Locate the last sourceMappingURL to avoid picking up
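Review bot: dropping `\s*` before `\*\/` in both regexes is consistent (the `gm` regex in `loadAnnotation` and the capturing one in `getAnnotationURL` change in the same way, so a comment that passes the first still matches the second and `[1]` will not be read off a null), but the Description should state the one behavioural change: an annotation whose `*/` sits on the line after the URL (`/*# sourceMappingURL=x.map\n*/`) matched before, because `\s*` absorbed the newline that `.*` cannot, and no longer matches now. Trailing spaces on the same line are unaffected, since the greedy `(.*)` captures them and `.trim()` strips them. A short sentence to that effect under `Description:` would save the next reader re-deriving it.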
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 0000000..1be7968
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1 @@
+CVE-2021-23368.patch
--- End Message ---
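To check what the regexp change in the patch does and does not alter, here is an added example (not part of the unblock request or of postcss itself) that runs both the pre- and post-fix `sourceMappingURL` regexes over constructed CSS annotations; the sample strings and the `compareRegexes` helper are assumptions of this example.

```javascript
// Added example, not postcss code: compare the vulnerable ("before") and
// fixed ("after") sourceMappingURL regexes from the patch on sample input.

// Regexes copied verbatim from the patch to lib/previous-map.js.
const BEFORE = /\/\*\s*# sourceMappingURL=(.*)\s*\*\//;
const AFTER  = /\/\*\s*# sourceMappingURL=(.*)\*\//;

// Mirrors getAnnotationURL() from previous-map.js, but returns null instead
// of throwing when the annotation does not match.
function getAnnotationURL(sourceMapString, re) {
  const m = sourceMapString.match(re);
  return m ? m[1].trim() : null;
}

// Constructed sample annotations, as found at the end of a CSS file.
const SAMPLES = {
  plain:              '/*# sourceMappingURL=style.css.map */',
  noSpaces:           '/*# sourceMappingURL=style.css.map*/',
  leadingSpace:       '/* # sourceMappingURL=style.css.map */',
  trailingSpaces:     '/*# sourceMappingURL=style.css.map     */',
  dataUri:            '/*# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozfQ== */',
  newlineBeforeClose: '/*# sourceMappingURL=style.css.map\n*/',
};

// For each sample, return the URL each regex extracts (null = no match).
function compareRegexes(samples = SAMPLES) {
  const out = {};
  for (const [name, css] of Object.entries(samples)) {
    out[name] = {
      before: getAnnotationURL(css, BEFORE),
      after:  getAnnotationURL(css, AFTER),
    };
  }
  return out;
}

// Why normal results are unchanged: `(.*)` is greedy and already swallows
// spaces before `*/`, and `.trim()` removes them, so the deleted `\s*` only
// gave the engine a second way to consume the same spaces (the backtracking
// that made the old pattern slow on hostile input). The one visible change
// is a newline before `*/`: `.` never matches `\n`, so the old `\s*` could
// absorb it while the fixed regex reports no match.
```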