Bug#987767: unblock: node-postcss/8.2.1+~cs5.3.23-8
Le 29/04/2021 à 10:32, Yadd a écrit :
> Package: release.debian.org
> Severity: normal
> User: release.debian.org@packages.debian.org
> Usertags: unblock
> X-Debbugs-Cc: pkg-javascript-devel@lists.alioth.debian.org
>
> Please unblock package node-postcss
>
> [ Reason ]
> node-postcss is vulnerable to a Regex Denial of Service (ReDoS)
>
> [ Impact ]
> Medium vulnerability
>
> [ Tests ]
> I added tests for CVE-2021-23368 and CVE-2021-23382 inspired by the CVE
> proofs of concept
>
> [ Risks ]
> No risk, this is just a regex improvement.
>
> [ Checklist ]
> [X] all changes are documented in the d/changelog
> [X] I reviewed all changes and I approve them
> [X] attach debdiff against the package in testing
>
> Cheers,
> Yadd
>
> unblock node-postcss/8.2.1+~cs5.3.23-7
I added a missing `set -e` in the security test. autopkgtest works fine with
my patch and fails without it.
Cheers,
Yadd
unblock node-postcss/8.2.1+~cs5.3.23-8
diff --git a/debian/changelog b/debian/changelog
index f7ffc04..cf21277 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,18 @@
+node-postcss (8.2.1+~cs5.3.23-8) unstable; urgency=medium
+
+ * Team upload
+ * Add missing `set -e` in security test
+
+ -- Yadd <yadd@debian.org> Thu, 29 Apr 2021 10:44:29 +0200
+
+node-postcss (8.2.1+~cs5.3.23-7) unstable; urgency=medium
+
+ * Team upload
+ * Fix ReDoS (Closes: CVE-2021-23382)
+ * Add autopkgtest files for CVE-2021-23368 and CVE-2021-23382
+
+ -- Yadd <yadd@debian.org> Thu, 29 Apr 2021 10:24:48 +0200
+
node-postcss (8.2.1+~cs5.3.23-6) unstable; urgency=medium
* Team upload
diff --git a/debian/patches/CVE-2021-23382.patch b/debian/patches/CVE-2021-23382.patch
new file mode 100644
index 0000000..a953851
--- /dev/null
+++ b/debian/patches/CVE-2021-23382.patch
@@ -0,0 +1,25 @@
+Description: Fix ReDoS in previous-map
+Author: Yeting Li <liyt@ios.ac.cn>
+Origin: upstream, https://github.com/postcss/postcss/commit/2ad1ca9b
+Bug: https://snyk.io/vuln/SNYK-JS-POSTCSS-1255640
+Forwarded: not-needed
+Reviewed-By: Yadd <yadd@debian.org>
+Last-Update: 2021-04-29
+
+--- a/lib/previous-map.js
++++ b/lib/previous-map.js
+@@ -49,12 +49,12 @@
+
+ getAnnotationURL (sourceMapString) {
+ return sourceMapString
+- .match(/\/\*\s*# sourceMappingURL=(.*)\*\//)[1]
++ .match(/\/\*\s*# sourceMappingURL=((?:(?!sourceMappingURL=).)*)\*\//)[1]
+ .trim()
+ }
+
+ loadAnnotation (css) {
+- let annotations = css.match(/\/\*\s*# sourceMappingURL=.*\*\//gm)
++ let annotations = css.match(/\/\*\s*# sourceMappingURL=(?:(?!sourceMappingURL=).)*\*\//gm)
+
+ if (annotations && annotations.length > 0) {
+ // Locate the last sourceMappingURL to avoid picking up
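Review bot: The DEP-3 header describes the change only as "Fix ReDoS in previous-map" and does not say what the rewritten patterns guarantee, which is what a future reader comparing the two regexes will want to know. A second `Description:` line such as `Description: Fix ReDoS in previous-map` / ` The unbounded .* in both sourceMappingURL patterns is replaced by a tempered token that stops at the next "sourceMappingURL=", so repeated markers no longer trigger polynomial backtracking.` would record that. Note that `loadAnnotation` continues past the end of this hunk, so only its first statement is covered by the patch.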
diff --git a/debian/patches/series b/debian/patches/series
index 1be7968..2e873a9 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1 +1,2 @@
CVE-2021-23368.patch
+CVE-2021-23382.patch
diff --git a/debian/tests/CVE-2021-23368.js b/debian/tests/CVE-2021-23368.js
new file mode 100644
index 0000000..1a8b09c
--- /dev/null
+++ b/debian/tests/CVE-2021-23368.js
@@ -0,0 +1,32 @@
+var postcss = require("postcss")
+
+const startTime = Date.now();
+
+function build_attack(n) {
+ var ret = "a{}/*# sourceMappingURL="
+ for (var i = 0; i < n; i++) {
+ ret += " "
+ }
+ return ret + "!";
+}
+
+// postcss.parse('a{}/*# sourceMappingURL=a.css.map */')
+for(var i = 1; i <= 500000; i++) {
+ if (i % 10000 == 0) {
+ var time = Date.now();
+ var attack_str = build_attack(i)
+ try{
+ postcss.parse(attack_str)
+ var time_cost = Date.now() - time;
+ console.log("attack_str.length: " + attack_str.length + ": " + time_cost+" ms");
+ }
+ catch(e){
+ var time_cost = Date.now() - time;
+ console.log("attack_str.length: " + attack_str.length + ": " + time_cost+" ms");
+ }
+ }
+ if(Date.now() - time > 10000) {
+ console.error('Vulnerable to CVE-2021-23368');
+ process.exit(1);
+ }
+}
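Review bot: The timeout check on the last `if` of the loop body reads `time` on every iteration, but `time` is only assigned inside the `if (i % 10000 == 0)` block; before the first sample `Date.now() - time` is `NaN`, so the comparison is silently false, and afterwards it measures wall-clock time since the last sample rather than the parse itself. Since `time_cost` is already computed in both the try and catch branches, the check belongs inside the sampled block, directly after those branches: `if (time_cost > 10000) { console.error('Vulnerable to CVE-2021-23368'); process.exit(1); }`. `startTime` on the third line is never used and can be dropped. debian/tests/CVE-2021-23382.js has the same loop shape and the same fix applies there.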
diff --git a/debian/tests/CVE-2021-23382.js b/debian/tests/CVE-2021-23382.js
new file mode 100644
index 0000000..c891279
--- /dev/null
+++ b/debian/tests/CVE-2021-23382.js
@@ -0,0 +1,32 @@
+var postcss = require("postcss")
+
+const startTime = Date.now();
+
+function build_attack(n) {
+ var ret = "a{}"
+ for (var i = 0; i < n; i++) {
+ ret += "/*# sourceMappingURL="
+ }
+ return ret + "!";
+}
+
+// postcss.parse('a{}/*# sourceMappingURL=a.css.map */')
+for(var i = 1; i <= 500000; i++) {
+ if (i % 1000 == 0) {
+ var time = Date.now();
+ var attack_str = build_attack(i)
+ try{
+ postcss.parse(attack_str)
+ var time_cost = Date.now() - time;
+ console.log("attack_str.length: " + attack_str.length + ": " + time_cost+" ms");
+ }
+ catch(e){
+ var time_cost = Date.now() - time;
+ console.log("attack_str.length: " + attack_str.length + ": " + time_cost+" ms");
+ }
+ }
+ if(Date.now() - time > 10000) {
+ console.error('Vulnerable to CVE-2021-23368');
+ process.exit(1);
+ }
+}
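Review bot: The `console.error` message in this file reports CVE-2021-23368, but the file exercises CVE-2021-23382 (repeated `/*# sourceMappingURL=` markers), so a failing autopkgtest run would point at the wrong patch; it should read `console.error('Vulnerable to CVE-2021-23382');`. Each sample builds `i` copies of a 21-character marker, so at i = 500000 the input is about 10 MB and the loop parses 500 such strings; if runtime on slow autopkgtest hosts becomes a problem, a lower upper bound would still discriminate, since the fixed pattern is expected to be linear in the input. The timing check shares the structure of CVE-2021-23368.js, where `time` is read outside the block that assigns it.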
diff --git a/debian/tests/control b/debian/tests/control
new file mode 100644
index 0000000..40ea2e2
--- /dev/null
+++ b/debian/tests/control
@@ -0,0 +1,2 @@
+Tests: security
+Depends: @
diff --git a/debian/tests/security b/debian/tests/security
new file mode 100755
index 0000000..3e43248
--- /dev/null
+++ b/debian/tests/security
@@ -0,0 +1,6 @@
+#!/bin/bash
+
+set -e
+
+node ./debian/tests/CVE-2021-23368.js
+node ./debian/tests/CVE-2021-23382.js
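Review bot: With `set -e`, a failure of the CVE-2021-23368 check stops the script before the CVE-2021-23382 check runs, so one autopkgtest run reports at most one of the two regressions. If both results are wanted per run, collect the status instead of exiting on the first failure: `rc=0`, `node ./debian/tests/CVE-2021-23368.js || rc=1`, `node ./debian/tests/CVE-2021-23382.js || rc=1`, `exit $rc`. The relative `./debian/tests/` paths assume the script is started from the source-tree root, which is how autopkgtest runs `Tests:` entries, so no `cd` is needed.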