Bug#990374: unblock: node-color-string/1.5.4-2
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
Please unblock package node-color-string
[ Reason ]
node-color-string is vulnerable to a Regex Denial of Service (ReDoS)
reported in CVE-2021-29060
[ Impact ]
Little vulnerability
[ Tests ]
No change in tests, passed
[ Risks ]
Patch is trivial, no risk IMO
[ Checklist ]
[X] all changes are documented in the d/changelog
[X] I reviewed all changes and I approve them
[X] attach debdiff against the package in testing
Cheers,
Yadd
unblock node-color-string/1.5.4-2
diff --git a/debian/changelog b/debian/changelog
index 299dfc1..d80a103 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+node-color-string (1.5.4-2) unstable; urgency=medium
+
+ * Team upload
+ * Fix GitHub tags regex
+ * Fix Regex Denial of Service (Closes: CVE-2021-29060)
+
+ -- Yadd <yadd@debian.org> Sun, 27 Jun 2021 18:12:06 +0200
+
node-color-string (1.5.4-1) unstable; urgency=medium
* Team upload
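Review bot: `Closes:` in debian/changelog is parsed by the BTS for `#NNNNNN` bug numbers, not for CVE ids; the security tracker picks the CVE up from the changelog text itself, so the usual form is `* Fix Regex Denial of Service (CVE-2021-29060)`, with `Closes: #NNNNNN` added only if a bug report exists for it.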
diff --git a/debian/patches/CVE-2021-29060.patch b/debian/patches/CVE-2021-29060.patch
new file mode 100644
index 0000000..69bf300
--- /dev/null
+++ b/debian/patches/CVE-2021-29060.patch
@@ -0,0 +1,48 @@
+Description: fix ReDos in hwb() parser (low-severity)
+ .
+ Discovered by Yeting Li, c/o Colin Ife via Snyk.io.
+ .
+ A ReDos (Regular Expression Denial of Service) vulnerability
+ was responsibly disclosed to me via email by Colin on
+ Mar 5 2021 regarding an exponential time complexity for
+ linearly increasing input lengths for `hwb()` color strings.
+ .
+ Strings reaching more than 5000 characters would see several
+ milliseconds of processing time; strings reaching more than
+ 50,000 characters began seeing 1500ms (1.5s) of processing time.
+ .
+ The cause was due to a the regular expression that parses
+ hwb() strings - specifically, the hue value - where
+ the integer portion of the hue value used a 0-or-more quantifier
+ shortly thereafter followed by a 1-or-more quantifier.
+ .
+ This caused excessive backtracking and a cartesian scan,
+ resulting in exponential time complexity given a linear
+ increase in input length.
+Author: Josh Junon <junon@wavetilt.com>
+Origin: upstream, https://github.com/Qix-/color-string/commit/0789e212
+Bug: https://github.com/yetingli/PoCs/blob/main/CVE-2021-29060/Color-String.md
+Forwarded: not-needed
+Reviewed-By: Yadd <yadd@debian.org>
+Last-Update: 2021-06-27
+
+--- a/index.js
++++ b/index.js
+@@ -129,7 +129,7 @@
+ return null;
+ }
+
+- var hsl = /^hsla?\(\s*([+-]?(?:\d*\.)?\d+)(?:deg)?\s*,\s*([+-]?[\d\.]+)%\s*,\s*([+-]?[\d\.]+)%\s*(?:,\s*([+-]?[\d\.]+)\s*)?\)$/;
++ var hsl = /^hsla?\(\s*([+-]?(?:\d{0,3}\.)?\d+)(?:deg)?\s*,\s*([+-]?[\d\.]+)%\s*,\s*([+-]?[\d\.]+)%\s*(?:,\s*([+-]?[\d\.]+)\s*)?\)$/;
+ var match = string.match(hsl);
+
+ if (match) {
+@@ -150,7 +150,7 @@
+ return null;
+ }
+
+- var hwb = /^hwb\(\s*([+-]?\d*[\.]?\d+)(?:deg)?\s*,\s*([+-]?[\d\.]+)%\s*,\s*([+-]?[\d\.]+)%\s*(?:,\s*([+-]?[\d\.]+)\s*)?\)$/;
++ var hwb = /^hwb\(\s*([+-]?\d{0,3}(?:\.\d+)?)(?:deg)?\s*,\s*([+-]?[\d\.]+)%\s*,\s*([+-]?[\d\.]+)%\s*(?:,\s*([+-]?[\d\.]+)\s*)?\)$/;
+ var match = string.match(hwb);
+
+ if (match) {
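Review bot: the new hwb hue group `([+-]?\d{0,3}(?:\.\d+)?)` can match the empty string, so `hwb(,50%,50%)` now passes the regex with an empty hue where the old `\d*[\.]?\d+` required at least one digit; `([+-]?(?:\d{1,3}(?:\.\d+)?|\.\d+))` keeps the bounded integer part and restores that check. The Description block only mentions the hwb() parser, but the first inner hunk also tightens the hsl regex at index.js line 129; say so there, and document that the `\d{0,3}` caps change accepted input: hwb hues with four or more integer digits (e.g. `hwb(1000,0%,0%)`) no longer match at all, and hsl hues of that length are rejected when they carry a fraction.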
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 0000000..543b76a
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1 @@
+CVE-2021-29060.patch
diff --git a/debian/watch b/debian/watch
index dc974c3..ad5d207 100644
--- a/debian/watch
+++ b/debian/watch
@@ -2,7 +2,7 @@ version=4
opts=\
dversionmangle=auto,\
filenamemangle=s/.*\/v?([\d\.-]+)\.tar\.gz/node-color-string-$1.tar.gz/ \
- https://github.com/qix-/color-string/tags .*/archive/v?([\d\.]+).tar.gz
+ https://github.com/qix-/color-string/tags .*/archive/.*/v?([\d\.]+).tar.gz
# It is not recommended use npmregistry. Please investigate more.
# Take a look at https://wiki.debian.org/debian/watch/
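Review bot: the `+` line keeps `.tar.gz` with unescaped dots while the filenamemangle rule two lines above writes `\.tar\.gz`; escape them in the tag pattern as well (`.*/archive/.*/v?([\d\.]+)\.tar\.gz`) so the suffix is matched literally and the two expressions stay consistent.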