Bug#990374: marked as done (unblock: node-color-string/1.5.4-2)

["Debian Bug Tracking System" <owner@bugs.debian.org>]

Your message dated Tue, 29 Jun 2021 21:04:34 +0200
with message-id <YNtuwiewWI4WlK00@ramacher.at>
and subject line Re: Bug#990374: unblock: node-color-string/1.5.4-2
has caused the Debian Bug report #990374,
regarding unblock: node-color-string/1.5.4-2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
990374: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=990374
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems

--- Begin Message ---

• To: Debian Bug Tracking System <submit@bugs.debian.org>
• Subject: unblock: node-color-string/1.5.4-2
• From: Yadd <yadd@debian.org>
• Date: Sun, 27 Jun 2021 19:17:01 +0200
• Message-id: <[🔎] 162481422138.467567.662649383424531092.reportbug@deb007.xnr.fr>

Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package node-color-string

[ Reason ]
node-color-string is vulnerable to a Regex Denial of Service (ReDoS)
reported in CVE-2021-29060

[ Impact ]
Little vulnerability

[ Tests ]
No change in tests, passed

[ Risks ]
Patch is trivial, no risk IMO

[ Checklist ]
  [X] all changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in testing

Cheers,
Yadd

unblock node-color-string/1.5.4-2

diff --git a/debian/changelog b/debian/changelog
index 299dfc1..d80a103 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+node-color-string (1.5.4-2) unstable; urgency=medium
+
+  * Team upload
+  * Fix GitHub tags regex
+  * Fix Regex Denial of Service (Closes: CVE-2021-29060)
+
+ -- Yadd <yadd@debian.org>  Sun, 27 Jun 2021 18:12:06 +0200
+
 node-color-string (1.5.4-1) unstable; urgency=medium
 
   * Team upload
diff --git a/debian/patches/CVE-2021-29060.patch b/debian/patches/CVE-2021-29060.patch
new file mode 100644
index 0000000..69bf300
--- /dev/null
+++ b/debian/patches/CVE-2021-29060.patch
@@ -0,0 +1,48 @@
+Description: fix ReDos in hwb() parser (low-severity)
+ .
+ Discovered by Yeting Li, c/o Colin Ife via Snyk.io.
+ .
+ A ReDos (Regular Expression Denial of Service) vulnerability
+ was responsibly disclosed to me via email by Colin on
+ Mar 5 2021 regarding an exponential time complexity for
+ linearly increasing input lengths for `hwb()` color strings.
+ .
+ Strings reaching more than 5000 characters would see several
+ milliseconds of processing time; strings reaching more than
+ 50,000 characters began seeing 1500ms (1.5s) of processing time.
+ .
+ The cause was due to a the regular expression that parses
+ hwb() strings - specifically, the hue value - where
+ the integer portion of the hue value used a 0-or-more quantifier
+ shortly thereafter followed by a 1-or-more quantifier.
+ .
+ This caused excessive backtracking and a cartesian scan,
+ resulting in exponential time complexity given a linear
+ increase in input length.
+Author: Josh Junon <junon@wavetilt.com>
+Origin: upstream, https://github.com/Qix-/color-string/commit/0789e212
+Bug: https://github.com/yetingli/PoCs/blob/main/CVE-2021-29060/Color-String.md
+Forwarded: not-needed
+Reviewed-By: Yadd <yadd@debian.org>
+Last-Update: 2021-06-27
+
+--- a/index.js
++++ b/index.js
+@@ -129,7 +129,7 @@
+ 		return null;
+ 	}
+ 
+-	var hsl = /^hsla?\(\s*([+-]?(?:\d*\.)?\d+)(?:deg)?\s*,\s*([+-]?[\d\.]+)%\s*,\s*([+-]?[\d\.]+)%\s*(?:,\s*([+-]?[\d\.]+)\s*)?\)$/;
++	var hsl = /^hsla?\(\s*([+-]?(?:\d{0,3}\.)?\d+)(?:deg)?\s*,\s*([+-]?[\d\.]+)%\s*,\s*([+-]?[\d\.]+)%\s*(?:,\s*([+-]?[\d\.]+)\s*)?\)$/;
+ 	var match = string.match(hsl);
+ 
+ 	if (match) {
+@@ -150,7 +150,7 @@
+ 		return null;
+ 	}
+ 
+-	var hwb = /^hwb\(\s*([+-]?\d*[\.]?\d+)(?:deg)?\s*,\s*([+-]?[\d\.]+)%\s*,\s*([+-]?[\d\.]+)%\s*(?:,\s*([+-]?[\d\.]+)\s*)?\)$/;
++	var hwb = /^hwb\(\s*([+-]?\d{0,3}(?:\.\d+)?)(?:deg)?\s*,\s*([+-]?[\d\.]+)%\s*,\s*([+-]?[\d\.]+)%\s*(?:,\s*([+-]?[\d\.]+)\s*)?\)$/;
+ 	var match = string.match(hwb);
+ 
+ 	if (match) {
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 0000000..543b76a
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1 @@
+CVE-2021-29060.patch
diff --git a/debian/watch b/debian/watch
index dc974c3..ad5d207 100644
--- a/debian/watch
+++ b/debian/watch
@@ -2,7 +2,7 @@ version=4
 opts=\
 dversionmangle=auto,\
 filenamemangle=s/.*\/v?([\d\.-]+)\.tar\.gz/node-color-string-$1.tar.gz/ \
- https://github.com/qix-/color-string/tags .*/archive/v?([\d\.]+).tar.gz
+ https://github.com/qix-/color-string/tags .*/archive/.*/v?([\d\.]+).tar.gz
 
 # It is not recommended use npmregistry. Please investigate more.
 # Take a look at https://wiki.debian.org/debian/watch/

--- End Message ---

--- Begin Message ---

• To: Yadd <yadd@debian.org>, 990374-done@bugs.debian.org
• Subject: Re: Bug#990374: unblock: node-color-string/1.5.4-2
• From: Sebastian Ramacher <sramacher@debian.org>
• Date: Tue, 29 Jun 2021 21:04:34 +0200
• Message-id: <YNtuwiewWI4WlK00@ramacher.at>
• In-reply-to: <[🔎] 162481422138.467567.662649383424531092.reportbug@deb007.xnr.fr>
• References: <[🔎] 162481422138.467567.662649383424531092.reportbug@deb007.xnr.fr>

On 2021-06-27 19:17:01 +0200, Yadd wrote:
> Package: release.debian.org
> Severity: normal
> User: release.debian.org@packages.debian.org
> Usertags: unblock
> 
> Please unblock package node-color-string
> 
> [ Reason ]
> node-color-string is vulnerable to a Regex Denial of Service (ReDoS)
> reported in CVE-2021-29060
> 
> [ Impact ]
> Little vulnerability
> 
> [ Tests ]
> No change in tests, passed
> 
> [ Risks ]
> Patch is trivial, no risk IMO
> 
> [ Checklist ]
>   [X] all changes are documented in the d/changelog
>   [X] I reviewed all changes and I approve them
>   [X] attach debdiff against the package in testing

This package will migrate without an action from our side. In any case,
I've aged it since it contains a security fix.

Cheers

> 
> Cheers,
> Yadd
> 
> unblock node-color-string/1.5.4-2

> diff --git a/debian/changelog b/debian/changelog
> index 299dfc1..d80a103 100644
> --- a/debian/changelog
> +++ b/debian/changelog
> @@ -1,3 +1,11 @@
> +node-color-string (1.5.4-2) unstable; urgency=medium
> +
> +  * Team upload
> +  * Fix GitHub tags regex
> +  * Fix Regex Denial of Service (Closes: CVE-2021-29060)
> +
> + -- Yadd <yadd@debian.org>  Sun, 27 Jun 2021 18:12:06 +0200
> +
>  node-color-string (1.5.4-1) unstable; urgency=medium
>  
>    * Team upload
> diff --git a/debian/patches/CVE-2021-29060.patch b/debian/patches/CVE-2021-29060.patch
> new file mode 100644
> index 0000000..69bf300
> --- /dev/null
> +++ b/debian/patches/CVE-2021-29060.patch
> @@ -0,0 +1,48 @@
> +Description: fix ReDos in hwb() parser (low-severity)
> + .
> + Discovered by Yeting Li, c/o Colin Ife via Snyk.io.
> + .
> + A ReDos (Regular Expression Denial of Service) vulnerability
> + was responsibly disclosed to me via email by Colin on
> + Mar 5 2021 regarding an exponential time complexity for
> + linearly increasing input lengths for `hwb()` color strings.
> + .
> + Strings reaching more than 5000 characters would see several
> + milliseconds of processing time; strings reaching more than
> + 50,000 characters began seeing 1500ms (1.5s) of processing time.
> + .
> + The cause was due to a the regular expression that parses
> + hwb() strings - specifically, the hue value - where
> + the integer portion of the hue value used a 0-or-more quantifier
> + shortly thereafter followed by a 1-or-more quantifier.
> + .
> + This caused excessive backtracking and a cartesian scan,
> + resulting in exponential time complexity given a linear
> + increase in input length.
> +Author: Josh Junon <junon@wavetilt.com>
> +Origin: upstream, https://github.com/Qix-/color-string/commit/0789e212
> +Bug: https://github.com/yetingli/PoCs/blob/main/CVE-2021-29060/Color-String.md
> +Forwarded: not-needed
> +Reviewed-By: Yadd <yadd@debian.org>
> +Last-Update: 2021-06-27
> +
> +--- a/index.js
> ++++ b/index.js
> +@@ -129,7 +129,7 @@
> + 		return null;
> + 	}
> + 
> +-	var hsl = /^hsla?\(\s*([+-]?(?:\d*\.)?\d+)(?:deg)?\s*,\s*([+-]?[\d\.]+)%\s*,\s*([+-]?[\d\.]+)%\s*(?:,\s*([+-]?[\d\.]+)\s*)?\)$/;
> ++	var hsl = /^hsla?\(\s*([+-]?(?:\d{0,3}\.)?\d+)(?:deg)?\s*,\s*([+-]?[\d\.]+)%\s*,\s*([+-]?[\d\.]+)%\s*(?:,\s*([+-]?[\d\.]+)\s*)?\)$/;
> + 	var match = string.match(hsl);
> + 
> + 	if (match) {
> +@@ -150,7 +150,7 @@
> + 		return null;
> + 	}
> + 
> +-	var hwb = /^hwb\(\s*([+-]?\d*[\.]?\d+)(?:deg)?\s*,\s*([+-]?[\d\.]+)%\s*,\s*([+-]?[\d\.]+)%\s*(?:,\s*([+-]?[\d\.]+)\s*)?\)$/;
> ++	var hwb = /^hwb\(\s*([+-]?\d{0,3}(?:\.\d+)?)(?:deg)?\s*,\s*([+-]?[\d\.]+)%\s*,\s*([+-]?[\d\.]+)%\s*(?:,\s*([+-]?[\d\.]+)\s*)?\)$/;
> + 	var match = string.match(hwb);
> + 
> + 	if (match) {
> diff --git a/debian/patches/series b/debian/patches/series
> new file mode 100644
> index 0000000..543b76a
> --- /dev/null
> +++ b/debian/patches/series
> @@ -0,0 +1 @@
> +CVE-2021-29060.patch
> diff --git a/debian/watch b/debian/watch
> index dc974c3..ad5d207 100644
> --- a/debian/watch
> +++ b/debian/watch
> @@ -2,7 +2,7 @@ version=4
>  opts=\
>  dversionmangle=auto,\
>  filenamemangle=s/.*\/v?([\d\.-]+)\.tar\.gz/node-color-string-$1.tar.gz/ \
> - https://github.com/qix-/color-string/tags .*/archive/v?([\d\.]+).tar.gz
> + https://github.com/qix-/color-string/tags .*/archive/.*/v?([\d\.]+).tar.gz
>  
>  # It is not recommended use npmregistry. Please investigate more.
>  # Take a look at https://wiki.debian.org/debian/watch/


-- 
Sebastian Ramacher

Attachment: signature.asc
Description: PGP signature

--- End Message ---