--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: buster-pu: package node-prismjs/1.11.0+dfsg-3+deb10u1
- From: Yadd <yadd@debian.org>
- Date: Tue, 21 Sep 2021 14:56:12 +0200
- Message-id: <163222897292.690854.16371407126524244900.reportbug@deb007.xnr.fr>
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu
[ Reason ]
node-prismjs is vulnerable to a Regex Denial of Service (ReDoS)
(CVE-2021-40438)
[ Impact ]
Little vulnerability
[ Tests ]
No test change, passed.
[ Risks ]
No risk, patch is trivial
[ Checklist ]
[X] *all* changes are documented in the d/changelog
[X] I reviewed all changes and I approve them
[X] attach debdiff against the package in (old)stable
[X] the issue is verified as fixed in unstable
[ Changes ]
Regex improvement
Cheers,
Yadd
diff --git a/debian/changelog b/debian/changelog
index c23771a..1d96c58 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+node-prismjs (1.11.0+dfsg-3+deb10u1) buster; urgency=medium
+
+ * Team upload
+ * Fix ReDoS (Closes: CVE-2021-40438)
+
+ -- Yadd <yadd@debian.org> Tue, 21 Sep 2021 14:52:58 +0200
+
node-prismjs (1.11.0+dfsg-3) unstable; urgency=medium
* Fix mocha command in autopkgtest
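Review bot: `Closes:` in a Debian changelog entry is parsed for Debian bug numbers (`#NNNNNN`), so `Fix ReDoS (Closes: CVE-2021-40438)` closes nothing; write it as `Fix ReDoS (CVE-2021-40438)` and add the Debian bug number with `Closes:` only if one exists. Since the same id is repeated in the patch filename and its `Bug:` header, it is also worth confirming against the security tracker before upload that this CVE id is the one assigned to the node-prismjs markup ReDoS.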
diff --git a/debian/patches/CVE-2021-40438.patch b/debian/patches/CVE-2021-40438.patch
new file mode 100644
index 0000000..2ec1d30
--- /dev/null
+++ b/debian/patches/CVE-2021-40438.patch
@@ -0,0 +1,17 @@
+Description: Markup: fixed ReDoS
+Author: ready-research
+Origin: upstream, https://github.com/prismjs/prism/commit/0ff371bb
+Bug: https://security-tracker.debian.org/tracker/CVE-2021-40438
+Forwarded: not-needed
+Reviewed-By: Yadd <yadd@debian.org>
+Last-Update: 2021-09-21
+
+--- a/components/prism-markup.js
++++ b/components/prism-markup.js
+@@ -1,5 +1,5 @@
+ Prism.languages.markup = {
+- 'comment': /<!--[\s\S]*?-->/,
++ 'comment': /<!--(?:(?!<!--)[\s\S])*?-->/,
+ 'prolog': /<\?[\s\S]+?\?>/,
+ 'doctype': /<!DOCTYPE[\s\S]+?>/i,
+ 'cdata': /<!\[CDATA\[[\s\S]*?]]>/i,
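Review bot: the tempered pattern changes tokenisation when another `<!--` appears inside an open comment: `(?!<!--)` stops the lazy scan at the inner opener, so the outer `<!--` no longer matches and the comment token starts at the inner one (HTML itself would treat the inner `<!--` as comment text). That bound on how far one opener can scan is exactly what removes the quadratic rescanning, and it is acceptable for a highlighter, but a sentence in the patch `Description:` saying so would stop it being reported later as a regression. The patch touches only `components/prism-markup.js`; if the binary package ships the bundled `prism.js` or the minified `components/prism-markup.min.js` as shipped upstream rather than regenerating them at build time, those copies still carry the old `comment` regex and need the same change. A small regression test feeding a long run of `<!--` openers to `Prism.languages.markup` would also give the "[Tests] No test change, passed." line something to stand on.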
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 0000000..7c70d57
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1 @@
+CVE-2021-40438.patch
--- End Message ---
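As an added example (not part of this bug report or of Prism's own code), the Node.js check below contrasts the two `comment` patterns from the patch: it shows how they tokenize a constructed input with a second `<!--` inside a comment, and times both on a constructed run of unterminated openers to expose the quadratic scan the patch removes. The names `commentTokens`, `scanTimeMs`, `WELL_FORMED` and `INNER_OPENER` are assumptions of this example.

```javascript
// Added example (not from the bug report or Prism): the two `comment`
// regexes from debian/patches/CVE-2021-40438.patch, copied verbatim.
// Before the patch (node-prismjs 1.11.0):
const COMMENT_BEFORE = /<!--[\s\S]*?-->/;
// After the patch: the tempered `(?:(?!<!--)[\s\S])` refuses to step over
// another `<!--`, so one opener never scans past the next opener.
const COMMENT_AFTER = /<!--(?:(?!<!--)[\s\S])*?-->/;

// Every comment token a pattern would emit for `src`. Uses a global clone
// because Prism's tokenizer walks the whole input, not just the first hit.
function commentTokens(re, src) {
  const g = new RegExp(re.source, 'g');
  return Array.from(src.matchAll(g), (m) => m[0]);
}

// Constructed pathological input: n openers and no `-->` anywhere. The old
// pattern rescans to end of input from every opener (quadratic); the new
// one gives up at the next opener (linear). Returns elapsed milliseconds;
// exec() returns null for both patterns, there is nothing to match.
function scanTimeMs(re, n) {
  const src = '<!--'.repeat(n);
  const t0 = process.hrtime.bigint();
  re.exec(src);
  return Number(process.hrtime.bigint() - t0) / 1e6;
}

// Constructed samples: a well-formed document, where both patterns agree,
// and one with a stray inner opener, where they tokenize differently.
const WELL_FORMED = '<!-- a --><p>x</p><!-- b -->';
const INNER_OPENER = '<!-- a <!-- b -->';

console.log('before:', commentTokens(COMMENT_BEFORE, INNER_OPENER)); // whole string
console.log('after: ', commentTokens(COMMENT_AFTER, INNER_OPENER));  // only the inner comment
for (const n of [1000, 2000, 4000]) {
  console.log(`${n} openers: before ${scanTimeMs(COMMENT_BEFORE, n).toFixed(1)} ms,` +
              ` after ${scanTimeMs(COMMENT_AFTER, n).toFixed(1)} ms`);
}
```

Doubling `n` should roughly quadruple the "before" time while the "after" time grows linearly, which is the property a regression test for this patch should pin down.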