[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#990688: unblock: node-mermaid/8.7.0+ds+~cs27.17.17-3

Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: carnil@debian.org,yadd@debian.org

Hi Release team,

Please unblock package node-mermaid

Yadd fixed CVE-2021-35513 affecting node-mermaid in unstable with a
targetted fix from upstream. Can you please unlbock the package and
make sure it lands in testing and so bullseye in time before the
release?

I'm attaching the debdiff as generated by the upload from Yadd.

Regards,
Salvatore

diff -Nru node-mermaid-8.7.0+ds+~cs27.17.17/debian/changelog node-mermaid-8.7.0+ds+~cs27.17.17/debian/changelog
--- node-mermaid-8.7.0+ds+~cs27.17.17/debian/changelog	2020-10-19 14:00:00.000000000 +0200
+++ node-mermaid-8.7.0+ds+~cs27.17.17/debian/changelog	2021-06-29 14:46:20.000000000 +0200
@@ -1,3 +1,10 @@
+node-mermaid (8.7.0+ds+~cs27.17.17-3) unstable; urgency=medium
+
+  * Team upload
+  * Fix XSS vulnerability when antiscript is used (Closes: CVE-2021-35513)
+
+ -- Yadd <yadd@debian.org>  Tue, 29 Jun 2021 14:46:20 +0200
+
 node-mermaid (8.7.0+ds+~cs27.17.17-2) unstable; urgency=medium
 
   * Source-only-upload 
diff -Nru node-mermaid-8.7.0+ds+~cs27.17.17/debian/patches/CVE-2021-35513.patch node-mermaid-8.7.0+ds+~cs27.17.17/debian/patches/CVE-2021-35513.patch
--- node-mermaid-8.7.0+ds+~cs27.17.17/debian/patches/CVE-2021-35513.patch	1970-01-01 01:00:00.000000000 +0100
+++ node-mermaid-8.7.0+ds+~cs27.17.17/debian/patches/CVE-2021-35513.patch	2021-06-29 14:44:46.000000000 +0200
@@ -0,0 +1,33 @@
+Description: Small positoining fix for parallell processes and nested
+Author: Knut Sveidqvist <knut.sveidqvist@ipiccolo.com>
+Origin: upstream, https://github.com/mermaid-js/mermaid/pull/2123/files
+Bug: https://github.com/mermaid-js/mermaid/issues/2122
+Bug-Debian: https://bugs.debian.org/990449
+Forwarded: not-needed
+Reviewed-By: Yadd <yadd@debian.org>
+Last-Update: 2021-06-29
+
+--- a/src/dagre-wrapper/clusters.js
++++ b/src/dagre-wrapper/clusters.js
+@@ -194,7 +194,7 @@
+   const rectBox = rect.node().getBBox();
+   node.width = rectBox.width;
+   node.height = rectBox.height;
+-
++  node.diff = -node.padding / 2;
+   node.intersect = function(point) {
+     return intersectRect(node, point);
+   };
+--- a/src/diagrams/common/common.js
++++ b/src/diagrams/common/common.js
+@@ -26,6 +26,10 @@
+       break;
+     }
+   }
++
++  rs = rs.replace('javascript:', '#');
++  rs = rs.replace('<iframe', '');
++
+   return rs;
+ };
+ 
diff -Nru node-mermaid-8.7.0+ds+~cs27.17.17/debian/patches/series node-mermaid-8.7.0+ds+~cs27.17.17/debian/patches/series
--- node-mermaid-8.7.0+ds+~cs27.17.17/debian/patches/series	2020-10-19 14:00:00.000000000 +0200
+++ node-mermaid-8.7.0+ds+~cs27.17.17/debian/patches/series	2021-06-29 14:41:58.000000000 +0200
@@ -1,2 +1,3 @@
 0002-Fix-unsupported-syntax.patch
 0003-Replace-moment-mini-with-moment.patch
+CVE-2021-35513.patch
Reply to: