
Bug#1003765: bullseye-pu: package node-markdown-it/10.0.0+dfsg-2+deb11u1

On 15/01/2022 12:52, Yadd wrote:
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian.org@packages.debian.org
Usertags: pu

[ Reason ]
node-markdown-it is vulnerable to regex denial of service
(CVE-2022-21670)

[ Impact ]
Little security issue

[ Tests ]
Test passed

[ Risks ]
Low risk, just a better check

[ Checklist ]
   [X] *all* changes are documented in the d/changelog
   [X] I reviewed all changes and I approve them
   [X] attach debdiff against the package in (old)stable
   [X] the issue is verified as fixed in unstable

[ Changes ]
Replace regex by substitute

Same patch applied to unstable.

Cheers,
Yadd

With the debdiff, sorry

diff --git a/debian/changelog b/debian/changelog
index 3f20b0f..1fa8e51 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+node-markdown-it (10.0.0+dfsg-2+deb11u1) bullseye; urgency=medium
+
+  * Fix ReDoS (Closes: CVE-2022-21670)
+
+ -- Yadd <yadd@debian.org>  Sat, 15 Jan 2022 12:48:26 +0100
+
 node-markdown-it (10.0.0+dfsg-2) unstable; urgency=medium
 
   * Team Upload
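Review bot: `(Closes: CVE-2022-21670)` in the new changelog entry will not close anything, because the Closes: keyword is parsed for Debian bug numbers (`Closes: #NNNNNN`), not CVE ids; the usual form is to cite the CVE plainly, e.g. `* Fix ReDoS (CVE-2022-21670)`, and add a `Closes: #NNNNNN` only if a Debian bug tracks the issue.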
diff --git a/debian/patches/CVE-2022-21670.patch b/debian/patches/CVE-2022-21670.patch
new file mode 100644
index 0000000..e801f06
--- /dev/null
+++ b/debian/patches/CVE-2022-21670.patch
@@ -0,0 +1,32 @@
+Description: Fix possible ReDOS in newline rule
+Author: Vitaly Puzrin <vitaly@rcdesign.ru>
+Origin: upstream, https://github.com/markdown-it/markdown-it/commit/ffc49ab4
+Bug: https://github.com/markdown-it/markdown-it/security/advisories/GHSA-6vfc-qv3f-vr6c
+Forwarded: not-needed
+Reviewed-By: Yadd <yadd@debian.org>
+Last-Update: 2022-01-15
+
+--- a/lib/rules_inline/newline.js
++++ b/lib/rules_inline/newline.js
+@@ -6,7 +6,7 @@
+ 
+ 
+ module.exports = function newline(state, silent) {
+-  var pmax, max, pos = state.pos;
++  var pmax, max, ws, pos = state.pos;
+ 
+   if (state.src.charCodeAt(pos) !== 0x0A/* \n */) { return false; }
+ 
+@@ -20,7 +20,11 @@
+   if (!silent) {
+     if (pmax >= 0 && state.pending.charCodeAt(pmax) === 0x20) {
+       if (pmax >= 1 && state.pending.charCodeAt(pmax - 1) === 0x20) {
+-        state.pending = state.pending.replace(/ +$/, '');
++        // Find whitespaces tail of pending chars.
++        ws = pmax - 1;
++        while (ws >= 1 && state.pending.charCodeAt(ws - 1) === 0x20) ws--;
++
++        state.pending = state.pending.slice(0, ws);
+         state.push('hardbreak', 'br', 0);
+       } else {
+         state.pending = state.pending.slice(0, -1);
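Review bot: the replacement loop in the second inner hunk is correct as written (it starts at `pmax - 1`, which the enclosing condition has already established is a space, and the `ws >= 1` bound keeps an all-space pending from running the index below zero), but the patch adds no regression test for the case that made `/ +$/` quadratic, so "Test passed" in the report only covers the pre-existing suite; consider carrying a test exercising the newline rule on a long pending string with interior runs of spaces. Minor: the DEP-3 `Origin:` cites an abbreviated commit hash (`ffc49ab4`); the full hash is preferred so the reference stays unambiguous.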
diff --git a/debian/patches/series b/debian/patches/series
index 8c5fbef..3d7d982 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,2 +1,3 @@
 update_shebang
 disable_babelmark-responder_test
+CVE-2022-21670.patch
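To see why "replace regex by substitute" is a complete fix, here is an added JavaScript example (not code from the bug report, the debdiff, or markdown-it itself) that places the vulnerable `/ +$/` strip beside a linear scan generalised from the loop in the patch, models the patched newline rule's decision logic on the `pending` buffer alone, and checks the two strips agree on constructed edge-case inputs. The function names, the `applyNewlineRule` model and `SAMPLE_INPUTS` are assumptions of this example; the softbreak branches follow the visible structure of the rule but are not shown in the debdiff.

```javascript
// Added example, not code from the Debian bug report or from markdown-it:
// vulnerable vs. hardened trailing-space strip for the markdown-it newline
// rule (CVE-2022-21670), plus a model of the patched rule's decision logic.

// Vulnerable form. `replace(/ +$/, '')` is cheap when the string ends in
// spaces, but on a long run of spaces that is NOT at the end the engine
// attempts a match starting at every space of the run and only then fails
// at `$`: work quadratic in the length of the run.
function stripTrailingSpacesRegex(pending) {
  return pending.replace(/ +$/, '');
}

// Hardened form, generalised from the patch's loop: walk backwards from the
// end while the previous byte is 0x20 (space) and slice once. Each character
// is examined at most once, so the cost is linear in the string length.
function stripTrailingSpacesLinear(pending) {
  let ws = pending.length;
  while (ws >= 1 && pending.charCodeAt(ws - 1) === 0x20) ws--;
  return pending.slice(0, ws);
}

// Model of the patched newline rule on the `pending` buffer. The two-space
// branch is the hunk from the debdiff; the softbreak branches are assumed
// here from the visible structure (their state.push calls are not shown).
function applyNewlineRule(pending) {
  const pmax = pending.length - 1;
  if (pmax >= 0 && pending.charCodeAt(pmax) === 0x20) {
    if (pmax >= 1 && pending.charCodeAt(pmax - 1) === 0x20) {
      // Two or more trailing spaces: hard break, drop the whole space run.
      // pmax - 1 is known to be a space; stop at ws >= 1 so an all-space
      // buffer ends at index 0 rather than below it.
      let ws = pmax - 1;
      while (ws >= 1 && pending.charCodeAt(ws - 1) === 0x20) ws--;
      return { pending: pending.slice(0, ws), token: 'hardbreak' };
    }
    // Exactly one trailing space: drop it, soft break.
    return { pending: pending.slice(0, -1), token: 'softbreak' };
  }
  // No trailing space: buffer untouched, soft break.
  return { pending, token: 'softbreak' };
}

// Constructed sample inputs (not from the page): empty, all-space, one vs.
// many trailing spaces, interior runs, non-space whitespace, non-ASCII.
const SAMPLE_INPUTS = [
  '', ' ', '  ', '   ', 'a', 'a ', 'a  ', 'a   b', 'a   b ', 'a   b  ',
  'tab\t ', 'caf\u00e9  ', ' '.repeat(40) + 'x', 'x' + ' '.repeat(40),
];

// True when the linear strip agrees with the regex strip on every input,
// i.e. the substitute preserves the rule's behaviour while removing the
// backtracking cost.
function checkEquivalence(inputs) {
  return inputs.every(
    (s) => stripTrailingSpacesLinear(s) === stripTrailingSpacesRegex(s)
  );
}

console.log('linear strip equivalent on samples:', checkEquivalence(SAMPLE_INPUTS));
console.log(applyNewlineRule('foo  '), applyNewlineRule('foo '), applyNewlineRule('foo'));
```

The equivalence check is the review step worth keeping around when a regex is swapped for hand-written scanning: the fix is only safe to ship if the replacement produces the same `pending` on every shape of input, not just the pathological one.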
