Package: release.debian.org Severity: normal X-Debbugs-Cc: node-jsdom@packages.debian.org, security@debian.org, carnil@debian.org Control: affects -1 + src:node-jsdom User: release.debian.org@packages.debian.org Usertags: unblock Please unblock package node-jsdom [ Reason ] node-jsdom is affected by a ReDoS (the trailing-whitespace regex in lib/jsdom/living/helpers/strings.js backtracks quadratically; the issue is outside upstream security support), and this blocks the autopkgtest for angular.js, which is affected by about 10 CVEs. [ Impact ] Fix a ReDoS [ Tests ] testsuite [ Risks ] Low [ Checklist ] [X] all changes are documented in the d/changelog [X] I reviewed all changes and I approve them [X] attach debdiff against the package in testing [ Other info ] We would like to have angular.js fixed in trixie. unblock node-jsdom/20.0.3+~cs124.18.21-5
diff -Nru node-jsdom-20.0.3+~cs124.18.21/debian/changelog node-jsdom-20.0.3+~cs124.18.21/debian/changelog
--- node-jsdom-20.0.3+~cs124.18.21/debian/changelog 2023-11-25 04:15:10.000000000 +0100
+++ node-jsdom-20.0.3+~cs124.18.21/debian/changelog 2025-06-28 22:22:20.000000000 +0200
@@ -1,3 +1,10 @@
+node-jsdom (20.0.3+~cs124.18.21-5) unstable; urgency=medium
+
+ * Team upload
+ * Avoid a ReDos in string.js
+
+ -- Bastien Roucariès <rouca@debian.org> Sat, 28 Jun 2025 22:22:20 +0200
+
node-jsdom (20.0.3+~cs124.18.21-4) unstable; urgency=medium
* Team upload
diff -Nru node-jsdom-20.0.3+~cs124.18.21/debian/patches/0005-Avoid-a-ReDos-in-string.js.patch node-jsdom-20.0.3+~cs124.18.21/debian/patches/0005-Avoid-a-ReDos-in-string.js.patch
--- node-jsdom-20.0.3+~cs124.18.21/debian/patches/0005-Avoid-a-ReDos-in-string.js.patch 1970-01-01 01:00:00.000000000 +0100
+++ node-jsdom-20.0.3+~cs124.18.21/debian/patches/0005-Avoid-a-ReDos-in-string.js.patch 2025-06-28 22:22:20.000000000 +0200
@@ -0,0 +1,61 @@
+From 0848d35195fada87b1fedab0f6a566308a892a6a Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Bastien=20Roucari=C3=A8s?= <rouca@debian.org>
+Date: Sat, 28 Jun 2025 22:21:06 +0200
+Subject: [PATCH] Avoid a ReDos in string.js
+
+[ ab]+$ is a ReDoS and crash a regression test on debian
+
+forwarded: https://github.com/jsdom/jsdom/pull/3896
+---
+ lib/jsdom/living/helpers/strings.js | 34 +++++++++++++++++++++++++++--
+ 1 file changed, 32 insertions(+), 2 deletions(-)
+
+Index: node-jsdom/lib/jsdom/living/helpers/strings.js
+===================================================================
+--- node-jsdom.orig/lib/jsdom/living/helpers/strings.js 2025-06-28 23:33:35.777608315 +0200
++++ node-jsdom/lib/jsdom/living/helpers/strings.js 2025-06-28 23:33:35.777608315 +0200
+@@ -21,12 +21,42 @@
+
+ // https://infra.spec.whatwg.org/#strip-leading-and-trailing-ascii-whitespace
+ exports.stripLeadingAndTrailingASCIIWhitespace = s => {
+- return s.replace(/^[ \t\n\f\r]+/, "").replace(/[ \t\n\f\r]+$/, "");
++ const beg = s.replace(/^[ \t\n\f\r]+/, "");
++ // replace(/[ \t\n\f\r]+$/, "") without ReDoS
++ let i = beg.length - 1;
++ while (i >= 0) {
++ switch (beg[i]) {
++ case " ":
++ case "\t":
++ case "\n":
++ case "\f":
++ case "\r":
++ i--;
++ continue;
++ }
++ break;
++ }
++ return beg.slice(0, i + 1);
+ };
+
+ // https://infra.spec.whatwg.org/#strip-and-collapse-ascii-whitespace
+ exports.stripAndCollapseASCIIWhitespace = s => {
+- return s.replace(/[ \t\n\f\r]+/g, " ").replace(/^[ \t\n\f\r]+/, "").replace(/[ \t\n\f\r]+$/, "");
++ const beg = s.replace(/[ \t\n\f\r]+/g, " ").replace(/^[ \t\n\f\r]+/, "");
++ // replace(/[ \t\n\f\r]+$/, "") without ReDoS
++ let i = beg.length - 1;
++ while (i >= 0) {
++ switch (beg[i]) {
++ case " ":
++ case "\t":
++ case "\n":
++ case "\f":
++ case "\r":
++ i--;
++ continue;
++ }
++ break;
++ }
++ return beg.slice(0, i + 1);
+ };
+
+ // https://html.spec.whatwg.org/multipage/infrastructure.html#valid-simple-colour
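Review bot: The backward-scanning trailing-strip loop is pasted verbatim into both stripLeadingAndTrailingASCIIWhitespace and stripAndCollapseASCIIWhitespace; a module-local helper would keep the two spec functions in step and give the ReDoS rationale a single home. The `^`-anchored leading strip can stay a regex: without the `m` flag `^` matches only at offset 0, so every other start position fails in O(1), whereas `/[ \t\n\f\r]+$/` on an input like `" ".repeat(n) + "x"` re-scans the whitespace run from each start and is quadratic. Do not simplify the helper to `trimEnd()`: it strips Unicode whitespace (NBSP, U+FEFF, line/paragraph separators) beyond the five ASCII code points the Infra spec names, which would change behaviour. The debdiff adds no regression test for the all-whitespace and long-whitespace-run inputs the loop exists for; the [ Tests ] entry only points at the existing suite.
```javascript
// Strip trailing ASCII whitespace (SPACE, TAB, LF, FF, CR) by scanning back
// from the end. Replaces /[ \t\n\f\r]+$/, which backtracks quadratically on
// inputs such as " ".repeat(n) + "x". Deliberately not trimEnd(), which also
// strips non-ASCII Unicode whitespace and would diverge from the Infra spec.
const stripTrailingASCIIWhitespace = s => {
  let end = s.length;
  while (end > 0 && " \t\n\f\r".includes(s[end - 1])) {
    end--;
  }
  return s.slice(0, end);
};

// https://infra.spec.whatwg.org/#strip-leading-and-trailing-ascii-whitespace
exports.stripLeadingAndTrailingASCIIWhitespace = s =>
  stripTrailingASCIIWhitespace(s.replace(/^[ \t\n\f\r]+/, ""));

// https://infra.spec.whatwg.org/#strip-and-collapse-ascii-whitespace
exports.stripAndCollapseASCIIWhitespace = s =>
  stripTrailingASCIIWhitespace(s.replace(/[ \t\n\f\r]+/g, " ").replace(/^[ \t\n\f\r]+/, ""));
```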
diff -Nru node-jsdom-20.0.3+~cs124.18.21/debian/patches/series node-jsdom-20.0.3+~cs124.18.21/debian/patches/series
--- node-jsdom-20.0.3+~cs124.18.21/debian/patches/series 2023-11-24 03:47:02.000000000 +0100
+++ node-jsdom-20.0.3+~cs124.18.21/debian/patches/series 2025-06-28 22:21:38.000000000 +0200
@@ -2,3 +2,4 @@
fix-test.patch
tsc-workaround.patch
fix-for-https-proxy-agent-7.patch
+0005-Avoid-a-ReDos-in-string.js.patch