[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#1109573: marked as done (unblock: node-jsdom/20.0.3+~cs124.18.21-5)

Your message dated Thu, 31 Jul 2025 08:51:34 +0200
with message-id <adcd3b52-9cce-4216-8cf5-c0853fbc9461@debian.org>
and subject line Re: unblock: node-jsdom/20.0.3+~cs124.18.21-5
has caused the Debian Bug report #1109573,
regarding unblock: node-jsdom/20.0.3+~cs124.18.21-5
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1109573: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1109573
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message --- 
Package: release.debian.org
Severity: normal
X-Debbugs-Cc: node-jsdom@packages.debian.org, security@debian.org, carnil@debian.org
Control: affects -1 + src:node-jsdom
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package node-jsdom

[ Reason ]
Affected by a ReDoS (outside upstream security support) but this block
autopkgtest for angular.js affected by about 10 CVEs

[ Impact ]
Fix a ReDoS

[ Tests ]
testsuite

[ Risks ]
Low

[ Checklist ]
  [X] all changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in testing

[ Other info ]
Will like to have angular.js fixed in trixie.

unblock node-jsdom/20.0.3+~cs124.18.21-5

diff -Nru node-jsdom-20.0.3+~cs124.18.21/debian/changelog node-jsdom-20.0.3+~cs124.18.21/debian/changelog
--- node-jsdom-20.0.3+~cs124.18.21/debian/changelog	2023-11-25 04:15:10.000000000 +0100
+++ node-jsdom-20.0.3+~cs124.18.21/debian/changelog	2025-06-28 22:22:20.000000000 +0200
@@ -1,3 +1,10 @@
+node-jsdom (20.0.3+~cs124.18.21-5) unstable; urgency=medium
+
+  * Team upload
+  * Avoid a ReDos in string.js
+
+ -- Bastien Roucariès <rouca@debian.org>  Sat, 28 Jun 2025 22:22:20 +0200
+
 node-jsdom (20.0.3+~cs124.18.21-4) unstable; urgency=medium
 
   * Team upload
diff -Nru node-jsdom-20.0.3+~cs124.18.21/debian/patches/0005-Avoid-a-ReDos-in-string.js.patch node-jsdom-20.0.3+~cs124.18.21/debian/patches/0005-Avoid-a-ReDos-in-string.js.patch
--- node-jsdom-20.0.3+~cs124.18.21/debian/patches/0005-Avoid-a-ReDos-in-string.js.patch	1970-01-01 01:00:00.000000000 +0100
+++ node-jsdom-20.0.3+~cs124.18.21/debian/patches/0005-Avoid-a-ReDos-in-string.js.patch	2025-06-28 22:22:20.000000000 +0200
@@ -0,0 +1,61 @@
+From 0848d35195fada87b1fedab0f6a566308a892a6a Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Bastien=20Roucari=C3=A8s?= <rouca@debian.org>
+Date: Sat, 28 Jun 2025 22:21:06 +0200
+Subject: [PATCH] Avoid a ReDos in string.js
+
+[ ab]+$ is a ReDoS and crash a regression test on debian
+
+forwarded: https://github.com/jsdom/jsdom/pull/3896
+---
+ lib/jsdom/living/helpers/strings.js | 34 +++++++++++++++++++++++++++--
+ 1 file changed, 32 insertions(+), 2 deletions(-)
+
+Index: node-jsdom/lib/jsdom/living/helpers/strings.js
+===================================================================
+--- node-jsdom.orig/lib/jsdom/living/helpers/strings.js	2025-06-28 23:33:35.777608315 +0200
++++ node-jsdom/lib/jsdom/living/helpers/strings.js	2025-06-28 23:33:35.777608315 +0200
+@@ -21,12 +21,42 @@
+ 
+ // https://infra.spec.whatwg.org/#strip-leading-and-trailing-ascii-whitespace
+ exports.stripLeadingAndTrailingASCIIWhitespace = s => {
+-  return s.replace(/^[ \t\n\f\r]+/, "").replace(/[ \t\n\f\r]+$/, "");
++  const beg = s.replace(/^[ \t\n\f\r]+/, "");
++  // replace(/[ \t\n\f\r]+$/, "") without ReDoS
++  let i = beg.length - 1;
++  while (i >= 0) {
++    switch (beg[i]) {
++      case " ":
++      case "\t":
++      case "\n":
++      case "\f":
++      case "\r":
++        i--;
++        continue;
++    }
++    break;
++  }
++  return beg.slice(0, i + 1);
+ };
+ 
+ // https://infra.spec.whatwg.org/#strip-and-collapse-ascii-whitespace
+ exports.stripAndCollapseASCIIWhitespace = s => {
+-  return s.replace(/[ \t\n\f\r]+/g, " ").replace(/^[ \t\n\f\r]+/, "").replace(/[ \t\n\f\r]+$/, "");
++  const beg = s.replace(/[ \t\n\f\r]+/g, " ").replace(/^[ \t\n\f\r]+/, "");
++  // replace(/[ \t\n\f\r]+$/, "") without ReDoS
++  let i = beg.length - 1;
++  while (i >= 0) {
++    switch (beg[i]) {
++      case " ":
++      case "\t":
++      case "\n":
++      case "\f":
++      case "\r":
++        i--;
++        continue;
++    }
++    break;
++  }
++  return beg.slice(0, i + 1);
+ };
+ 
+ // https://html.spec.whatwg.org/multipage/infrastructure.html#valid-simple-colour
diff -Nru node-jsdom-20.0.3+~cs124.18.21/debian/patches/series node-jsdom-20.0.3+~cs124.18.21/debian/patches/series
--- node-jsdom-20.0.3+~cs124.18.21/debian/patches/series	2023-11-24 03:47:02.000000000 +0100
+++ node-jsdom-20.0.3+~cs124.18.21/debian/patches/series	2025-06-28 22:21:38.000000000 +0200
@@ -2,3 +2,4 @@
 fix-test.patch
 tsc-workaround.patch
 fix-for-https-proxy-agent-7.patch
+0005-Avoid-a-ReDos-in-string.js.patch

Attachment: signature.asc
Description: This is a digitally signed message part.


--- End Message ---
--- Begin Message --- 
Hi,

On 30-07-2025 12:25, Bastien Roucaries wrote:

They explictly said that redos are not a security problem


Upstream is willing to fix the problem but need a self contained test case
https://github.com/jsdom/jsdom/pull/3896

Can we proceed to unblock when we try to get a self contained test case.
I'm still wondering why there's disagreement with upstream whether this constitutes a security issue. 

I have unblocked the upload.

Paul

Attachment: OpenPGP_signature.asc
Description: OpenPGP digital signature


--- End Message ---
Reply to: