Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock
Please unblock package node-color-string

[ Reason ]
node-color-string is vulnerable to a Regex Denial of Service (ReDoS)
reported in CVE-2021-29060

[ Impact ]
Little vulnerability

[ Tests ]
No change in tests, passed

[ Risks ]
Patch is trivial, no risk IMO

[ Checklist ]
  [X] all changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in testing

Cheers,
Yadd

unblock node-color-string/1.5.4-2
diff --git a/debian/changelog b/debian/changelog index 299dfc1..d80a103 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,11 @@ +node-color-string (1.5.4-2) unstable; urgency=medium + + * Team upload + * Fix GitHub tags regex + * Fix Regex Denial of Service (Closes: CVE-2021-29060) + + -- Yadd <y...@debian.org> Sun, 27 Jun 2021 18:12:06 +0200 + node-color-string (1.5.4-1) unstable; urgency=medium * Team upload diff --git a/debian/patches/CVE-2021-29060.patch b/debian/patches/CVE-2021-29060.patch new file mode 100644 index 0000000..69bf300 --- /dev/null +++ b/debian/patches/CVE-2021-29060.patch 
@@ -0,0 +1,48 @@ +Description: fix ReDos in hwb() parser (low-severity) + . + Discovered by Yeting Li, c/o Colin Ife via Snyk.io. + . + A ReDos (Regular Expression Denial of Service) vulnerability + was responsibly disclosed to me via email by Colin on + Mar 5 2021 regarding an exponential time complexity for + linearly increasing input lengths for `hwb()` color strings. + . + Strings reaching more than 5000 characters would see several + milliseconds of processing time; strings reaching more than + 50,000 characters began seeing 1500ms (1.5s) of processing time. + . + The cause was due to a the regular expression that parses + hwb() strings - specifically, the hue value - where + the integer portion of the hue value used a 0-or-more quantifier + shortly thereafter followed by a 1-or-more quantifier. + . + This caused excessive backtracking and a cartesian scan, + resulting in exponential time complexity given a linear + increase in input length. +Author: Josh Junon <ju...@wavetilt.com> +Origin: upstream, https://github.com/Qix-/color-string/commit/0789e212 +Bug: https://github.com/yetingli/PoCs/blob/main/CVE-2021-29060/Color-String.md +Forwarded: not-needed +Reviewed-By: Yadd <y...@debian.org> +Last-Update: 2021-06-27 + +--- a/index.js ++++ b/index.js +@@ -129,7 +129,7 @@ + return null; + } + +- var hsl = /^hsla?\(\s*([+-]?(?:\d*\.)?\d+)(?:deg)?\s*,\s*([+-]?[\d\.]+)%\s*,\s*([+-]?[\d\.]+)%\s*(?:,\s*([+-]?[\d\.]+)\s*)?\)$/; ++ var hsl = /^hsla?\(\s*([+-]?(?:\d{0,3}\.)?\d+)(?:deg)?\s*,\s*([+-]?[\d\.]+)%\s*,\s*([+-]?[\d\.]+)%\s*(?:,\s*([+-]?[\d\.]+)\s*)?\)$/; + var match = string.match(hsl); + + if (match) { +@@ -150,7 +150,7 @@ + return null; + } + +- var hwb = /^hwb\(\s*([+-]?\d*[\.]?\d+)(?:deg)?\s*,\s*([+-]?[\d\.]+)%\s*,\s*([+-]?[\d\.]+)%\s*(?:,\s*([+-]?[\d\.]+)\s*)?\)$/; ++ var hwb = /^hwb\(\s*([+-]?\d{0,3}(?:\.\d+)?)(?:deg)?\s*,\s*([+-]?[\d\.]+)%\s*,\s*([+-]?[\d\.]+)%\s*(?:,\s*([+-]?[\d\.]+)\s*)?\)$/; + var match = string.match(hwb); + + if (match) { 
diff --git a/debian/patches/series b/debian/patches/series new file mode 100644 index 0000000..543b76a --- /dev/null +++ b/debian/patches/series @@ -0,0 +1 @@ +CVE-2021-29060.patch diff --git a/debian/watch b/debian/watch index dc974c3..ad5d207 100644 --- a/debian/watch +++ b/debian/watch @@ -2,7 +2,7 @@ version=4 opts=\ dversionmangle=auto,\ filenamemangle=s/.*\/v?([\d\.-]+)\.tar\.gz/node-color-string-$1.tar.gz/ \ - https://github.com/qix-/color-string/tags .*/archive/v?([\d\.]+).tar.gz + https://github.com/qix-/color-string/tags .*/archive/.*/v?([\d\.]+).tar.gz # It is not recommended use npmregistry. Please investigate more. # Take a look at https://wiki.debian.org/debian/watch/
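Review bot: in the debian/changelog hunk, `Closes: CVE-2021-29060` carries no Debian bug number, so the `Closes:` keyword will not close anything in the BTS; if a bug was filed for this CVE, cite it as `Closes: #NNNNNN` (placeholder) next to the CVE id, otherwise write the entry as `Fix Regex Denial of Service (CVE-2021-29060)`.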
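Review bot: in the CVE-2021-29060.patch hunk for the hwb regex, the new hue group `([+-]?\d{0,3}(?:\.\d+)?)` can match the empty string (zero digits and no fractional part), so input such as `hwb(, 10%, 10%)` or `hwb(deg, 10%, 10%)` now matches with an empty hue capture, whereas the old `\d*[\.]?\d+` required at least one digit; it also stops accepting integer hues of four or more digits (e.g. `hwb(1000, 10%, 10%)`), which the hsl change in the hunk above still accepts. Consider the same shape used for hsl, `(?:\d{0,3}\.)?\d+`, which bounds the integer part before a decimal point but still requires a digit. Separately, the patch Description only mentions the hwb() parser while the hunk also tightens the hsl() regex; a sentence saying so would make the change easier to audit.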
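Review bot: in the debian/watch hunk, both the removed and the added pattern write the suffix as `v?([\d\.]+).tar.gz` with unescaped dots, while the filenamemangle line just above escapes them (`\.tar\.gz`); since this line is being changed anyway, escaping them (`v?([\d\.]+)\.tar\.gz`) stops the pattern from matching an arbitrary character in those positions.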