Bug#990688: marked as done (unblock: node-mermaid/8.7.0+ds+~cs27.17.17-3)

Debian Bug Tracking System Sun, 04 Jul 2021 13:27:38 -0700

Your message dated Sun, 4 Jul 2021 22:23:37 +0200
with message-id <yoiyyrrea92qj...@ramacher.at>
and subject line Re: Bug#990688: unblock: node-mermaid/8.7.0+ds+~cs27.17.17-3
has caused the Debian Bug report #990688,
regarding unblock: node-mermaid/8.7.0+ds+~cs27.17.17-3
to be marked as done.


This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
990688: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=990688
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---

Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: car...@debian.org,y...@debian.org

Hi Release team,

Please unblock package node-mermaid

Yadd fixed CVE-2021-35513 affecting node-mermaid in unstable with a
targetted fix from upstream. Can you please unlbock the package and
make sure it lands in testing and so bullseye in time before the
release?

I'm attaching the debdiff as generated by the upload from Yadd.

Regards,
Salvatore

diff -Nru node-mermaid-8.7.0+ds+~cs27.17.17/debian/changelog 
node-mermaid-8.7.0+ds+~cs27.17.17/debian/changelog
--- node-mermaid-8.7.0+ds+~cs27.17.17/debian/changelog  2020-10-19 
14:00:00.000000000 +0200
+++ node-mermaid-8.7.0+ds+~cs27.17.17/debian/changelog  2021-06-29 
14:46:20.000000000 +0200
@@ -1,3 +1,10 @@
+node-mermaid (8.7.0+ds+~cs27.17.17-3) unstable; urgency=medium
+
+  * Team upload
+  * Fix XSS vulnerability when antiscript is used (Closes: CVE-2021-35513)
+
+ -- Yadd <y...@debian.org>  Tue, 29 Jun 2021 14:46:20 +0200
+
 node-mermaid (8.7.0+ds+~cs27.17.17-2) unstable; urgency=medium
 
   * Source-only-upload 
diff -Nru node-mermaid-8.7.0+ds+~cs27.17.17/debian/patches/CVE-2021-35513.patch 
node-mermaid-8.7.0+ds+~cs27.17.17/debian/patches/CVE-2021-35513.patch
--- node-mermaid-8.7.0+ds+~cs27.17.17/debian/patches/CVE-2021-35513.patch       
1970-01-01 01:00:00.000000000 +0100
+++ node-mermaid-8.7.0+ds+~cs27.17.17/debian/patches/CVE-2021-35513.patch       
2021-06-29 14:44:46.000000000 +0200
@@ -0,0 +1,33 @@
+Description: Small positoining fix for parallell processes and nested
+Author: Knut Sveidqvist <knut.sveidqv...@ipiccolo.com>
+Origin: upstream, https://github.com/mermaid-js/mermaid/pull/2123/files
+Bug: https://github.com/mermaid-js/mermaid/issues/2122
+Bug-Debian: https://bugs.debian.org/990449
+Forwarded: not-needed
+Reviewed-By: Yadd <y...@debian.org>
+Last-Update: 2021-06-29
+
+--- a/src/dagre-wrapper/clusters.js
++++ b/src/dagre-wrapper/clusters.js
+@@ -194,7 +194,7 @@
+   const rectBox = rect.node().getBBox();
+   node.width = rectBox.width;
+   node.height = rectBox.height;
+-
++  node.diff = -node.padding / 2;
+   node.intersect = function(point) {
+     return intersectRect(node, point);
+   };
+--- a/src/diagrams/common/common.js
++++ b/src/diagrams/common/common.js
+@@ -26,6 +26,10 @@
+       break;
+     }
+   }
++
++  rs = rs.replace('javascript:', '#');
++  rs = rs.replace('<iframe', '');
++
+   return rs;
+ };
+ 
diff -Nru node-mermaid-8.7.0+ds+~cs27.17.17/debian/patches/series 
node-mermaid-8.7.0+ds+~cs27.17.17/debian/patches/series
--- node-mermaid-8.7.0+ds+~cs27.17.17/debian/patches/series     2020-10-19 
14:00:00.000000000 +0200
+++ node-mermaid-8.7.0+ds+~cs27.17.17/debian/patches/series     2021-06-29 
14:41:58.000000000 +0200
@@ -1,2 +1,3 @@
 0002-Fix-unsupported-syntax.patch
 0003-Replace-moment-mini-with-moment.patch
+CVE-2021-35513.patch

--- End Message ---

--- Begin Message ---

On 2021-07-04 22:14:49 +0200, Salvatore Bonaccorso wrote:
> Package: release.debian.org
> Severity: normal
> User: release.debian....@packages.debian.org
> Usertags: unblock
> X-Debbugs-Cc: car...@debian.org,y...@debian.org
> 
> Hi Release team,
> 
> Please unblock package node-mermaid
> 
> Yadd fixed CVE-2021-35513 affecting node-mermaid in unstable with a
> targetted fix from upstream. Can you please unlbock the package and
> make sure it lands in testing and so bullseye in time before the
> release?
> 
> I'm attaching the debdiff as generated by the upload from Yadd.

Aged to 5 days.

Cheers

> 
> Regards,
> Salvatore

> diff -Nru node-mermaid-8.7.0+ds+~cs27.17.17/debian/changelog 
> node-mermaid-8.7.0+ds+~cs27.17.17/debian/changelog
> --- node-mermaid-8.7.0+ds+~cs27.17.17/debian/changelog        2020-10-19 
> 14:00:00.000000000 +0200
> +++ node-mermaid-8.7.0+ds+~cs27.17.17/debian/changelog        2021-06-29 
> 14:46:20.000000000 +0200
> @@ -1,3 +1,10 @@
> +node-mermaid (8.7.0+ds+~cs27.17.17-3) unstable; urgency=medium
> +
> +  * Team upload
> +  * Fix XSS vulnerability when antiscript is used (Closes: CVE-2021-35513)
> +
> + -- Yadd <y...@debian.org>  Tue, 29 Jun 2021 14:46:20 +0200
> +
>  node-mermaid (8.7.0+ds+~cs27.17.17-2) unstable; urgency=medium
>  
>    * Source-only-upload 
> diff -Nru 
> node-mermaid-8.7.0+ds+~cs27.17.17/debian/patches/CVE-2021-35513.patch 
> node-mermaid-8.7.0+ds+~cs27.17.17/debian/patches/CVE-2021-35513.patch
> --- node-mermaid-8.7.0+ds+~cs27.17.17/debian/patches/CVE-2021-35513.patch     
> 1970-01-01 01:00:00.000000000 +0100
> +++ node-mermaid-8.7.0+ds+~cs27.17.17/debian/patches/CVE-2021-35513.patch     
> 2021-06-29 14:44:46.000000000 +0200
> @@ -0,0 +1,33 @@
> +Description: Small positoining fix for parallell processes and nested
> +Author: Knut Sveidqvist <knut.sveidqv...@ipiccolo.com>
> +Origin: upstream, https://github.com/mermaid-js/mermaid/pull/2123/files
> +Bug: https://github.com/mermaid-js/mermaid/issues/2122
> +Bug-Debian: https://bugs.debian.org/990449
> +Forwarded: not-needed
> +Reviewed-By: Yadd <y...@debian.org>
> +Last-Update: 2021-06-29
> +
> +--- a/src/dagre-wrapper/clusters.js
> ++++ b/src/dagre-wrapper/clusters.js
> +@@ -194,7 +194,7 @@
> +   const rectBox = rect.node().getBBox();
> +   node.width = rectBox.width;
> +   node.height = rectBox.height;
> +-
> ++  node.diff = -node.padding / 2;
> +   node.intersect = function(point) {
> +     return intersectRect(node, point);
> +   };
> +--- a/src/diagrams/common/common.js
> ++++ b/src/diagrams/common/common.js
> +@@ -26,6 +26,10 @@
> +       break;
> +     }
> +   }
> ++
> ++  rs = rs.replace('javascript:', '#');
> ++  rs = rs.replace('<iframe', '');
> ++
> +   return rs;
> + };
> + 
> diff -Nru node-mermaid-8.7.0+ds+~cs27.17.17/debian/patches/series 
> node-mermaid-8.7.0+ds+~cs27.17.17/debian/patches/series
> --- node-mermaid-8.7.0+ds+~cs27.17.17/debian/patches/series   2020-10-19 
> 14:00:00.000000000 +0200
> +++ node-mermaid-8.7.0+ds+~cs27.17.17/debian/patches/series   2021-06-29 
> 14:41:58.000000000 +0200
> @@ -1,2 +1,3 @@
>  0002-Fix-unsupported-syntax.patch
>  0003-Replace-moment-mini-with-moment.patch
> +CVE-2021-35513.patch


-- 
Sebastian Ramacher

signature.asc
Description: PGP signature

--- End Message ---

Bug#990688: marked as done (unblock: node-mermaid/8.7.0+ds+~cs27.17.17-3)

Reply via email to