On 15/01/2022 12:52, Yadd wrote:
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian....@packages.debian.org
Usertags: pu

[ Reason ]
node-markdown-it is vulnerable to regex denial of service (CVE-2022-21670)

[ Impact ]
Little security issue

[ Tests ]
Test passed

[ Risks ]
Low risk, just a better check

[ Checklist ]
[X] *all* changes are documented in the d/changelog
[X] I reviewed all changes and I approve them
[X] attach debdiff against the package in (old)stable
[X] the issue is verified as fixed in unstable

[ Changes ]
Replace regex by substitute

Same patch applied to unstable.

Cheers,
Yadd
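The change summarised under [ Changes ] above, as an added JavaScript illustration that is neither markdown-it's code nor part of this report: the regex the newline rule used to strip a trailing space run, beside the linear backward scan that replaced it, with the rule's hard/soft break decision mirrored in a hypothetical handleNewline helper. The sample inputs are constructed.

```javascript
// Illustration of the CVE-2022-21670 fix in markdown-it's inline newline rule
// (added example, not the project's own code). When the rule reaches "\n" it
// checks whether the pending text ends in two or more spaces (hard break) or
// in exactly one (soft break) and trims the trailing spaces before emitting
// the break token.

const SPACE = 0x20;

// Old behaviour: strip the trailing space run with a regex. Because / +$/ is
// unanchored at the start, the engine tries every space position in pending;
// on a long run of spaces that is followed by text (and then the two trailing
// spaces that satisfy the hard-break test) each attempt matches the run and
// then backtracks, so the work can grow quadratically with the run length.
function trimTailRegex(pending) {
  return pending.replace(/ +$/, '');
}

// Patched behaviour: walk backwards over the trailing space run and slice it
// off. Each trailing space is visited once and earlier text is never scanned.
// Caller guarantees pending[pmax] and pending[pmax - 1] are spaces.
function trimTailLinear(pending) {
  const pmax = pending.length - 1;
  let ws = pmax - 1;
  while (ws >= 1 && pending.charCodeAt(ws - 1) === SPACE) ws--;
  return pending.slice(0, ws);
}

// Hypothetical mirror of the rule's decision logic for the text preceding a
// newline; `trim` is the trailing-run stripper to use (old or new).
function handleNewline(pending, trim) {
  const pmax = pending.length - 1;
  if (pmax >= 0 && pending.charCodeAt(pmax) === SPACE) {
    if (pmax >= 1 && pending.charCodeAt(pmax - 1) === SPACE) {
      return { token: 'hardbreak', pending: trim(pending) };
    }
    return { token: 'softbreak', pending: pending.slice(0, -1) };
  }
  return { token: 'softbreak', pending: pending };
}

// Constructed samples: the last one has a long space run inside the text,
// the shape on which the regex version did redundant work.
const samples = ['foo  ', 'foo ', 'foo', 'x' + ' '.repeat(1000) + 'y  '];
for (const s of samples) {
  const r = handleNewline(s, trimTailLinear);
  console.log(JSON.stringify(s.slice(-6)), r.token, JSON.stringify(r.pending.slice(-6)));
}
```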
With the debdiff, sorry
diff --git a/debian/changelog b/debian/changelog index 3f20b0f..1fa8e51 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +node-markdown-it (10.0.0+dfsg-2+deb11u1) bullseye; urgency=medium + + * Fix ReDoS (Closes: CVE-2022-21670) + + -- Yadd <y...@debian.org> Sat, 15 Jan 2022 12:48:26 +0100 + node-markdown-it (10.0.0+dfsg-2) unstable; urgency=medium * Team Upload diff --git a/debian/patches/CVE-2022-21670.patch b/debian/patches/CVE-2022-21670.patch new file mode 100644 index 0000000..e801f06 --- /dev/null +++ b/debian/patches/CVE-2022-21670.patch @@ -0,0 +1,32 @@ +Description: Fix possible ReDOS in newline rule +Author: Vitaly Puzrin <vit...@rcdesign.ru> +Origin: upstream, https://github.com/markdown-it/markdown-it/commit/ffc49ab4 +Bug: https://github.com/markdown-it/markdown-it/security/advisories/GHSA-6vfc-qv3f-vr6c +Forwarded: not-needed +Reviewed-By: Yadd <y...@debian.org> +Last-Update: 2022-01-15 + +--- a/lib/rules_inline/newline.js ++++ b/lib/rules_inline/newline.js +@@ -6,7 +6,7 @@ + + + module.exports = function newline(state, silent) { +- var pmax, max, pos = state.pos; ++ var pmax, max, ws, pos = state.pos; + + if (state.src.charCodeAt(pos) !== 0x0A/* \n */) { return false; } + +@@ -20,7 +20,11 @@ + if (!silent) { + if (pmax >= 0 && state.pending.charCodeAt(pmax) === 0x20) { + if (pmax >= 1 && state.pending.charCodeAt(pmax - 1) === 0x20) { +- state.pending = state.pending.replace(/ +$/, ''); ++ // Find whitespaces tail of pending chars. ++ ws = pmax - 1; ++ while (ws >= 1 && state.pending.charCodeAt(ws - 1) === 0x20) ws--; ++ ++ state.pending = state.pending.slice(0, ws); + state.push('hardbreak', 'br', 0); + } else { + state.pending = state.pending.slice(0, -1); diff --git a/debian/patches/series b/debian/patches/series index 8c5fbef..3d7d982 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -1,2 +1,3 @@ update_shebang disable_babelmark-responder_test +CVE-2022-21670.patch
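Review bot: in the debian/changelog hunk, `Closes:` is what dpkg parses for Debian bug numbers, so `* Fix ReDoS (Closes: CVE-2022-21670)` closes nothing; write the CVE id plainly, e.g. `* Fix ReDoS (CVE-2022-21670)`, and add `Closes: #NNNNNN` (placeholder, the BTS number) only if a bug was filed for it.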
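Review bot: the loop in the second lib/rules_inline/newline.js hunk is sound (`ws` starts at `pmax - 1`, which the enclosing `if` has already verified is a space, and `ws >= 1` keeps `ws - 1` in range, so `slice(0, ws)` drops exactly the trailing space run and nothing else), but the debdiff carries no test change, so the [ Tests ] entry only reflects the existing suite; consider adding a regression test that feeds the rule a pending string with a long space run and checks the output matches what `/ +$/` produced on ordinary input. Also the comment `// Find whitespaces tail of pending chars.` reads awkwardly; `// Find the start of the trailing whitespace run in pending.` says the same thing.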