Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian....@packages.debian.org
Usertags: pu
[ Reason ]
node-prismjs has 2 vulnerabilities:
 * Regex DoS (CVE-2021-40438)
 * cross-site scripting attack (CVE-2022-23647)

[ Impact ]
Medium vulnerabilities

[ Tests ]
No change in test, passed

[ Risks ]
Low risk, patch is trivial

[ Checklist ]
 [X] *all* changes are documented in the d/changelog
 [X] I reviewed all changes and I approve them
 [X] attach debdiff against the package in (old)stable
 [X] the issue is verified as fixed in unstable

[ Changes ]
 * Regexp change
 * Encode commandline arguments

[ Other info ]
I patched source files and regenerated minified files using uglifyjs

Cheers,
Yadd
diff --git a/debian/changelog b/debian/changelog index f70003b..956abf2 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,12 @@ +node-prismjs (1.23.0+dfsg-1+deb11u1) bullseye; urgency=medium + + * Team upload + * Fix ReDoS (Closes: CVE-2021-3801) + * Command Line: Escape markup in command line output + (Closes: CVE-2022-23647) + + -- Yadd <y...@debian.org> Mon, 21 Feb 2022 11:57:44 +0100 + node-prismjs (1.23.0+dfsg-1) unstable; urgency=medium * Team upload diff --git a/debian/control b/debian/control index 27bb7f6..7021e6c 100644 --- a/debian/control +++ b/debian/control @@ -8,6 +8,7 @@ Build-Depends: chai <!nocheck> , mocha <!nocheck> , node-yargs <!nocheck> , dh-sequence-nodejs + , uglifyjs Standards-Version: 4.5.1 Vcs-Browser: https://salsa.debian.org/js-team/node-prismjs Vcs-Git: https://salsa.debian.org/js-team/node-prismjs.git diff --git a/debian/patches/CVE-2021-40438.patch b/debian/patches/CVE-2021-40438.patch new file mode 100644 index 0000000..a0830ac --- /dev/null +++ b/debian/patches/CVE-2021-40438.patch @@ -0,0 +1,17 @@ +Description: Markup: fixed ReDoS +Author: ready-research +Origin: upstream, https://github.com/prismjs/prism/commit/0ff371bb +Bug: https://security-tracker.debian.org/tracker/CVE-2021-40438 +Forwarded: not-needed +Reviewed-By: Yadd <y...@debian.org> +Last-Update: 2021-09-21 + +--- a/components/prism-markup.js ++++ b/components/prism-markup.js +@@ -1,5 +1,5 @@ + Prism.languages.markup = { +- 'comment': /<!--[\s\S]*?-->/, ++ 'comment': /<!--(?:(?!<!--)[\s\S])*?-->/, + 'prolog': /<\?[\s\S]+?\?>/, + 'doctype': { + // https://www.w3.org/TR/xml/#NT-doctypedecl diff --git a/debian/patches/CVE-2022-23647.patch b/debian/patches/CVE-2022-23647.patch new file mode 100644 index 0000000..4008ab5 --- /dev/null +++ b/debian/patches/CVE-2022-23647.patch 
@@ -0,0 +1,19 @@ +Description: Escape markup in command line output +Author: at055612 <22818309+at055...@users.noreply.github.com> +Origin: upstream, https://github.com/PrismJS/prism/commit/e002e78c +Bug: https://github.com/PrismJS/prism/security/advisories/GHSA-3949-f494-cm99 +Forwarded: not-needed +Reviewed-By: Yadd <y...@debian.org> +Last-Update: 2022-02-21 + +--- a/plugins/command-line/prism-command-line.js ++++ b/plugins/command-line/prism-command-line.js +@@ -122,7 +122,7 @@ + var outputLines = commandLine.outputLines || []; + for (var i = 0, l = outputLines.length; i < l; i++) { + if (outputLines.hasOwnProperty(i)) { +- codeLines[i] = outputLines[i]; ++ codeLines[i] = Prism.util.encode(outputLines[i]); + } + } + env.highlightedCode = codeLines.join('\n'); diff --git a/debian/patches/series b/debian/patches/series new file mode 100644 index 0000000..88f88a9 --- /dev/null +++ b/debian/patches/series @@ -0,0 +1,2 @@ +CVE-2021-40438.patch +CVE-2022-23647.patch diff --git a/debian/rules b/debian/rules index 8240d18..411edb7 100755 --- a/debian/rules +++ b/debian/rules @@ -7,6 +7,13 @@ %: dh $@ +override_dh_auto_build: + dh_auto_build + uglifyjs -o components/prism-markup.min.js \ + components/prism-markup.js + uglifyjs -o plugins/command-line/prism-command-line.min.js \ + plugins/command-line/prism-command-line.js + override_dh_fixperms: dh_fixperms chmod -x debian/node-prismjs/usr/share/nodejs/prismjs/package.json diff --git a/debian/salsa-ci.yml b/debian/salsa-ci.yml index 33c3a64..6fd902a 100644 --- a/debian/salsa-ci.yml +++ b/debian/salsa-ci.yml @@ -1,4 +1,7 @@ --- +variables: + RELEASE: 'bullseye' + include: - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/salsa-ci.yml - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/pipeline-jobs.yml
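Review bot: the CVE identifier for the ReDoS fix is inconsistent across the debdiff and should be reconciled before upload. The debian/changelog entry says "Fix ReDoS (Closes: CVE-2021-3801)", while the patch file name, the debian/patches/series entry and the "Bug:" header of the patch all use CVE-2021-40438, and the report body above also lists CVE-2021-40438. Only one of these can be the identifier the security tracker assigns to this prism-markup comment regex issue; please check the tracker and use the same number in the changelog, the patch name, the series file and the Bug: URL.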
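Review bot: in the debian/changelog hunk, "(Closes: CVE-2021-3801)" and "(Closes: CVE-2022-23647)" use the "Closes:" keyword on CVE identifiers; the Debian BTS only acts on "Closes: #NNNNNN" bug numbers, so these entries will not close anything. The usual form is to name the CVE in parentheses without "Closes:", e.g. "* Fix ReDoS (CVE-2021-3801)", and to add "Closes: #NNNNNN" only if there is a corresponding Debian bug.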
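Review bot: the debian/rules override_dh_auto_build hunk regenerates only components/prism-markup.min.js and plugins/command-line/prism-command-line.min.js from the patched sources. If the binary package ships any other file that embeds a copy of the markup grammar or the command-line plugin (for example a pre-built bundle), that file would still carry the vulnerable regex and the unencoded output lines; please verify which shipped files contain the patched code and either regenerate or patch all of them. Adding a short comment above the override stating why these two files are rebuilt would also help future uploaders.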