Package: release.debian.org Severity: normal User: release.debian....@packages.debian.org Usertags: unblock X-Debbugs-Cc: pkg-javascript-de...@lists.alioth.debian.org
Please unblock package node-postcss [ Reason ] node-postcss is vulnerable to a Regex Denial of Service (ReDoS) [ Impact ] Medium vulnerability [ Tests ] I added tests for CVE-2021-23368 and CVE-2021-23382 inspired by the CVE proofs of concept [ Risks ] No risk, this is just a regex improvement. [ Checklist ] [X] all changes are documented in the d/changelog [X] I reviewed all changes and I approve them [X] attach debdiff against the package in testing Cheers, Yadd unblock node-postcss/8.2.1+~cs5.3.23-7
diff --git a/debian/changelog b/debian/changelog
index f7ffc04..a66396e 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+node-postcss (8.2.1+~cs5.3.23-7) unstable; urgency=medium
+
+ * Team upload
+ * Fix ReDoS (Closes: CVE-2021-23382)
+ * Add autopkgtest files for CVE-2021-23368 and CVE-2021-23382
+
+ -- Yadd <y...@debian.org> Thu, 29 Apr 2021 10:24:48 +0200
+
 node-postcss (8.2.1+~cs5.3.23-6) unstable; urgency=medium
 
 * Team upload
diff --git a/debian/patches/CVE-2021-23382.patch b/debian/patches/CVE-2021-23382.patch
new file mode 100644
index 0000000..a953851
--- /dev/null
+++ b/debian/patches/CVE-2021-23382.patch
@@ -0,0 +1,25 @@
+Description: Fix ReDoS in previous-map
+Author: Yeting Li <l...@ios.ac.cn>
+Origin: upstream, https://github.com/postcss/postcss/commit/2ad1ca9b
+Bug: https://snyk.io/vuln/SNYK-JS-POSTCSS-1255640
+Forwarded: not-needed
+Reviewed-By: Yadd <y...@debian.org>
+Last-Update: 2021-04-29
+
+--- a/lib/previous-map.js
++++ b/lib/previous-map.js
+@@ -49,12 +49,12 @@
+ 
+ getAnnotationURL (sourceMapString) {
+ return sourceMapString
+- .match(/\/\*\s*# sourceMappingURL=(.*)\*\//)[1]
++ .match(/\/\*\s*# sourceMappingURL=((?:(?!sourceMappingURL=).)*)\*\//)[1]
+ .trim()
+ }
+ 
+ loadAnnotation (css) {
+- let annotations = css.match(/\/\*\s*# sourceMappingURL=.*\*\//gm)
++ let annotations = css.match(/\/\*\s*# sourceMappingURL=(?:(?!sourceMappingURL=).)*\*\//gm)
+ 
+ if (annotations && annotations.length > 0) {
+ // Locate the last sourceMappingURL to avoid picking up
diff --git a/debian/patches/series b/debian/patches/series
index 1be7968..2e873a9 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1 +1,2 @@
 CVE-2021-23368.patch
+CVE-2021-23382.patch
diff --git a/debian/tests/CVE-2021-23368.js b/debian/tests/CVE-2021-23368.js
new file mode 100644
index 0000000..1a8b09c
--- /dev/null
+++ b/debian/tests/CVE-2021-23368.js
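Review bot: The DEP-3 header of the new quilt patch does not name the CVE it fixes, so a reader of debian/patches alone has to cross-reference the changelog; I would extend the first line to `Description: Fix ReDoS in previous-map (CVE-2021-23382)`. The tempered pattern `(?:(?!sourceMappingURL=).)*` that replaces `.*` in both getAnnotationURL and loadAnnotation also narrows what is accepted: an annotation whose URL itself contains the literal `sourceMappingURL=` no longer matches, which is worth one sentence in the header so the behaviour change is recorded alongside the fix. The inner hunk cuts loadAnnotation off after its first `if`, so the rest of that method is not visible here.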
@@ -0,0 +1,32 @@
+var postcss = require("postcss")
+
+const startTime = Date.now();
+
+function build_attack(n) {
+ var ret = "a{}/*# sourceMappingURL="
+ for (var i = 0; i < n; i++) {
+ ret += " "
+ }
+ return ret + "!";
+}
+
+// postcss.parse('a{}/*# sourceMappingURL=a.css.map */')
+for(var i = 1; i <= 500000; i++) {
+ if (i % 10000 == 0) {
+ var time = Date.now();
+ var attack_str = build_attack(i)
+ try{
+ postcss.parse(attack_str)
+ var time_cost = Date.now() - time;
+ console.log("attack_str.length: " + attack_str.length + ": " + time_cost+" ms");
+ }
+ catch(e){
+ var time_cost = Date.now() - time;
+ console.log("attack_str.length: " + attack_str.length + ": " + time_cost+" ms");
+ }
+ }
+ if(Date.now() - time > 10000) {
+ console.error('Vulnerable to CVE-2021-23368');
+ process.exit(1);
+ }
+}
diff --git a/debian/tests/CVE-2021-23382.js b/debian/tests/CVE-2021-23382.js
new file mode 100644
index 0000000..c891279
--- /dev/null
+++ b/debian/tests/CVE-2021-23382.js
@@ -0,0 +1,32 @@
+var postcss = require("postcss")
+
+const startTime = Date.now();
+
+function build_attack(n) {
+ var ret = "a{}"
+ for (var i = 0; i < n; i++) {
+ ret += "/*# sourceMappingURL="
+ }
+ return ret + "!";
+}
+
+// postcss.parse('a{}/*# sourceMappingURL=a.css.map */')
+for(var i = 1; i <= 500000; i++) {
+ if (i % 1000 == 0) {
+ var time = Date.now();
+ var attack_str = build_attack(i)
+ try{
+ postcss.parse(attack_str)
+ var time_cost = Date.now() - time;
+ console.log("attack_str.length: " + attack_str.length + ": " + time_cost+" ms");
+ }
+ catch(e){
+ var time_cost = Date.now() - time;
+ console.log("attack_str.length: " + attack_str.length + ": " + time_cost+" ms");
+ }
+ }
+ if(Date.now() - time > 10000) {
+ console.error('Vulnerable to CVE-2021-23368');
+ process.exit(1);
+ }
+}
diff --git a/debian/tests/control b/debian/tests/control
new file mode 100644
index 0000000..40ea2e2
--- /dev/null
+++ b/debian/tests/control
@@ -0,0 +1,2 @@
+Tests: security
+Depends: @
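Review bot: The timeout check `if(Date.now() - time > 10000)` sits after the `if (i % 10000 == 0)` block rather than inside it, so it runs on every iteration against the previous probe's start time and, before the first probe, compares against an undefined `time` (`NaN > 10000` is false); it only works because the non-probe iterations are cheap. Moving that block inside the probe, next to the `time_cost` computation, and testing `time_cost > 10000` in both the `try` and `catch` paths makes the intent explicit; `startTime` is assigned but never read and can be dropped. The suite only exercises attack inputs: nothing checks that the patched regex still resolves a well-formed annotation such as the commented-out `postcss.parse('a{}/*# sourceMappingURL=a.css.map */')`, so a regression in the tempered pattern would pass here, and a positive call with a check on the resulting map would close that gap. The same layout applies to the debian/tests/CVE-2021-23382.js hunk.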
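Review bot: The failure message in this file reports the wrong identifier: the script tests CVE-2021-23382 but prints `console.error('Vulnerable to CVE-2021-23368');`, so a failing autopkgtest log would point at the other CVE. Change it to `console.error('Vulnerable to CVE-2021-23382');`. The file is otherwise a copy of CVE-2021-23368.js with a different payload builder and probe interval, so a shared helper taking the payload and the CVE name would keep the two scripts from drifting further apart.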
diff --git a/debian/tests/security b/debian/tests/security
new file mode 100755
index 0000000..64e069a
--- /dev/null
+++ b/debian/tests/security
@@ -0,0 +1,4 @@
+#!/bin/bash
+
+node ./debian/tests/CVE-2021-23368.js
+node ./debian/tests/CVE-2021-23382.js
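Review bot: The runner has no `set -e`, so the script's exit status is that of the last `node` invocation only; if CVE-2021-23368.js exits 1 and CVE-2021-23382.js passes, the autopkgtest is reported as a success. Add `set -e` after the shebang (or chain the two calls with `&&`) so the first failing check fails the test. Each script already calls `process.exit(1)` on detection, so no other change is needed for the failure to propagate.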