Bug#1006215: bullseye-pu: package node-prismjs/1.23.0+dfsg-1+deb11u1
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian.org@packages.debian.org
Usertags: pu
[ Reason ]
node-prismjs has 2 vulnerabilities:
* Regex DoS (CVE-2021-40438)
* cross-site scripting attack (CVE-2022-23647)

[ Impact ]
Medium vulnerabilities

[ Tests ]
No change in test, passed

[ Risks ]
Low risk, patch is trivial

[ Checklist ]
[X] *all* changes are documented in the d/changelog
[X] I reviewed all changes and I approve them
[X] attach debdiff against the package in (old)stable
[X] the issue is verified as fixed in unstable

[ Changes ]
* Regexp change
* Encode commandline arguments

[ Other info ]
I patched source files and regenerated minified files using uglifyjs

Cheers,
Yadd
diff --git a/debian/changelog b/debian/changelog
index f70003b..956abf2 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,12 @@
+node-prismjs (1.23.0+dfsg-1+deb11u1) bullseye; urgency=medium
+
+ * Team upload
+ * Fix ReDoS (Closes: CVE-2021-3801)
+ * Command Line: Escape markup in command line output
+ (Closes: CVE-2022-23647)
+
+ -- Yadd <yadd@debian.org> Mon, 21 Feb 2022 11:57:44 +0100
+
node-prismjs (1.23.0+dfsg-1) unstable; urgency=medium
* Team upload
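Review bot: the ReDoS entry in this changelog stanza closes CVE-2021-3801, while the new patch added below is named CVE-2021-40438.patch, its Bug: field points at the security-tracker page for CVE-2021-40438, and the [ Reason ] section of the report also says CVE-2021-40438; the identifier should be the same in all three places before upload, because the changelog line is what the security tracker will be matched against. Pick the correct CVE and rename the patch file (and its Bug: URL) or fix the changelog accordingly.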
diff --git a/debian/control b/debian/control
index 27bb7f6..7021e6c 100644
--- a/debian/control
+++ b/debian/control
@@ -8,6 +8,7 @@ Build-Depends: chai <!nocheck>
, mocha <!nocheck>
, node-yargs <!nocheck>
, dh-sequence-nodejs
+ , uglifyjs
Standards-Version: 4.5.1
Vcs-Browser: https://salsa.debian.org/js-team/node-prismjs
Vcs-Git: https://salsa.debian.org/js-team/node-prismjs.git
diff --git a/debian/patches/CVE-2021-40438.patch b/debian/patches/CVE-2021-40438.patch
new file mode 100644
index 0000000..a0830ac
--- /dev/null
+++ b/debian/patches/CVE-2021-40438.patch
@@ -0,0 +1,17 @@
+Description: Markup: fixed ReDoS
+Author: ready-research
+Origin: upstream, https://github.com/prismjs/prism/commit/0ff371bb
+Bug: https://security-tracker.debian.org/tracker/CVE-2021-40438
+Forwarded: not-needed
+Reviewed-By: Yadd <yadd@debian.org>
+Last-Update: 2021-09-21
+
+--- a/components/prism-markup.js
++++ b/components/prism-markup.js
+@@ -1,5 +1,5 @@
+ Prism.languages.markup = {
+- 'comment': /<!--[\s\S]*?-->/,
++ 'comment': /<!--(?:(?!<!--)[\s\S])*?-->/,
+ 'prolog': /<\?[\s\S]+?\?>/,
+ 'doctype': {
+ // https://www.w3.org/TR/xml/#NT-doctypedecl
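Review bot: the replacement regex `/<!--(?:(?!<!--)[\s\S])*?-->/` stops a comment match from running across a later `<!--`, so on an unterminated comment the lazy `[\s\S]*?` no longer rescans to the end of the input from every `<!--` start position; the fix is correct, but the debdiff adds no regression test and [ Tests ] confirms none was added. Since mocha is already a build dependency, consider adding a test that highlights a long input made of repeated `<!--` with no closing `-->` and asserts that it completes and tokenizes without a `comment` token spanning the whole input.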
diff --git a/debian/patches/CVE-2022-23647.patch b/debian/patches/CVE-2022-23647.patch
new file mode 100644
index 0000000..4008ab5
--- /dev/null
+++ b/debian/patches/CVE-2022-23647.patch
@@ -0,0 +1,19 @@
+Description: Escape markup in command line output
+Author: at055612 <22818309+at055612@users.noreply.github.com>
+Origin: upstream, https://github.com/PrismJS/prism/commit/e002e78c
+Bug: https://github.com/PrismJS/prism/security/advisories/GHSA-3949-f494-cm99
+Forwarded: not-needed
+Reviewed-By: Yadd <yadd@debian.org>
+Last-Update: 2022-02-21
+
+--- a/plugins/command-line/prism-command-line.js
++++ b/plugins/command-line/prism-command-line.js
+@@ -122,7 +122,7 @@
+ var outputLines = commandLine.outputLines || [];
+ for (var i = 0, l = outputLines.length; i < l; i++) {
+ if (outputLines.hasOwnProperty(i)) {
+- codeLines[i] = outputLines[i];
++ codeLines[i] = Prism.util.encode(outputLines[i]);
+ }
+ }
+ env.highlightedCode = codeLines.join('\n');
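Review bot: `Prism.util.encode` on a string only rewrites `&`, `<` and non-breaking spaces, which is sufficient for this hunk because `codeLines` is joined into `env.highlightedCode` as element content rather than an attribute value, and the other entries of `codeLines` are already highlighter output containing intentional markup, so encoding only the raw `outputLines` is the right scope. Consider a test that passes an output line containing `<script>` through the plugin and asserts that the result contains `&lt;script` and no literal `<script`, so the escape cannot regress silently when the minified file is next regenerated.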
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 0000000..88f88a9
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1,2 @@
+CVE-2021-40438.patch
+CVE-2022-23647.patch
diff --git a/debian/rules b/debian/rules
index 8240d18..411edb7 100755
--- a/debian/rules
+++ b/debian/rules
@@ -7,6 +7,13 @@
%:
dh $@
+override_dh_auto_build:
+ dh_auto_build
+ uglifyjs -o components/prism-markup.min.js \
+ components/prism-markup.js
+ uglifyjs -o plugins/command-line/prism-command-line.min.js \
+ plugins/command-line/prism-command-line.js
+
override_dh_fixperms:
dh_fixperms
chmod -x debian/node-prismjs/usr/share/nodejs/prismjs/package.json
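Review bot: `override_dh_auto_build` overwrites `components/prism-markup.min.js` and `plugins/command-line/prism-command-line.min.js` in the upstream source tree, but nothing in the debdiff restores them during clean, so a second `dpkg-buildpackage` run in the same tree will fail at `dpkg-source -b` with local changes to those two files; either restore them in an `override_dh_auto_clean` target or list them under `extend-diff-ignore` in `debian/source/options`. Also note that `uglifyjs -o` without `-c`/`-m` only strips whitespace, so the regenerated files will not be byte-identical to upstream's minified builds; that is acceptable for a stable update but worth stating in the changelog since the shipped `.min.js` content changes beyond the two security fixes.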
diff --git a/debian/salsa-ci.yml b/debian/salsa-ci.yml
index 33c3a64..6fd902a 100644
--- a/debian/salsa-ci.yml
+++ b/debian/salsa-ci.yml
@@ -1,4 +1,7 @@
---
+variables:
+ RELEASE: 'bullseye'
+
include:
- https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/salsa-ci.yml
- https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/pipeline-jobs.yml