
Bug#1006215: bullseye-pu: package node-prismjs/1.23.0+dfsg-1+deb11u1



Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian.org@packages.debian.org
Usertags: pu

[ Reason ]
node-prismjs has 2 vulnerabilities:
 * Regex DoS (CVE-2021-40438)
 * cross-site scripting attack (CVE-2022-23647)

[ Impact ]
Medium vulnerabilities

[ Tests ]
No test changes; the existing test suite still passes with the patches applied.

[ Risks ]
Low risk, patch is trivial

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

[ Changes ]
 * Regexp change
 * Encode commandline arguments

[ Other info ]
I patched source files and regenerated minified files using uglifyjs

Cheers,
Yadd
diff --git a/debian/changelog b/debian/changelog
index f70003b..956abf2 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,12 @@
+node-prismjs (1.23.0+dfsg-1+deb11u1) bullseye; urgency=medium
+
+  * Team upload
+  * Fix ReDoS (Closes: CVE-2021-3801)
+  * Command Line: Escape markup in command line output
+    (Closes: CVE-2022-23647)
+
+ -- Yadd <yadd@debian.org>  Mon, 21 Feb 2022 11:57:44 +0100
+
 node-prismjs (1.23.0+dfsg-1) unstable; urgency=medium
 
   * Team upload
diff --git a/debian/control b/debian/control
index 27bb7f6..7021e6c 100644
--- a/debian/control
+++ b/debian/control
@@ -8,6 +8,7 @@ Build-Depends: chai <!nocheck>
  , mocha <!nocheck>
  , node-yargs <!nocheck>
  , dh-sequence-nodejs
+ , uglifyjs
 Standards-Version: 4.5.1
 Vcs-Browser: https://salsa.debian.org/js-team/node-prismjs
 Vcs-Git: https://salsa.debian.org/js-team/node-prismjs.git
diff --git a/debian/patches/CVE-2021-40438.patch b/debian/patches/CVE-2021-40438.patch
new file mode 100644
index 0000000..a0830ac
--- /dev/null
+++ b/debian/patches/CVE-2021-40438.patch
@@ -0,0 +1,17 @@
+Description: Markup: fixed ReDoS
+Author: ready-research
+Origin: upstream, https://github.com/prismjs/prism/commit/0ff371bb
+Bug: https://security-tracker.debian.org/tracker/CVE-2021-40438
+Forwarded: not-needed
+Reviewed-By: Yadd <yadd@debian.org>
+Last-Update: 2021-09-21
+
+--- a/components/prism-markup.js
++++ b/components/prism-markup.js
+@@ -1,5 +1,5 @@
+ Prism.languages.markup = {
+-	'comment': /<!--[\s\S]*?-->/,
++	'comment': /<!--(?:(?!<!--)[\s\S])*?-->/,
+ 	'prolog': /<\?[\s\S]+?\?>/,
+ 	'doctype': {
+ 		// https://www.w3.org/TR/xml/#NT-doctypedecl
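Review bot: The CVE identifier this patch is filed under (the file name and the `Bug:` security-tracker URL) does not match the changelog entry in the same upload, which closes CVE-2021-3801 for this very ReDoS fix; to my knowledge CVE-2021-40438 is assigned to an unrelated Apache httpd mod_proxy issue, so the header should read `Bug: https://security-tracker.debian.org/tracker/CVE-2021-3801` and the file should be renamed to match in `series` before the security tracker picks up the wrong entry. The regex change itself agrees with the referenced upstream commit: the negative lookahead stops the lazy scan at the next `<!--`, so the work per start position no longer grows with the length of an unterminated comment. One thing to confirm outside this hunk: upstream also embeds the markup grammar in the bundled `prism.js`; if this package installs that file, it still carries the old `/<!--[\s\S]*?-->/` and needs the same hunk.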
diff --git a/debian/patches/CVE-2022-23647.patch b/debian/patches/CVE-2022-23647.patch
new file mode 100644
index 0000000..4008ab5
--- /dev/null
+++ b/debian/patches/CVE-2022-23647.patch
@@ -0,0 +1,19 @@
+Description: Escape markup in command line output
+Author: at055612 <22818309+at055612@users.noreply.github.com>
+Origin: upstream, https://github.com/PrismJS/prism/commit/e002e78c
+Bug: https://github.com/PrismJS/prism/security/advisories/GHSA-3949-f494-cm99
+Forwarded: not-needed
+Reviewed-By: Yadd <yadd@debian.org>
+Last-Update: 2022-02-21
+
+--- a/plugins/command-line/prism-command-line.js
++++ b/plugins/command-line/prism-command-line.js
+@@ -122,7 +122,7 @@
+ 		var outputLines = commandLine.outputLines || [];
+ 		for (var i = 0, l = outputLines.length; i < l; i++) {
+ 			if (outputLines.hasOwnProperty(i)) {
+-				codeLines[i] = outputLines[i];
++				codeLines[i] = Prism.util.encode(outputLines[i]);
+ 			}
+ 		}
+ 		env.highlightedCode = codeLines.join('\n');
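Review bot: `Prism.util.encode` on the new line also rewrites `&` to `&amp;`, so an output line a page author had deliberately pre-encoded (for example `&lt;` to display a literal `<`) now renders as the entity text instead of the character; that is the upstream behaviour and the right call for untrusted `data-output`, but it is a visible change for existing users and deserves a sentence in the changelog entry, e.g. `Output lines from data-output are now HTML-escaped; pre-encoded entities are shown literally.` The enclosing function starts and ends outside the hunk, so I cannot see where `outputLines` is filled or whether it is consumed on any other path that would still inject it unescaped; a quick grep of the plugin for `outputLines` would settle that. For consistency with the sibling patch, the `Bug:` header could carry the Debian security-tracker URL for CVE-2022-23647 alongside the GHSA link.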
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 0000000..88f88a9
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1,2 @@
+CVE-2021-40438.patch
+CVE-2022-23647.patch
diff --git a/debian/rules b/debian/rules
index 8240d18..411edb7 100755
--- a/debian/rules
+++ b/debian/rules
@@ -7,6 +7,13 @@
 %:
 	dh $@
 
+override_dh_auto_build:
+	dh_auto_build
+	uglifyjs -o components/prism-markup.min.js \
+		components/prism-markup.js
+	uglifyjs -o plugins/command-line/prism-command-line.min.js \
+		plugins/command-line/prism-command-line.js
+
 override_dh_fixperms:
 	dh_fixperms
 	chmod -x debian/node-prismjs/usr/share/nodejs/prismjs/package.json
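Review bot: The two `uglifyjs` calls overwrite upstream files in the source tree and nothing restores them in a clean step, so after one build the tree no longer matches the orig tarball and the next `dpkg-source` run will either fail on the modified `*.min.js` or fold them into the Debian diff. Listing `components/prism-markup.min.js` and `plugins/command-line/prism-command-line.min.js` in `debian/clean` (the rebuild is cheap and runs on every build anyway) or restoring them in an `override_dh_auto_clean` avoids that. Note also that uglifyjs is invoked without `-c -m`, so the regenerated files are whitespace-stripped rather than minified like upstream's; harmless functionally, but worth a line in `[ Other info ]`. Finally, this override only rebuilds the two component files, so any other installed copy of the markup grammar (upstream's bundled `prism.js`, if shipped) would stay unpatched.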
diff --git a/debian/salsa-ci.yml b/debian/salsa-ci.yml
index 33c3a64..6fd902a 100644
--- a/debian/salsa-ci.yml
+++ b/debian/salsa-ci.yml
@@ -1,4 +1,7 @@
 ---
+variables:
+  RELEASE: 'bullseye'
+
 include:
   - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/salsa-ci.yml
   - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/pipeline-jobs.yml
