Bug#1006215: bullseye-pu: package node-prismjs/1.23.0+dfsg-1+deb11u1
On 23/02/2022 22:44, Salvatore Bonaccorso wrote:
hi,
On Wed, Feb 23, 2022 at 10:27:33PM +0100, Moritz Mühlenhoff wrote:
Am Mon, Feb 21, 2022 at 01:57:54PM +0100 schrieb Yadd:
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian.org@packages.debian.org
Usertags: pu
[ Reason ]
node-prismjs has 2 vulnerabilities:
* Regex DoS (CVE-2021-40438)
Where did you get that CVE reference from? CVE-2021-40438 is for a
mod_proxy vulnerability in Apache httpd?
The used changelog entry actually has:
+node-prismjs (1.23.0+dfsg-1+deb11u1) bullseye; urgency=medium
+
+ * Team upload
+ * Fix ReDoS (Closes: CVE-2021-3801)
+ * Command Line: Escape markup in command line output
+ (Closes: CVE-2022-23647)
+
+ -- Yadd <yadd@debian.org> Mon, 21 Feb 2022 11:57:44 +0100
But this seems odd: CVE-2021-3801 was already fixed in the last
bullseye point release with 1.23.0+dfsg-1+deb11u1. So should this
update be only for CVE-2022-23647 and the version be
1.23.0+dfsg-1+deb11u2?
Regards,
Salvatore
Sorry, here is a new debdiff
diff --git a/debian/changelog b/debian/changelog
index 4e83591..299ef36 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+node-prismjs (1.23.0+dfsg-1+deb11u2) bullseye; urgency=medium
+
+ * Command Line: Escape markup in command line output
+ (Closes: CVE-2022-23647)
+ * Fix also minified files (Really closes: CVE-2021-3801)
+
+ -- Yadd <yadd@debian.org> Thu, 24 Feb 2022 06:38:27 +0100
+
node-prismjs (1.23.0+dfsg-1+deb11u1) bullseye; urgency=medium
* Team upload
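Review bot: the "Fix also minified files" entry does not say what was wrong or what this upload changes; from the rest of the debdiff the earlier deb11u1 fix evidently landed in the unminified sources while the shipped .min.js copies still carried the unpatched code, and this upload regenerates them at build time. Spell that out so the release team can see why a CVE already marked fixed reappears, e.g. "* Regenerate shipped .min.js files from the patched sources so the ReDoS fix also reaches the minified copies (CVE-2021-3801)". The "Closes: CVE-..." form is also not the Debian convention: "Closes:" is parsed for bug numbers, so list the CVE identifier on its own.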
diff --git a/debian/control b/debian/control
index 27bb7f6..7021e6c 100644
--- a/debian/control
+++ b/debian/control
@@ -8,6 +8,7 @@ Build-Depends: chai <!nocheck>
, mocha <!nocheck>
, node-yargs <!nocheck>
, dh-sequence-nodejs
+ , uglifyjs
Standards-Version: 4.5.1
Vcs-Browser: https://salsa.debian.org/js-team/node-prismjs
Vcs-Git: https://salsa.debian.org/js-team/node-prismjs.git
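Review bot: uglifyjs is added without a build profile restriction, which is correct since it is needed for the package content and not only for tests; for a stable update, confirm the build-dependency is satisfiable in bullseye itself, and confirm that output from this minifier is acceptable as a replacement for upstream's minified files, since the regenerated files will not be byte-identical to the originals. The changelog should mention that the .min.js files are now rebuilt with uglifyjs at build time.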
diff --git a/debian/patches/CVE-2022-23647.patch b/debian/patches/CVE-2022-23647.patch
new file mode 100644
index 0000000..4008ab5
--- /dev/null
+++ b/debian/patches/CVE-2022-23647.patch
@@ -0,0 +1,19 @@
+Description: Escape markup in command line output
+Author: at055612 <22818309+at055612@users.noreply.github.com>
+Origin: upstream, https://github.com/PrismJS/prism/commit/e002e78c
+Bug: https://github.com/PrismJS/prism/security/advisories/GHSA-3949-f494-cm99
+Forwarded: not-needed
+Reviewed-By: Yadd <yadd@debian.org>
+Last-Update: 2022-02-21
+
+--- a/plugins/command-line/prism-command-line.js
++++ b/plugins/command-line/prism-command-line.js
+@@ -122,7 +122,7 @@
+ var outputLines = commandLine.outputLines || [];
+ for (var i = 0, l = outputLines.length; i < l; i++) {
+ if (outputLines.hasOwnProperty(i)) {
+- codeLines[i] = outputLines[i];
++ codeLines[i] = Prism.util.encode(outputLines[i]);
+ }
+ }
+ env.highlightedCode = codeLines.join('\n');
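Review bot: encoding is applied at the one assignment visible here, but the hunk carries no function context, so check that no other path in prism-command-line.js copies outputLines (or prompt text) into highlightedCode unencoded; the upstream commit named in Origin is the reference to compare against. The DEP-3 headers are consistent (Origin upstream, Forwarded not-needed), but the commit hash in Origin is abbreviated; prefer the full hash so the reference stays unambiguous. Since the patch touches only the unminified source, the shipped prism-command-line.min.js must be regenerated from it or the fix never reaches users of the minified plugin, which the debian/rules override in this debdiff does.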
diff --git a/debian/patches/series b/debian/patches/series
index 7c70d57..88f88a9 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1 +1,2 @@
CVE-2021-40438.patch
+CVE-2022-23647.patch
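Review bot: the existing entry CVE-2021-40438.patch carries the wrong identifier; as noted earlier in the thread, CVE-2021-40438 is an Apache httpd mod_proxy issue and the Prism ReDoS is CVE-2021-3801. Since this upload already touches the series file, rename the patch to CVE-2021-3801.patch (and fix its DEP-3 headers to match) so the wrong CVE does not persist in the packaging.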
diff --git a/debian/rules b/debian/rules
index 8240d18..411edb7 100755
--- a/debian/rules
+++ b/debian/rules
@@ -7,6 +7,13 @@
%:
dh $@
+override_dh_auto_build:
+ dh_auto_build
+ uglifyjs -o components/prism-markup.min.js \
+ components/prism-markup.js
+ uglifyjs -o plugins/command-line/prism-command-line.min.js \
+ plugins/command-line/prism-command-line.js
+
override_dh_fixperms:
dh_fixperms
chmod -x debian/node-prismjs/usr/share/nodejs/prismjs/package.json
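Review bot: regenerating the two .min.js files in place rewrites files that ship in the orig tarball, so a second build in the same tree leaves upstream modifications that dpkg-source (3.0 quilt) refuses unless they are ignored; either restore the originals in an override_dh_auto_clean or list the two paths under extend-diff-ignore in debian/source/options, and verify with two consecutive builds. Also confirm these two are the only shipped copies of the patched code: if the package installs a combined bundle that embeds prism-markup or the command-line plugin, it needs the same regeneration, otherwise the "Really closes" claim in the changelog does not hold for that bundle.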
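The following is an added example, not code from the Prism project or from this debdiff. It models the loop patched above in both its pre-patch and patched form and runs it over a constructed output line carrying markup, so the effect of the one-line change can be seen outside a browser. The encode() helper is an assumed stand-in for Prism.util.encode (assumed to escape '&' and '<' and to replace U+00A0 with a space); the page does not show the real function, and the sample lines are constructed.

```javascript
// Added example, not code from the Prism project or this debdiff.
// ASSUMPTION: encode() stands in for Prism.util.encode and is assumed to turn
// '&' into '&amp;', '<' into '&lt;' and U+00A0 into a plain space; the real
// implementation is not shown on the page.
function encode(text) {
  return String(text)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/\u00a0/g, ' ');
}

// Pre-patch behaviour of the command-line plugin loop: an output line replaces
// the highlighted line verbatim, so any markup in it later lands in the DOM live.
function mergeOutputUnsafe(codeLines, outputLines) {
  var merged = codeLines.slice();
  for (var i = 0, l = outputLines.length; i < l; i++) {
    if (outputLines.hasOwnProperty(i)) {
      merged[i] = outputLines[i];
    }
  }
  return merged.join('\n');
}

// Patched behaviour: the same loop, but output lines are encoded first.
function mergeOutputSafe(codeLines, outputLines) {
  var merged = codeLines.slice();
  for (var i = 0, l = outputLines.length; i < l; i++) {
    if (outputLines.hasOwnProperty(i)) {
      merged[i] = encode(outputLines[i]);
    }
  }
  return merged.join('\n');
}

// Constructed sample input: three already-highlighted lines and a sparse array
// of output lines. Index 0 is the command itself and stays highlighted.
var sampleCodeLines = [
  '<span class="token function">cat</span> notes.txt',
  'hello',
  'world'
];
var sampleOutputLines = [];
sampleOutputLines[1] = 'hello <img src=x onerror=alert(1)>';
sampleOutputLines[2] = 'A & B';

// True when the pre-patch merge leaves the payload as live markup.
function unsafeLeaksMarkup() {
  return mergeOutputUnsafe(sampleCodeLines, sampleOutputLines).indexOf('<img') !== -1;
}

// True when the patched merge renders the payload as text and keeps '&' safe.
function safeEscapesMarkup() {
  var out = mergeOutputSafe(sampleCodeLines, sampleOutputLines);
  return out.indexOf('<img') === -1 &&
    out.indexOf('&lt;img') !== -1 &&
    out.indexOf('A &amp; B') !== -1;
}

console.log(mergeOutputUnsafe(sampleCodeLines, sampleOutputLines));
console.log('---');
console.log(mergeOutputSafe(sampleCodeLines, sampleOutputLines));
```

The highlighted command line at index 0 is untouched by both versions because the sparse outputLines array has no own property there; only the lines the plugin is told are output get replaced, and only the patched version neutralises what they contain.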