[Pkg-javascript-devel] Bug#987767: unblock: node-postcss/8.2.1+~cs5.3.23-7

Yadd yadd at debian.org
Thu Apr 29 09:32:14 BST 2021


Package: release.debian.org
Severity: normal
User: release.debian.org at packages.debian.org
Usertags: unblock
X-Debbugs-Cc: pkg-javascript-devel at lists.alioth.debian.org

Please unblock package node-postcss

[ Reason ]
node-postcss is vulnerable to a Regex Denial of Service (ReDoS)

[ Impact ]
Medium vulnerability

[ Tests ]
I added autopkgtests for CVE-2021-23368 and CVE-2021-23382, inspired by
the CVE proofs of concept

[ Risks ]
No risk, this is just a regex improvement.

[ Checklist ]
  [X] all changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in testing

Cheers,
Yadd

unblock node-postcss/8.2.1+~cs5.3.23-7
-------------- next part --------------
diff --git a/debian/changelog b/debian/changelog
index f7ffc04..a66396e 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+node-postcss (8.2.1+~cs5.3.23-7) unstable; urgency=medium
+
+  * Team upload
+  * Fix ReDoS (Closes: CVE-2021-23382)
+  * Add autopkgtest files for CVE-2021-23368 and CVE-2021-23382
+
+ -- Yadd <yadd at debian.org>  Thu, 29 Apr 2021 10:24:48 +0200
+
 node-postcss (8.2.1+~cs5.3.23-6) unstable; urgency=medium
 
   * Team upload
diff --git a/debian/patches/CVE-2021-23382.patch b/debian/patches/CVE-2021-23382.patch
new file mode 100644
index 0000000..a953851
--- /dev/null
+++ b/debian/patches/CVE-2021-23382.patch
@@ -0,0 +1,25 @@
+Description: Fix ReDoS in previous-map
+Author: Yeting Li <liyt at ios.ac.cn>
+Origin: upstream, https://github.com/postcss/postcss/commit/2ad1ca9b
+Bug: https://snyk.io/vuln/SNYK-JS-POSTCSS-1255640
+Forwarded: not-needed
+Reviewed-By: Yadd <yadd at debian.org>
+Last-Update: 2021-04-29
+
+--- a/lib/previous-map.js
++++ b/lib/previous-map.js
+@@ -49,12 +49,12 @@
+ 
+   getAnnotationURL (sourceMapString) {
+     return sourceMapString
+-      .match(/\/\*\s*# sourceMappingURL=(.*)\*\//)[1]
++      .match(/\/\*\s*# sourceMappingURL=((?:(?!sourceMappingURL=).)*)\*\//)[1]
+       .trim()
+   }
+ 
+   loadAnnotation (css) {
+-    let annotations = css.match(/\/\*\s*# sourceMappingURL=.*\*\//gm)
++    let annotations = css.match(/\/\*\s*# sourceMappingURL=(?:(?!sourceMappingURL=).)*\*\//gm)
+ 
+     if (annotations && annotations.length > 0) {
+       // Locate the last sourceMappingURL to avoid picking up
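Review bot: The tempered token `(?:(?!sourceMappingURL=).)*` removes the quadratic backtracking but also narrows what is accepted: an annotation whose URL itself contains the substring `sourceMappingURL=` no longer matches at all, and in `getAnnotationURL` a non-match surfaces as a TypeError from `.match(...)[1]` indexing null rather than as a clean result. Both regexes are changed consistently, so strings that `loadAnnotation` hands over presumably always match, but `getAnnotationURL` is a public method and could be called with other input. I would record the narrowing in the patch's DEP-3 Description and above the regex in `getAnnotationURL`: `// Tempered token: stop at the next annotation instead of backtracking over it (CVE-2021-23382); a URL containing "sourceMappingURL=" is deliberately not matched.` The body of `loadAnnotation` continues past the end of the hunk.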
diff --git a/debian/patches/series b/debian/patches/series
index 1be7968..2e873a9 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1 +1,2 @@
 CVE-2021-23368.patch
+CVE-2021-23382.patch
diff --git a/debian/tests/CVE-2021-23368.js b/debian/tests/CVE-2021-23368.js
new file mode 100644
index 0000000..1a8b09c
--- /dev/null
+++ b/debian/tests/CVE-2021-23368.js
@@ -0,0 +1,32 @@
+var postcss = require("postcss")
+
+const startTime = Date.now();
+
+function build_attack(n) {
+    var ret = "a{}/*# sourceMappingURL="
+    for (var i = 0; i < n; i++) {
+        ret += " "
+    }
+    return ret + "!";
+}
+
+// postcss.parse('a{}/*# sourceMappingURL=a.css.map */')
+for(var i = 1; i <= 500000; i++) {
+    if (i % 10000 == 0) {
+        var time = Date.now();
+        var attack_str = build_attack(i)
+        try{
+            postcss.parse(attack_str)
+            var time_cost = Date.now() - time;
+            console.log("attack_str.length: " + attack_str.length + ": " + time_cost+" ms");
+            }
+        catch(e){
+        var time_cost = Date.now() - time;
+        console.log("attack_str.length: " + attack_str.length + ": " + time_cost+" ms");
+        }
+    }
+    if(Date.now() - time > 10000) {
+        console.error('Vulnerable to CVE-2021-23368');
+        process.exit(1);
+    }
+}
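Review bot: The 10 s threshold check at the bottom of the loop reads `time`, which is only assigned inside the `if (i % 10000 == 0)` block; on the other 9,999 iterations `var` hoisting makes `Date.now() - time` NaN, so the comparison is silently false and the guard only works by accident. The loop also spins 500,000 times to take 50 measurements, `time_cost` includes building the attack string, and `startTime` is never used. I would iterate the attack size directly, time only the parse, and compare `time_cost` where it is computed, as below; the catch branch is kept because the property under test is the elapsed time, not whether parse accepts the input.
```javascript
// Sizes 10 000 .. 500 000 in steps of 10 000; each parse must finish well inside the 10 s budget.
for (let n = 10000; n <= 500000; n += 10000) {
    const attackStr = build_attack(n);
    const start = Date.now();
    try {
        postcss.parse(attackStr);
    } catch (e) {
        // A parse error is acceptable here; only the elapsed time is under test.
    }
    const timeCost = Date.now() - start;
    console.log(`attack_str.length: ${attackStr.length}: ${timeCost} ms`);
    if (timeCost > 10000) {
        console.error('Vulnerable to CVE-2021-23368');
        process.exit(1);
    }
}
```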
diff --git a/debian/tests/CVE-2021-23382.js b/debian/tests/CVE-2021-23382.js
new file mode 100644
index 0000000..c891279
--- /dev/null
+++ b/debian/tests/CVE-2021-23382.js
@@ -0,0 +1,32 @@
+var postcss = require("postcss")
+
+const startTime = Date.now();
+
+function build_attack(n) {
+    var ret = "a{}"
+    for (var i = 0; i < n; i++) {
+        ret += "/*# sourceMappingURL="
+    }
+    return ret + "!";
+}
+
+// postcss.parse('a{}/*# sourceMappingURL=a.css.map */')
+for(var i = 1; i <= 500000; i++) {
+    if (i % 1000 == 0) {
+        var time = Date.now();
+        var attack_str = build_attack(i)
+        try{
+            postcss.parse(attack_str)
+            var time_cost = Date.now() - time;
+            console.log("attack_str.length: " + attack_str.length + ": " + time_cost+" ms");
+            }
+        catch(e){
+        var time_cost = Date.now() - time;
+        console.log("attack_str.length: " + attack_str.length + ": " + time_cost+" ms");
+        }
+    }
+    if(Date.now() - time > 10000) {
+        console.error('Vulnerable to CVE-2021-23368');
+        process.exit(1);
+    }
+}
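Review bot: The failure message at the end of the loop names the wrong CVE — this test is for CVE-2021-23382 but prints `Vulnerable to CVE-2021-23368`, so a regression in the previous-map fix would be reported under the other identifier; change it to `console.error('Vulnerable to CVE-2021-23382');`. The loop copies the structure of the sibling test, including the `time` check that sits outside the `if (i % 1000 == 0)` block and therefore compares against NaN on most iterations. Note also that with a step of 1000 the script performs 500 parses of inputs growing to roughly 10.5 million characters (500000 × 21-byte annotations), which may make the autopkgtest slow even on a fixed build; a larger step or a lower cap would keep the same coverage of the quadratic case.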
diff --git a/debian/tests/control b/debian/tests/control
new file mode 100644
index 0000000..40ea2e2
--- /dev/null
+++ b/debian/tests/control
@@ -0,0 +1,2 @@
+Tests: security
+Depends: @
diff --git a/debian/tests/security b/debian/tests/security
new file mode 100755
index 0000000..64e069a
--- /dev/null
+++ b/debian/tests/security
@@ -0,0 +1,4 @@
+#!/bin/bash
+
+node ./debian/tests/CVE-2021-23368.js
+node ./debian/tests/CVE-2021-23382.js
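Review bot: A failure in the first test is masked: the script has no `set -e`, so its exit status is that of the last command, and CVE-2021-23368.js exiting 1 while CVE-2021-23382.js passes makes autopkgtest report the `security` test as passed. Add `set -e` on the line after the shebang (or `set -eu`). Both node scripts already signal failure via `process.exit(1)`, so nothing else is needed for the status to propagate.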

