[Pkg-javascript-devel] Bug#1032299: bullseye-pu: package node-css-what/4.0.0-3
Bastien Roucariès
rouca at debian.org
Fri Mar 3 08:57:15 GMT 2023
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian.org at packages.debian.org
Usertags: pu
X-Debbugs-Cc: node-css-what at packages.debian.org
Control: affects -1 + src:node-css-what
[ Reason ]
CVE-2022-21222/CVE-2021-33587: the package css-what before 2.1.3 is vulnerable
to Regular Expression Denial of Service (ReDoS) due to the usage of an insecure
regular expression in the re_attr variable of index.js. The exploitation of
this vulnerability could be triggered via the parse function.
[ Impact ]
DoS due to exponential regexp search.
[ Tests ]
The package test suite was run and the code modification was tested.
recheck was used to verify the absence of ReDoS.
[ Risks ]
* No backport is possible due to the upstream rewrite in TypeScript. Modifying
the regex was chosen in order to be the least disruptive option.
[ Checklist ]
[X] *all* changes are documented in the d/changelog
[X] I reviewed all changes and I approve them
[X] attach debdiff against the package in (old)stable
[X] the issue is verified as fixed in unstable
[ Changes ]
The ReDoS-sensitive regexp was rewritten in a linear form, step by step (5
patches).
[ Other info ]
None
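A worked comparison of the regex before and after the series, added here as an editor's example; it is not part of this bug report, of the debdiff, or of css-what itself. The two `reAttr` literals are copied verbatim from patch 0001 (the removed line) and patch 0005 (the added line) in the debdiff below; the helper names (`matchOriginal`, `matchFixed`, `pathological`, `slowdown`, `SAME_RESULT`), the sample selector bodies and the pathological input are constructed for this example, and `matchFixed` replays the caller-side trim that patch 0002 adds. Run it with `node`:

```javascript
// Added example, not part of the bug report, the debdiff or css-what itself:
// the attribute-selector regex from css-what 4.0.0 next to the one produced by
// the five Debian patches, applied to the text that follows "[" in a selector.
// Both regex literals are copied verbatim from the debdiff; every helper name
// below (matchOriginal, matchFixed, pathological, ...) is made up here.

// reAttr as shipped in src/parse.ts of css-what 4.0.0 (the "-" line of patch 0001).
const reAttrOriginal =
  /^\s*(?:(\*|[-\w]*)\|)?((?:\\.|[\w\u00b0-\uFFFF-])+)\s*(?:(\S?)=\s*(?:(['"])((?:[^\\]|\\[^])*?)\4|(#?(?:\\.|[\w\u00b0-\uFFFF-])*)|)|)\s*([iI])?\]/;

// reAttr after patch 0005 (the "+" line of that patch).
const reAttrFixed =
  /^(?:(\*|[-\w]*)\|)?((?:\\.|[\w\u00b0-\uFFFF-])+)[ \t\n\r\f]*(?:([~|^$*!]?)=[ \t\n\r\f]*(?:(['"])((?:[^\\]|\\[^])*?)\4[ \t\n\r\f]*|(#(?:\\.|[\w\u00b0-\uFFFF-])*|(?:\\.|[\w\u00b0-\uFFFF-])+)[ \t\n\r\f]*|)|)([iI])?\]/;

// Reduce a match to what parseSelector actually uses: the number of characters
// consumed after "[" and the seven captures (namespace, name, operator, quote
// character, quoted value, unquoted value, ignore-case flag). null = no match.
function describe(match, offset) {
  return match ? { consumed: match[0].length + offset, groups: match.slice(1, 8) } : null;
}

// 4.0.0 behaviour: the regex itself skips leading whitespace.
function matchOriginal(rest) {
  return describe(rest.match(reAttrOriginal), 0);
}

// Patched behaviour: patch 0002 strips leading whitespace in the caller
// (wmatch/woffset) and adds the offset back when advancing selectorIndex.
function matchFixed(rest) {
  const woffset = rest.match(/^\s*/)[0].length;
  return describe(rest.slice(woffset).match(reAttrFixed), woffset);
}

// Constructed input that never matches: U+2000 (EN QUAD) is whitespace for `\s`
// and also sits in the `\u00b0-\uFFFF` identifier range, so without a closing
// "]" the original regex tries every split of the run between the name group
// and its two `\s*` runs (cubic in n); the patched regex has one place for it.
function pathological(n) {
  return "a" + "\u2000".repeat(n);
}

// Wall-clock milliseconds for a single match attempt.
function timeMs(fn, rest) {
  fn("x]"); // warm up so regex compilation is not part of the measurement
  const t0 = process.hrtime.bigint();
  fn(rest);
  return Number(process.hrtime.bigint() - t0) / 1e6;
}

function slowdown(n) {
  return {
    original: timeMs(matchOriginal, pathological(n)),
    patched: timeMs(matchFixed, pathological(n)),
  };
}

// Well-formed bodies on which the patched regex must reproduce 4.0.0 exactly.
const SAME_RESULT = [
  "foo]", "foo=bar]", "  foo = \"bar\" ]", "ns|foo^=\"x y\" i]", "*|foo$='a]b']",
  "foo=#bar]", "foo~=bar I]", "foo=\"a\\\"b\"]",
  "foo!=bar]",       // still matched here; parseSelector rejects "!" afterwards
  "foo\u2000=bar]",  // U+2000 stays part of the name, as patch 0005 intends
];

// Inputs from SAME_RESULT where the two versions disagree (expected: none).
function disagreements() {
  return SAME_RESULT.filter(
    (s) => JSON.stringify(matchOriginal(s)) !== JSON.stringify(matchFixed(s))
  );
}

// The one behavioural difference introduced by patch 0004: an empty unquoted
// value ("[foo=]") used to be captured as "" and is now not captured at all.
function emptyValueCaptures() {
  return [matchOriginal("foo=]").groups[5], matchFixed("foo=]").groups[5]];
}

console.log("disagreements:", disagreements());
console.log("[foo=] unquoted capture, original vs patched:", emptyValueCaptures());
for (const n of [125, 250, 500]) {
  const t = slowdown(n);
  console.log(`n=${n}: original ${t.original.toFixed(1)} ms, patched ${t.patched.toFixed(3)} ms`);
}
```

On the constructed input the original regex's time grows roughly with the cube of n while the patched one stays flat, and the two versions agree on every well-formed body in the list; the only divergence shown is the empty unquoted value `[foo=]`, where patch 0004 turns a captured `""` into an unmatched group.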
diff -Nru node-css-what-4.0.0/debian/changelog node-css-what-4.0.0/debian/changelog
--- node-css-what-4.0.0/debian/changelog 2021-01-09 21:06:15.000000000 +0000
+++ node-css-what-4.0.0/debian/changelog 2023-03-01 13:47:23.000000000 +0000
@@ -1,3 +1,15 @@
+node-css-what (4.0.0-3+deb11u1) bullseye-security; urgency=medium
+
+ * Team upload
+ * node-css-what was vulnerable to Regular Expression Denial of Service
+ (ReDoS) due to the usage of insecure regular expression in the
+ re_attr variable.
+ The exploitation of this vulnerability could be triggered
+ via the parse function.
+ Fix CVE-2022-21222, CVE-2021-33587 (Closes: #989264, #1032188)
+
+ -- Bastien Roucari?s <rouca at debian.org> Wed, 01 Mar 2023 13:47:23 +0000
+
node-css-what (4.0.0-3) unstable; urgency=medium
* Team upload
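Review bot: the distribution field `bullseye-security` does not match a bullseye-pu request: proposed-updates uploads are processed by the release team and take `bullseye` as the distribution, while `bullseye-security` is the security team's queue on security-master. Change the first line to `node-css-what (4.0.0-3+deb11u1) bullseye; urgency=medium`. The trailer line also shows a mangled maintainer name (`Roucari?s`); check that debian/changelog is valid UTF-8 in the actual upload.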
diff -Nru node-css-what-4.0.0/debian/patches/0001-Partial-fix-of-reDos-CVE-2022-21222-CVE-2021-33587-a.patch node-css-what-4.0.0/debian/patches/0001-Partial-fix-of-reDos-CVE-2022-21222-CVE-2021-33587-a.patch
--- node-css-what-4.0.0/debian/patches/0001-Partial-fix-of-reDos-CVE-2022-21222-CVE-2021-33587-a.patch 1970-01-01 00:00:00.000000000 +0000
+++ node-css-what-4.0.0/debian/patches/0001-Partial-fix-of-reDos-CVE-2022-21222-CVE-2021-33587-a.patch 2023-03-01 13:47:23.000000000 +0000
@@ -0,0 +1,36 @@
+From: =?utf-8?q?Bastien_Roucari=C3=A8s?= <rouca at debian.org>
+Date: Wed, 1 Mar 2023 08:12:48 +0000
+Subject: Partial fix of reDos CVE-2022-21222/CVE-2021-33587: attribute
+ selector
+MIME-Version: 1.0
+Content-Type: text/plain; charset="utf-8"
+Content-Transfer-Encoding: 8bit
+
+Per https://w3c.github.io/csswg-drafts/selectors/#attribute-selectors only = ~= |= ^= $= *= are supported.
+
+Add also != that is checked as invalid latter in order to pass testsuite.
+
+So replace \S by [~|^$*!]
+
+Signed-off-by: Bastien Roucari?s <rouca at debian.org>
+bug-debian: https://bugs.debian.org/989264
+bug-debian: https://bugs.debian.org/1032188
+bug: https://www.cve.org/CVERecord?id=CVE-2022-21222
+bug: https://www.cve.org/CVERecord?id=CVE-2021-33587
+---
+ src/parse.ts | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/parse.ts b/src/parse.ts
+index 677a029..628561b 100644
+--- a/src/parse.ts
++++ b/src/parse.ts
+@@ -81,7 +81,7 @@ export type TraversalType =
+ const reName = /^[^\\#]?(?:\\(?:[\da-f]{1,6}\s?|.)|[\w\-\u00b0-\uFFFF])+/;
+ const reEscape = /\\([\da-f]{1,6}\s?|(\s)|.)/gi;
+ // Modified version of https://github.com/jquery/sizzle/blob/master/src/sizzle.js#L87
+-const reAttr = /^\s*(?:(\*|[-\w]*)\|)?((?:\\.|[\w\u00b0-\uFFFF-])+)\s*(?:(\S?)=\s*(?:(['"])((?:[^\\]|\\[^])*?)\4|(#?(?:\\.|[\w\u00b0-\uFFFF-])*)|)|)\s*([iI])?\]/;
++const reAttr = /^\s*(?:(\*|[-\w]*)\|)?((?:\\.|[\w\u00b0-\uFFFF-])+)\s*(?:([~|^$*!]?)=\s*(?:(['"])((?:[^\\]|\\[^])*?)\4|(#?(?:\\.|[\w\u00b0-\uFFFF-])*)|)|)\s*([iI])?\]/;
+
+ const actionTypes: { [key: string]: AttributeAction } = {
+ undefined: "exists",
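Review bot: `!` is accepted by the new operator class `[~|^$*!]?` only so that `[foo!=bar]` keeps reaching the code that rejects it later (the commit message says as much), but nothing in parse.ts records that, and the comment above the regex still points at the Sizzle original, which has no such operator. Add a one-line comment at `reAttr` explaining why `!` is there; otherwise the next person tightening the class to the six spec operators (`=`, `~=`, `|=`, `^=`, `$=`, `*=`) will silently change the error path. Narrowing `\S?` is correct on its own, but note that it leaves the `\s*` runs around the optional groups untouched, and those still overlap the `\u00b0-\uFFFF` identifier range; the later patches in the series are what deal with that.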
diff -Nru node-css-what-4.0.0/debian/patches/0002-Partial-fix-of-ReDos-CVE-2022-21222-CVE-2021-33587-t.patch node-css-what-4.0.0/debian/patches/0002-Partial-fix-of-ReDos-CVE-2022-21222-CVE-2021-33587-t.patch
--- node-css-what-4.0.0/debian/patches/0002-Partial-fix-of-ReDos-CVE-2022-21222-CVE-2021-33587-t.patch 1970-01-01 00:00:00.000000000 +0000
+++ node-css-what-4.0.0/debian/patches/0002-Partial-fix-of-ReDos-CVE-2022-21222-CVE-2021-33587-t.patch 2023-03-01 13:47:23.000000000 +0000
@@ -0,0 +1,55 @@
+From: =?utf-8?q?Bastien_Roucari=C3=A8s?= <rouca at debian.org>
+Date: Wed, 1 Mar 2023 10:10:47 +0000
+Subject: Partial fix of ReDos CVE-2022-21222/CVE-2021-33587: trim string
+MIME-Version: 1.0
+Content-Type: text/plain; charset="utf-8"
+Content-Transfer-Encoding: 8bit
+
+Trim left the string avoiding a \s* at the beginning of the string, thus avoiding part of complexity.
+
+bug-debian: https://bugs.debian.org/989264
+bug-debian: https://bugs.debian.org/1032188
+bug: https://www.cve.org/CVERecord?id=CVE-2022-21222
+bug: https://www.cve.org/CVERecord?id=CVE-2021-33587
+Signed-off-by: Bastien Roucari?s <rouca at debian.org>
+---
+ src/parse.ts | 11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+diff --git a/src/parse.ts b/src/parse.ts
+index 628561b..ad11230 100644
+--- a/src/parse.ts
++++ b/src/parse.ts
+@@ -81,7 +81,7 @@ export type TraversalType =
+ const reName = /^[^\\#]?(?:\\(?:[\da-f]{1,6}\s?|.)|[\w\-\u00b0-\uFFFF])+/;
+ const reEscape = /\\([\da-f]{1,6}\s?|(\s)|.)/gi;
+ // Modified version of https://github.com/jquery/sizzle/blob/master/src/sizzle.js#L87
+-const reAttr = /^\s*(?:(\*|[-\w]*)\|)?((?:\\.|[\w\u00b0-\uFFFF-])+)\s*(?:([~|^$*!]?)=\s*(?:(['"])((?:[^\\]|\\[^])*?)\4|(#?(?:\\.|[\w\u00b0-\uFFFF-])*)|)|)\s*([iI])?\]/;
++const reAttr = /^(?:(\*|[-\w]*)\|)?((?:\\.|[\w\u00b0-\uFFFF-])+)\s*(?:([~|^$*!]?)=\s*(?:(['"])((?:[^\\]|\\[^])*?)\4|(#?(?:\\.|[\w\u00b0-\uFFFF-])*)|)|)\s*([iI])?\]/;
+
+ const actionTypes: { [key: string]: AttributeAction } = {
+ undefined: "exists",
+@@ -263,8 +263,13 @@ function parseSelector(
+ namespace: null,
+ });
+ } else if (firstChar === "[") {
++ const wmatch = selector
++ .slice(selectorIndex + 1)
++ .match(/^\s*/);
++ const woffset = !wmatch ? 0 : wmatch[0].length;
++
+ const attributeMatch = selector
+- .slice(selectorIndex + 1)
++ .slice(selectorIndex + 1 + woffset)
+ .match(reAttr);
+
+ if (!attributeMatch) {
+@@ -286,7 +291,7 @@ function parseSelector(
+ ignoreCase,
+ ] = attributeMatch;
+
+- selectorIndex += completeSelector.length + 1;
++ selectorIndex += completeSelector.length + 1 + woffset;
+ let name = unescapeCSS(baseName);
+
+ if (options.lowerCaseAttributeNames ?? !options.xmlMode) {
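Review bot: `wmatch` can never be null here, because `/^\s*/` matches the empty string at any position, so `!wmatch ? 0 : wmatch[0].length` reduces to `wmatch[0].length`; the dead branch sends a reader looking for a case that does not exist. Also spell out in the commit message that the `+ woffset` added to `selectorIndex` lower in this hunk is what keeps `completeSelector.length` consistent after the slice, since the two changes only work together.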
diff -Nru node-css-what-4.0.0/debian/patches/0003-Partial-Fix-of-ReDos-CVE-2022-21222-CVE-2021-33587-p.patch node-css-what-4.0.0/debian/patches/0003-Partial-Fix-of-ReDos-CVE-2022-21222-CVE-2021-33587-p.patch
--- node-css-what-4.0.0/debian/patches/0003-Partial-Fix-of-ReDos-CVE-2022-21222-CVE-2021-33587-p.patch 1970-01-01 00:00:00.000000000 +0000
+++ node-css-what-4.0.0/debian/patches/0003-Partial-Fix-of-ReDos-CVE-2022-21222-CVE-2021-33587-p.patch 2023-03-01 13:47:23.000000000 +0000
@@ -0,0 +1,33 @@
+From: =?utf-8?q?Bastien_Roucari=C3=A8s?= <rouca at debian.org>
+Date: Wed, 1 Mar 2023 10:34:56 +0000
+Subject: Partial Fix of ReDos CVE-2022-21222/CVE-2021-33587: push inside
+ group avoiding (a|a?)+ problem
+MIME-Version: 1.0
+Content-Type: text/plain; charset="utf-8"
+Content-Transfer-Encoding: 8bit
+
+Push \s* inside the group
+
+Signed-off-by: Bastien Roucari?s <rouca at debian.org>
+bug-debian: https://bugs.debian.org/989264
+bug-debian: https://bugs.debian.org/1032188
+bug: https://www.cve.org/CVERecord?id=CVE-2022-21222
+bug: https://www.cve.org/CVERecord?id=CVE-2021-33587
+Signed-off-by: Bastien Roucari?s <rouca at debian.org>
+---
+ src/parse.ts | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/parse.ts b/src/parse.ts
+index ad11230..4bca92f 100644
+--- a/src/parse.ts
++++ b/src/parse.ts
+@@ -81,7 +81,7 @@ export type TraversalType =
+ const reName = /^[^\\#]?(?:\\(?:[\da-f]{1,6}\s?|.)|[\w\-\u00b0-\uFFFF])+/;
+ const reEscape = /\\([\da-f]{1,6}\s?|(\s)|.)/gi;
+ // Modified version of https://github.com/jquery/sizzle/blob/master/src/sizzle.js#L87
+-const reAttr = /^(?:(\*|[-\w]*)\|)?((?:\\.|[\w\u00b0-\uFFFF-])+)\s*(?:([~|^$*!]?)=\s*(?:(['"])((?:[^\\]|\\[^])*?)\4|(#?(?:\\.|[\w\u00b0-\uFFFF-])*)|)|)\s*([iI])?\]/;
++const reAttr = /^(?:(\*|[-\w]*)\|)?((?:\\.|[\w\u00b0-\uFFFF-])+)\s*(?:([~|^$*!]?)=\s*(?:(['"])((?:[^\\]|\\[^])*?)\4\s*|(#?(?:\\.|[\w\u00b0-\uFFFF-])*)\s*|)|)([iI])?\]/;
+
+ const actionTypes: { [key: string]: AttributeAction } = {
+ undefined: "exists",
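Review bot: the subject promises to avoid an `(a|a?)+` pattern, but the hunk leaves one in place: the unquoted branch is still `(#?(?:\\.|[\w\u00b0-\uFFFF-])*)\s*`, which can match the empty string and then a whitespace run, so for `[foo=` followed by many spaces and no `]` the `\s*` after `=` and the `\s*` in that branch still share the run in every possible split (quadratic). What this step does fix is the run after the name: with the trailing `\s*` before `([iI])?` gone, the `\s*` after the name is the only place that run can go when the operator group is empty. Say that in the commit message and leave the `=` case to the next patch explicitly, so someone auditing the series knows which input each step makes linear.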
diff -Nru node-css-what-4.0.0/debian/patches/0004-Partial-ReDoS-fix-CVE-2022-21222-CVE-2021-33587-avoi.patch node-css-what-4.0.0/debian/patches/0004-Partial-ReDoS-fix-CVE-2022-21222-CVE-2021-33587-avoi.patch
--- node-css-what-4.0.0/debian/patches/0004-Partial-ReDoS-fix-CVE-2022-21222-CVE-2021-33587-avoi.patch 1970-01-01 00:00:00.000000000 +0000
+++ node-css-what-4.0.0/debian/patches/0004-Partial-ReDoS-fix-CVE-2022-21222-CVE-2021-33587-avoi.patch 2023-03-01 13:47:23.000000000 +0000
@@ -0,0 +1,33 @@
+From: =?utf-8?q?Bastien_Roucari=C3=A8s?= <rouca at debian.org>
+Date: Wed, 1 Mar 2023 11:40:39 +0000
+Subject: Partial ReDoS fix CVE-2022-21222/CVE-2021-33587: avoid another
+ (a|a?)+
+MIME-Version: 1.0
+Content-Type: text/plain; charset="utf-8"
+Content-Transfer-Encoding: 8bit
+
+Replace possibly null combinaison (#?(?:\\.|[\w\u00b0-\uFFFF-])*) by (#(?:\\.|[\w\u00b0-\uFFFF-])*|(?:\\.|[\w\u00b0-\uFFFF-])+)
+
+Signed-off-by: Bastien Roucari?s <rouca at debian.org>
+bug-debian: https://bugs.debian.org/989264
+bug-debian: https://bugs.debian.org/1032188
+bug: https://www.cve.org/CVERecord?id=CVE-2022-21222
+bug: https://www.cve.org/CVERecord?id=CVE-2021-33587
+Signed-off-by: Bastien Roucari?s <rouca at debian.org>
+---
+ src/parse.ts | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/parse.ts b/src/parse.ts
+index 4bca92f..fcae1e3 100644
+--- a/src/parse.ts
++++ b/src/parse.ts
+@@ -81,7 +81,7 @@ export type TraversalType =
+ const reName = /^[^\\#]?(?:\\(?:[\da-f]{1,6}\s?|.)|[\w\-\u00b0-\uFFFF])+/;
+ const reEscape = /\\([\da-f]{1,6}\s?|(\s)|.)/gi;
+ // Modified version of https://github.com/jquery/sizzle/blob/master/src/sizzle.js#L87
+-const reAttr = /^(?:(\*|[-\w]*)\|)?((?:\\.|[\w\u00b0-\uFFFF-])+)\s*(?:([~|^$*!]?)=\s*(?:(['"])((?:[^\\]|\\[^])*?)\4\s*|(#?(?:\\.|[\w\u00b0-\uFFFF-])*)\s*|)|)([iI])?\]/;
++const reAttr = /^(?:(\*|[-\w]*)\|)?((?:\\.|[\w\u00b0-\uFFFF-])+)\s*(?:([~|^$*!]?)=\s*(?:(['"])((?:[^\\]|\\[^])*?)\4\s*|(#(?:\\.|[\w\u00b0-\uFFFF-])*|(?:\\.|[\w\u00b0-\uFFFF-])+)\s*|)|)([iI])?\]/;
+
+ const actionTypes: { [key: string]: AttributeAction } = {
+ undefined: "exists",
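Review bot: capture 6 changes meaning for an empty unquoted value: `[foo=]` used to match through `(#?(?:...)*)` with the group set to `""`, and now matches through the empty third alternative with the group undefined, because both new branches require at least one character (`#` or an identifier character). Check the consumer of that capture in parseSelector (the destructuring of `attributeMatch` shown in patch 0002's context) to confirm it already treats undefined and `""` alike; otherwise `[foo=]` starts producing a different result than in 4.0.0-3. A test for `[foo=]` next to `[foo=""]` would pin this down.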
diff -Nru node-css-what-4.0.0/debian/patches/0005-Final-ReDos-Fix-for-CVE-2022-21222-CVE-2021-33587-wh.patch node-css-what-4.0.0/debian/patches/0005-Final-ReDos-Fix-for-CVE-2022-21222-CVE-2021-33587-wh.patch
--- node-css-what-4.0.0/debian/patches/0005-Final-ReDos-Fix-for-CVE-2022-21222-CVE-2021-33587-wh.patch 1970-01-01 00:00:00.000000000 +0000
+++ node-css-what-4.0.0/debian/patches/0005-Final-ReDos-Fix-for-CVE-2022-21222-CVE-2021-33587-wh.patch 2023-03-01 13:47:23.000000000 +0000
@@ -0,0 +1,34 @@
+From: =?utf-8?q?Bastien_Roucari=C3=A8s?= <rouca at debian.org>
+Date: Wed, 1 Mar 2023 11:45:48 +0000
+Subject: Final ReDos Fix for CVE-2022-21222/CVE-2021-33587: whitespace fix
+MIME-Version: 1.0
+Content-Type: text/plain; charset="utf-8"
+Content-Transfer-Encoding: 8bit
+
+Replace \s that could match whitespace in \u00b0-\uFFFF, by [ \t\n\r\f]* that is space according to css specification
+
+Upstream version 4.0.0 allowed to match indent name including non breakable UTF, keep this feature.
+
+Signed-off-by: Bastien Roucari?s <rouca at debian.org>
+bug-debian: https://bugs.debian.org/989264
+bug-debian: https://bugs.debian.org/1032188
+bug: https://www.cve.org/CVERecord?id=CVE-2022-21222
+bug: https://www.cve.org/CVERecord?id=CVE-2021-33587
+Signed-off-by: Bastien Roucari?s <rouca at debian.org>
+---
+ src/parse.ts | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/parse.ts b/src/parse.ts
+index fcae1e3..278eecf 100644
+--- a/src/parse.ts
++++ b/src/parse.ts
+@@ -81,7 +81,7 @@ export type TraversalType =
+ const reName = /^[^\\#]?(?:\\(?:[\da-f]{1,6}\s?|.)|[\w\-\u00b0-\uFFFF])+/;
+ const reEscape = /\\([\da-f]{1,6}\s?|(\s)|.)/gi;
+ // Modified version of https://github.com/jquery/sizzle/blob/master/src/sizzle.js#L87
+-const reAttr = /^(?:(\*|[-\w]*)\|)?((?:\\.|[\w\u00b0-\uFFFF-])+)\s*(?:([~|^$*!]?)=\s*(?:(['"])((?:[^\\]|\\[^])*?)\4\s*|(#(?:\\.|[\w\u00b0-\uFFFF-])*|(?:\\.|[\w\u00b0-\uFFFF-])+)\s*|)|)([iI])?\]/;
++const reAttr = /^(?:(\*|[-\w]*)\|)?((?:\\.|[\w\u00b0-\uFFFF-])+)[ \t\n\r\f]*(?:([~|^$*!]?)=[ \t\n\r\f]*(?:(['"])((?:[^\\]|\\[^])*?)\4[ \t\n\r\f]*|(#(?:\\.|[\w\u00b0-\uFFFF-])*|(?:\\.|[\w\u00b0-\uFFFF-])+)[ \t\n\r\f]*|)|)([iI])?\]/;
+
+ const actionTypes: { [key: string]: AttributeAction } = {
+ undefined: "exists",
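Review bot: the caller-side trim added by patch 0002 still uses `/^\s*/` while this regex now accepts only `[ \t\n\r\f]` as whitespace, so `[` U+2000 `foo]` drops the U+2000 before the name while `[foo` U+2000 `]` keeps it in the identifier. If the point of this patch is that JavaScript's `\s` (which includes U+1680, U+2000 to U+200A, U+2028, U+2029, U+202F, U+205F, U+3000 and U+FEFF, all inside `\u00b0-\uFFFF`) must never compete with identifier characters, the trim in parseSelector should use the same `[ \t\n\r\f]*` class, or the commit message should say why the leading position is handled differently. This is also the step that removes the last overlap, since after patches 0003 and 0004 every ASCII whitespace run already has exactly one home; that is worth a sentence in the message.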
diff -Nru node-css-what-4.0.0/debian/patches/series node-css-what-4.0.0/debian/patches/series
--- node-css-what-4.0.0/debian/patches/series 1970-01-01 00:00:00.000000000 +0000
+++ node-css-what-4.0.0/debian/patches/series 2023-03-01 13:47:23.000000000 +0000
@@ -0,0 +1,5 @@
+0001-Partial-fix-of-reDos-CVE-2022-21222-CVE-2021-33587-a.patch
+0002-Partial-fix-of-ReDos-CVE-2022-21222-CVE-2021-33587-t.patch
+0003-Partial-Fix-of-ReDos-CVE-2022-21222-CVE-2021-33587-p.patch
+0004-Partial-ReDoS-fix-CVE-2022-21222-CVE-2021-33587-avoi.patch
+0005-Final-ReDos-Fix-for-CVE-2022-21222-CVE-2021-33587-wh.patch
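Review bot: the series ships no regression test, although the cover letter says the absence of ReDoS was checked with recheck; nothing in the package now guards against a later bullseye update reintroducing an overlap. Add a sixth patch (or an autopkgtest under debian/tests) that parses one crafted attribute selector of a few thousand characters, such as a name followed by a long run of U+2000 with no closing bracket, under a time bound, plus a handful of well-formed selectors (`[foo]`, `[ns|foo^="x" i]`, `[foo=#bar]`, `[foo!=bar]`) whose parse result must be unchanged from 4.0.0-3.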