[Pkg-javascript-devel] Bug#1118283: Proposed patches to fix CVE-2025-9670 in node-turndown_7.1.1-3 from Debian Bookworm/Trixie

Sergei Semin sergeysyomin at yandex.ru
Thu Nov 20 15:50:43 GMT 2025


Hi!

According to https://security-tracker.debian.org/tracker/CVE-2025-9670,
this issue is considered applicable to the current version 7.1.1-3 of the
node-turndown package in Debian Bookworm and Debian Trixie. It is
possible to fix this issue in version 7.1.1-3 using these 2 commits:

1. Fix ordered content indentation
https://github.com/mixmark-io/turndown/commit/ac97289706d022799c553a29e06f463c4ccd623c
2. Replace regexp trailing space removal with more optimized method
https://github.com/mixmark-io/turndown/commit/8ed049935ac235cc009e9a7412c0a6fe6ab5b223

The second commit, "Replace regexp trailing space removal with more
optimized method", is mentioned on the page
https://security-tracker.debian.org/tracker/CVE-2025-9670, so it is
considered the upstream fix for this issue. But it is impossible to
apply this commit to version 7.1.1-3 of the node-turndown package. The
commit "Fix ordered content indentation" is a prerequisite for "Replace
regexp trailing space removal with more optimized method". After
applying "Fix ordered content indentation" onto node-turndown_7.1.1-3
it is also possible to apply the desired "Replace regexp trailing space
removal with more optimized method". It is possible to build a deb
package in the resulting state with "dpkg-buildpackage -b -uc". It is
also possible to install npm with "apt install npm", then install the
turndown-attendant package with "npm i turndown-attendant", and after
this it is possible to successfully run the tests using
"node test/turndown-test.js" (by default, test execution is disabled in
the build process of node-turndown_7.1.1-3 because of the absence of
"turndown-attendant" in Debian packages, but it is possible to install
"turndown-attendant" with npm for a local test run).

The patch from commit ac97289706d022799c553a29e06f463c4ccd623c is
attached as the file "fix_ordered_content_indentation.patch", and the
patch from commit 8ed049935ac235cc009e9a7412c0a6fe6ab5b223 is attached
as "CVE-2025-9670.patch". They can be imported and pushed onto
node-turndown_7.1.1-3 with quilt in that order.

Regards,
Sergei
-------------- next part --------------
A non-text attachment was scrubbed...
Name: fix_ordered_content_indentation.patch
Type: text/x-patch
Size: 2074 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/pkg-javascript-devel/attachments/20251120/00a9f268/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: CVE-2025-9670.patch
Type: text/x-patch
Size: 2217 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/pkg-javascript-devel/attachments/20251120/00a9f268/attachment-0001.bin>