Version in base suite: 4.0.0-3 Base version: node-css-what_4.0.0-3 Target version: node-css-what_4.0.0-3+deb11u1 Base file: /srv/ftp-master.debian.org/ftp/pool/main/n/node-css-what/node-css-what_4.0.0-3.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/n/node-css-what/node-css-what_4.0.0-3+deb11u1.dsc changelog | 12 ++ patches/0001-Partial-fix-of-reDos-CVE-2022-21222-CVE-2021-33587-a.patch | 36 ++++++ patches/0002-Partial-fix-of-ReDos-CVE-2022-21222-CVE-2021-33587-t.patch | 55 ++++++++++ patches/0003-Partial-Fix-of-ReDos-CVE-2022-21222-CVE-2021-33587-p.patch | 33 ++++++ patches/0004-Partial-ReDoS-fix-CVE-2022-21222-CVE-2021-33587-avoi.patch | 33 ++++++ patches/0005-Final-ReDos-Fix-for-CVE-2022-21222-CVE-2021-33587-wh.patch | 34 ++++++ patches/series | 5 7 files changed, 208 insertions(+)
diff -Nru node-css-what-4.0.0/debian/changelog node-css-what-4.0.0/debian/changelog
--- node-css-what-4.0.0/debian/changelog 2021-01-09 21:06:15.000000000 +0000
+++ node-css-what-4.0.0/debian/changelog 2023-03-01 13:47:23.000000000 +0000
@@ -1,3 +1,15 @@
+node-css-what (4.0.0-3+deb11u1) bullseye; urgency=medium
+
+ * Team upload
+ * node-css-what was vulnerable to Regular Expression Denial of Service
+ (ReDoS) due to the usage of insecure regular expression in the
+ re_attr variable.
+ The exploitation of this vulnerability could be triggered
+ via the parse function.
+ Fix CVE-2022-21222, CVE-2021-33587 (Closes: #989264, #1032188)
+
+ -- Bastien Roucariès Wed, 01 Mar 2023 13:47:23 +0000
+
 node-css-what (4.0.0-3) unstable; urgency=medium
 * Team upload
diff -Nru node-css-what-4.0.0/debian/patches/0001-Partial-fix-of-reDos-CVE-2022-21222-CVE-2021-33587-a.patch node-css-what-4.0.0/debian/patches/0001-Partial-fix-of-reDos-CVE-2022-21222-CVE-2021-33587-a.patch
--- node-css-what-4.0.0/debian/patches/0001-Partial-fix-of-reDos-CVE-2022-21222-CVE-2021-33587-a.patch 1970-01-01 00:00:00.000000000 +0000
+++ node-css-what-4.0.0/debian/patches/0001-Partial-fix-of-reDos-CVE-2022-21222-CVE-2021-33587-a.patch 2023-03-01 13:47:23.000000000 +0000
@@ -0,0 +1,36 @@
+From: =?utf-8?q?Bastien_Roucari=C3=A8s?=
+Date: Wed, 1 Mar 2023 08:12:48 +0000
+Subject: Partial fix of reDos CVE-2022-21222/CVE-2021-33587: attribute
+ selector
+MIME-Version: 1.0
+Content-Type: text/plain; charset="utf-8"
+Content-Transfer-Encoding: 8bit
+
+Per https://w3c.github.io/csswg-drafts/selectors/#attribute-selectors only = ~= |= ^= $= *= are supported.
+
+Add also != that is checked as invalid latter in order to pass testsuite.
+
+So replace \S by [~|^$*!]
+
+Signed-off-by: Bastien Roucariès
+bug-debian: https://bugs.debian.org/989264
+bug-debian: https://bugs.debian.org/1032188
+bug: https://www.cve.org/CVERecord?id=CVE-2022-21222
+bug: https://www.cve.org/CVERecord?id=CVE-2021-33587
+---
+ src/parse.ts | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/parse.ts b/src/parse.ts
+index 677a029..628561b 100644
+--- a/src/parse.ts
++++ b/src/parse.ts
+@@ -81,7 +81,7 @@ export type TraversalType =
+ const reName = /^[^\\#]?(?:\\(?:[\da-f]{1,6}\s?|.)|[\w\-\u00b0-\uFFFF])+/;
+ const reEscape = /\\([\da-f]{1,6}\s?|(\s)|.)/gi;
+ // Modified version of https://github.com/jquery/sizzle/blob/master/src/sizzle.js#L87
+-const reAttr = /^\s*(?:(\*|[-\w]*)\|)?((?:\\.|[\w\u00b0-\uFFFF-])+)\s*(?:(\S?)=\s*(?:(['"])((?:[^\\]|\\[^])*?)\4|(#?(?:\\.|[\w\u00b0-\uFFFF-])*)|)|)\s*([iI])?\]/;
++const reAttr = /^\s*(?:(\*|[-\w]*)\|)?((?:\\.|[\w\u00b0-\uFFFF-])+)\s*(?:([~|^$*!]?)=\s*(?:(['"])((?:[^\\]|\\[^])*?)\4|(#?(?:\\.|[\w\u00b0-\uFFFF-])*)|)|)\s*([iI])?\]/;
+
+ const actionTypes: { [key: string]: AttributeAction } = {
+ undefined: "exists",
diff -Nru node-css-what-4.0.0/debian/patches/0002-Partial-fix-of-ReDos-CVE-2022-21222-CVE-2021-33587-t.patch node-css-what-4.0.0/debian/patches/0002-Partial-fix-of-ReDos-CVE-2022-21222-CVE-2021-33587-t.patch
--- node-css-what-4.0.0/debian/patches/0002-Partial-fix-of-ReDos-CVE-2022-21222-CVE-2021-33587-t.patch 1970-01-01 00:00:00.000000000 +0000
+++
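Review bot: The new operator class `[~|^$*!]` in `reAttr` (patch 0001) admits `!`, although the Selectors draft cited in the patch description lists no `!=` matcher, and the reason is recorded only in the patch header, not in src/parse.ts. The later rejection of `!=` that the description mentions is not visible in this hunk, so a reader of the source cannot tell that the character is deliberate rather than a leftover. A comment above the constant would cover it, e.g. `// Operator is one of ~ | ^ $ * per Selectors; "!" is matched too so that "!=" reaches the later invalid-operator handling.`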
node-css-what-4.0.0/debian/patches/0002-Partial-fix-of-ReDos-CVE-2022-21222-CVE-2021-33587-t.patch 2023-03-01 13:47:23.000000000 +0000 
@@ -0,0 +1,55 @@
+From: =?utf-8?q?Bastien_Roucari=C3=A8s?=
+Date: Wed, 1 Mar 2023 10:10:47 +0000
+Subject: Partial fix of ReDos CVE-2022-21222/CVE-2021-33587: trim string
+MIME-Version: 1.0
+Content-Type: text/plain; charset="utf-8"
+Content-Transfer-Encoding: 8bit
+
+Trim left the string avoiding a \s* at the beginning of the string, thus avoiding part of complexity.
+
+bug-debian: https://bugs.debian.org/989264
+bug-debian: https://bugs.debian.org/1032188
+bug: https://www.cve.org/CVERecord?id=CVE-2022-21222
+bug: https://www.cve.org/CVERecord?id=CVE-2021-33587
+Signed-off-by: Bastien Roucariès
+---
+ src/parse.ts | 11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+diff --git a/src/parse.ts b/src/parse.ts
+index 628561b..ad11230 100644
+--- a/src/parse.ts
++++ b/src/parse.ts
+@@ -81,7 +81,7 @@ export type TraversalType =
+ const reName = /^[^\\#]?(?:\\(?:[\da-f]{1,6}\s?|.)|[\w\-\u00b0-\uFFFF])+/;
+ const reEscape = /\\([\da-f]{1,6}\s?|(\s)|.)/gi;
+ // Modified version of https://github.com/jquery/sizzle/blob/master/src/sizzle.js#L87
+-const reAttr = /^\s*(?:(\*|[-\w]*)\|)?((?:\\.|[\w\u00b0-\uFFFF-])+)\s*(?:([~|^$*!]?)=\s*(?:(['"])((?:[^\\]|\\[^])*?)\4|(#?(?:\\.|[\w\u00b0-\uFFFF-])*)|)|)\s*([iI])?\]/;
++const reAttr = /^(?:(\*|[-\w]*)\|)?((?:\\.|[\w\u00b0-\uFFFF-])+)\s*(?:([~|^$*!]?)=\s*(?:(['"])((?:[^\\]|\\[^])*?)\4|(#?(?:\\.|[\w\u00b0-\uFFFF-])*)|)|)\s*([iI])?\]/;
+
+ const actionTypes: { [key: string]: AttributeAction } = {
+ undefined: "exists",
+@@ -263,8 +263,13 @@ function parseSelector(
+ namespace: null,
+ });
+ } else if (firstChar === "[") {
++ const wmatch = selector
++ .slice(selectorIndex + 1)
++ .match(/^\s*/);
++ const woffset = !wmatch ? 0 : wmatch[0].length;
++
+ const attributeMatch = selector
+- .slice(selectorIndex + 1)
++ .slice(selectorIndex + 1 + woffset)
+ .match(reAttr);
+
+ if (!attributeMatch) {
+@@ -286,7 +291,7 @@ function parseSelector(
+ ignoreCase,
+ ] = attributeMatch;
+
+- selectorIndex += completeSelector.length + 1;
++ selectorIndex += completeSelector.length + 1 + woffset;
+ let name = unescapeCSS(baseName);
+
+ if (options.lowerCaseAttributeNames ?? !options.xmlMode) {
diff -Nru node-css-what-4.0.0/debian/patches/0003-Partial-Fix-of-ReDos-CVE-2022-21222-CVE-2021-33587-p.patch node-css-what-4.0.0/debian/patches/0003-Partial-Fix-of-ReDos-CVE-2022-21222-CVE-2021-33587-p.patch
--- node-css-what-4.0.0/debian/patches/0003-Partial-Fix-of-ReDos-CVE-2022-21222-CVE-2021-33587-p.patch 1970-01-01 00:00:00.000000000 +0000
+++ node-css-what-4.0.0/debian/patches/0003-Partial-Fix-of-ReDos-CVE-2022-21222-CVE-2021-33587-p.patch 2023-03-01 13:47:23.000000000 +0000
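Review bot: The leading-whitespace skip added to `parseSelector` (patch 0002, second hunk) uses `.match(/^\s*/)`, while patch 0005 of this same upload narrows every whitespace position inside `reAttr` to `[ \t\n\r\f]`. After the full series a character such as U+00A0 is therefore skipped right after `[` but no longer accepted as whitespace before `=` or `]`. If CSS whitespace is the intended definition, `.match(/^[ \t\n\r\f]*/)` here keeps the two in step. The `!wmatch` branch can never run, since `/^\s*/` also matches the empty string; it only satisfies the type checker, which a short comment could say. `parseSelector` begins and ends outside these hunks.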
@@ -0,0 +1,33 @@
+From: =?utf-8?q?Bastien_Roucari=C3=A8s?=
+Date: Wed, 1 Mar 2023 10:34:56 +0000
+Subject: Partial Fix of ReDos CVE-2022-21222/CVE-2021-33587: push inside
+ group avoiding (a|a?)+ problem
+MIME-Version: 1.0
+Content-Type: text/plain; charset="utf-8"
+Content-Transfer-Encoding: 8bit
+
+Push \s* inside the group
+
+Signed-off-by: Bastien Roucariès
+bug-debian: https://bugs.debian.org/989264
+bug-debian: https://bugs.debian.org/1032188
+bug: https://www.cve.org/CVERecord?id=CVE-2022-21222
+bug: https://www.cve.org/CVERecord?id=CVE-2021-33587
+Signed-off-by: Bastien Roucariès
+---
+ src/parse.ts | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/parse.ts b/src/parse.ts
+index ad11230..4bca92f 100644
+--- a/src/parse.ts
++++ b/src/parse.ts
+@@ -81,7 +81,7 @@ export type TraversalType =
+ const reName = /^[^\\#]?(?:\\(?:[\da-f]{1,6}\s?|.)|[\w\-\u00b0-\uFFFF])+/;
+ const reEscape = /\\([\da-f]{1,6}\s?|(\s)|.)/gi;
+ // Modified version of https://github.com/jquery/sizzle/blob/master/src/sizzle.js#L87
+-const reAttr = /^(?:(\*|[-\w]*)\|)?((?:\\.|[\w\u00b0-\uFFFF-])+)\s*(?:([~|^$*!]?)=\s*(?:(['"])((?:[^\\]|\\[^])*?)\4|(#?(?:\\.|[\w\u00b0-\uFFFF-])*)|)|)\s*([iI])?\]/;
++const reAttr = /^(?:(\*|[-\w]*)\|)?((?:\\.|[\w\u00b0-\uFFFF-])+)\s*(?:([~|^$*!]?)=\s*(?:(['"])((?:[^\\]|\\[^])*?)\4\s*|(#?(?:\\.|[\w\u00b0-\uFFFF-])*)\s*|)|)([iI])?\]/;
+
+ const actionTypes: { [key: string]: AttributeAction } = {
+ undefined: "exists",
diff -Nru node-css-what-4.0.0/debian/patches/0004-Partial-ReDoS-fix-CVE-2022-21222-CVE-2021-33587-avoi.patch node-css-what-4.0.0/debian/patches/0004-Partial-ReDoS-fix-CVE-2022-21222-CVE-2021-33587-avoi.patch
--- node-css-what-4.0.0/debian/patches/0004-Partial-ReDoS-fix-CVE-2022-21222-CVE-2021-33587-avoi.patch 1970-01-01 00:00:00.000000000 +0000
+++ node-css-what-4.0.0/debian/patches/0004-Partial-ReDoS-fix-CVE-2022-21222-CVE-2021-33587-avoi.patch 2023-03-01 13:47:23.000000000 +0000
@@ -0,0 +1,33 @@
+From: =?utf-8?q?Bastien_Roucari=C3=A8s?=
+Date: Wed, 1 Mar 2023 11:40:39 +0000
+Subject: Partial ReDoS fix CVE-2022-21222/CVE-2021-33587: avoid another
+ (a|a?)+
+MIME-Version: 1.0
+Content-Type: text/plain; charset="utf-8"
+Content-Transfer-Encoding: 8bit
+
+Replace possibly null combinaison (#?(?:\\.|[\w\u00b0-\uFFFF-])*) by (#(?:\\.|[\w\u00b0-\uFFFF-])*|(?:\\.|[\w\u00b0-\uFFFF-])+)
+
+Signed-off-by: Bastien Roucariès
+bug-debian: https://bugs.debian.org/989264
+bug-debian: https://bugs.debian.org/1032188
+bug: https://www.cve.org/CVERecord?id=CVE-2022-21222
+bug: https://www.cve.org/CVERecord?id=CVE-2021-33587
+Signed-off-by: Bastien Roucariès
+---
+ src/parse.ts | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/parse.ts b/src/parse.ts
+index 4bca92f..fcae1e3 100644
+--- a/src/parse.ts
++++ b/src/parse.ts
+@@ -81,7 +81,7 @@ export type TraversalType =
+ const reName = /^[^\\#]?(?:\\(?:[\da-f]{1,6}\s?|.)|[\w\-\u00b0-\uFFFF])+/;
+ const reEscape = /\\([\da-f]{1,6}\s?|(\s)|.)/gi;
+ // Modified version of https://github.com/jquery/sizzle/blob/master/src/sizzle.js#L87
+-const reAttr = /^(?:(\*|[-\w]*)\|)?((?:\\.|[\w\u00b0-\uFFFF-])+)\s*(?:([~|^$*!]?)=\s*(?:(['"])((?:[^\\]|\\[^])*?)\4\s*|(#?(?:\\.|[\w\u00b0-\uFFFF-])*)\s*|)|)([iI])?\]/;
++const reAttr = /^(?:(\*|[-\w]*)\|)?((?:\\.|[\w\u00b0-\uFFFF-])+)\s*(?:([~|^$*!]?)=\s*(?:(['"])((?:[^\\]|\\[^])*?)\4\s*|(#(?:\\.|[\w\u00b0-\uFFFF-])*|(?:\\.|[\w\u00b0-\uFFFF-])+)\s*|)|)([iI])?\]/;
+
+ const actionTypes: { [key: string]: AttributeAction } = {
+ undefined: "exists",
diff -Nru node-css-what-4.0.0/debian/patches/0005-Final-ReDos-Fix-for-CVE-2022-21222-CVE-2021-33587-wh.patch node-css-what-4.0.0/debian/patches/0005-Final-ReDos-Fix-for-CVE-2022-21222-CVE-2021-33587-wh.patch
--- node-css-what-4.0.0/debian/patches/0005-Final-ReDos-Fix-for-CVE-2022-21222-CVE-2021-33587-wh.patch 1970-01-01 00:00:00.000000000 +0000
+++
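Review bot: With the unquoted-value group changed from `(#?(?:\\.|[\w\u00b0-\uFFFF-])*)` to `(#(?:\\.|[\w\u00b0-\uFFFF-])*|(?:\\.|[\w\u00b0-\uFFFF-])+)` in patch 0004, an attribute selector that has `=` but no value no longer leaves the empty string in that capture group. The group can no longer match nothing, so the match falls through to the trailing empty alternative and the group is `undefined`. The destructuring of `attributeMatch` in `parseSelector` is outside this hunk, so it is worth confirming that the value there defaults to `""` rather than reaching later code as `undefined`. A short comment on the constant naming which alternative handles the empty value would make the intent visible.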
node-css-what-4.0.0/debian/patches/0005-Final-ReDos-Fix-for-CVE-2022-21222-CVE-2021-33587-wh.patch 2023-03-01 13:47:23.000000000 +0000 
@@ -0,0 +1,34 @@
+From: =?utf-8?q?Bastien_Roucari=C3=A8s?=
+Date: Wed, 1 Mar 2023 11:45:48 +0000
+Subject: Final ReDos Fix for CVE-2022-21222/CVE-2021-33587: whitespace fix
+MIME-Version: 1.0
+Content-Type: text/plain; charset="utf-8"
+Content-Transfer-Encoding: 8bit
+
+Replace \s that could match whitespace in \u00b0-\uFFFF, by [ \t\n\r\f]* that is space according to css specification
+
+Upstream version 4.0.0 allowed to match indent name including non breakable UTF, keep this feature.
+
+Signed-off-by: Bastien Roucariès
+bug-debian: https://bugs.debian.org/989264
+bug-debian: https://bugs.debian.org/1032188
+bug: https://www.cve.org/CVERecord?id=CVE-2022-21222
+bug: https://www.cve.org/CVERecord?id=CVE-2021-33587
+Signed-off-by: Bastien Roucariès
+---
+ src/parse.ts | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/parse.ts b/src/parse.ts
+index fcae1e3..278eecf 100644
+--- a/src/parse.ts
++++ b/src/parse.ts
+@@ -81,7 +81,7 @@ export type TraversalType =
+ const reName = /^[^\\#]?(?:\\(?:[\da-f]{1,6}\s?|.)|[\w\-\u00b0-\uFFFF])+/;
+ const reEscape = /\\([\da-f]{1,6}\s?|(\s)|.)/gi;
+ // Modified version of https://github.com/jquery/sizzle/blob/master/src/sizzle.js#L87
+-const reAttr = /^(?:(\*|[-\w]*)\|)?((?:\\.|[\w\u00b0-\uFFFF-])+)\s*(?:([~|^$*!]?)=\s*(?:(['"])((?:[^\\]|\\[^])*?)\4\s*|(#(?:\\.|[\w\u00b0-\uFFFF-])*|(?:\\.|[\w\u00b0-\uFFFF-])+)\s*|)|)([iI])?\]/;
++const reAttr = /^(?:(\*|[-\w]*)\|)?((?:\\.|[\w\u00b0-\uFFFF-])+)[ \t\n\r\f]*(?:([~|^$*!]?)=[ \t\n\r\f]*(?:(['"])((?:[^\\]|\\[^])*?)\4[ \t\n\r\f]*|(#(?:\\.|[\w\u00b0-\uFFFF-])*|(?:\\.|[\w\u00b0-\uFFFF-])+)[ \t\n\r\f]*|)|)([iI])?\]/;
+
+ const actionTypes: { [key: string]: AttributeAction } = {
+ undefined: "exists",
diff -Nru node-css-what-4.0.0/debian/patches/series node-css-what-4.0.0/debian/patches/series
--- node-css-what-4.0.0/debian/patches/series 1970-01-01 00:00:00.000000000 +0000
+++ node-css-what-4.0.0/debian/patches/series 2023-03-01 13:47:23.000000000 +0000
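Review bot: Nothing in src/parse.ts records why whitespace is now spelled `[ \t\n\r\f]` four times in `reAttr` (patch 0005), so a later tidy-up back to `\s` would quietly restore the overlap with `\u00b0-\uFFFF` that this patch removes. A comment above the constant would pin that down, e.g. `// CSS whitespace only: \s overlaps the \u00b0-\uFFFF name range (CVE-2022-21222, CVE-2021-33587).` The five patches as shown touch only src/parse.ts, so the series also carries no regression test that bounds `parse` time on an oversized attribute selector; adding one would back the "final fix" claim in the subject line.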
@@ -0,0 +1,5 @@
+0001-Partial-fix-of-reDos-CVE-2022-21222-CVE-2021-33587-a.patch
+0002-Partial-fix-of-ReDos-CVE-2022-21222-CVE-2021-33587-t.patch
+0003-Partial-Fix-of-ReDos-CVE-2022-21222-CVE-2021-33587-p.patch
+0004-Partial-ReDoS-fix-CVE-2022-21222-CVE-2021-33587-avoi.patch
+0005-Final-ReDos-Fix-for-CVE-2022-21222-CVE-2021-33587-wh.patch