Version in base suite: 8.7.0+ds+~cs27.17.17-3 Base version: node-mermaid_8.7.0+ds+~cs27.17.17-3 Target version: node-mermaid_8.7.0+ds+~cs27.17.17-3+deb11u1 Base file: /srv/ftp-master.debian.org/ftp/pool/main/n/node-mermaid/node-mermaid_8.7.0+ds+~cs27.17.17-3.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/n/node-mermaid/node-mermaid_8.7.0+ds+~cs27.17.17-3+deb11u1.dsc changelog | 6 +++++ patches/CVE-2021-23648.patch | 46 +++++++++++++++++++++++++++++++++++++++++++ patches/series | 1 3 files changed, 53 insertions(+)
diff -Nru node-mermaid-8.7.0+ds+~cs27.17.17/debian/changelog node-mermaid-8.7.0+ds+~cs27.17.17/debian/changelog
--- node-mermaid-8.7.0+ds+~cs27.17.17/debian/changelog 2021-06-29 12:46:20.000000000 +0000
+++ node-mermaid-8.7.0+ds+~cs27.17.17/debian/changelog 2022-03-21 13:06:12.000000000 +0000
@@ -1,3 +1,9 @@
+node-mermaid (8.7.0+ds+~cs27.17.17-3+deb11u1) bullseye; urgency=medium
+
+ * Decode html entities before sanitizing (Closes: CVE-2021-23648)
+
+ -- Yadd Mon, 21 Mar 2022 14:06:12 +0100
+
 node-mermaid (8.7.0+ds+~cs27.17.17-3) unstable; urgency=medium
 * Team upload
diff -Nru node-mermaid-8.7.0+ds+~cs27.17.17/debian/patches/CVE-2021-23648.patch node-mermaid-8.7.0+ds+~cs27.17.17/debian/patches/CVE-2021-23648.patch
--- node-mermaid-8.7.0+ds+~cs27.17.17/debian/patches/CVE-2021-23648.patch 1970-01-01 00:00:00.000000000 +0000
+++ node-mermaid-8.7.0+ds+~cs27.17.17/debian/patches/CVE-2021-23648.patch 2022-03-21 13:06:12.000000000 +0000
@@ -0,0 +1,46 @@
+Description: decode html entities before sanitizing (fixes XSS)
+Author: Blade Barringer
+Origin: upstream, https://github.com/braintree/sanitize-url/commit/8f7371ce
+Bug: https://github.com/braintree/sanitize-url/pull/40
+Forwarded: not-needed
+Reviewed-By: Yadd
+Last-Update: 2022-03-21
+
+--- a/sanitize-url/index.js
++++ b/sanitize-url/index.js
+@@ -1,6 +1,7 @@
+ 'use strict';
+
+ var invalidPrototcolRegex = /^(%20|\s)*(javascript|data)/im;
++const htmlEntitiesRegex = /&#(\w+)(^\w|;)?/g;
+ var ctrlCharactersRegex = /[^\x20-\x7E]/gmi;
+ var urlSchemeRegex = /^([^:]+):/gm;
+ var relativeFirstCharacters = ['.', '/'];
+@@ -9,15 +10,24 @@
+ return relativeFirstCharacters.indexOf(url[0]) > -1;
+ }
+
++// adapted from https://stackoverflow.com/a/29824550/2601552
++function decodeHtmlCharacters(str) {
++ return str.replace(htmlEntitiesRegex, (match, dec) => {
++ return String.fromCharCode(dec);
++ });
++}
++
+ function sanitizeUrl(url) {
+ var urlScheme, urlSchemeParseResults, sanitizedUrl;
+
+- if (!url) {
++ sanitizedUrl = decodeHtmlCharacters(url || "")
++ .replace(ctrlCharactersRegex, "")
++ .trim();
++
++ if (!sanitizedUrl) {
+ return 'about:blank';
+ }
+
+- sanitizedUrl = url.replace(ctrlCharactersRegex, '').trim();
+-
+ if (isRelativeUrlWithoutProtocol(sanitizedUrl)) {
+ return sanitizedUrl;
+ }
diff -Nru node-mermaid-8.7.0+ds+~cs27.17.17/debian/patches/series node-mermaid-8.7.0+ds+~cs27.17.17/debian/patches/series
--- node-mermaid-8.7.0+ds+~cs27.17.17/debian/patches/series 2021-06-29 12:41:58.000000000 +0000
+++ node-mermaid-8.7.0+ds+~cs27.17.17/debian/patches/series 2022-03-21 13:06:12.000000000 +0000
@@ -1,3 +1,4 @@
 0002-Fix-unsupported-syntax.patch
 0003-Replace-moment-mini-with-moment.patch
 CVE-2021-35513.patch
+CVE-2021-23648.patch
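Review bot: The `decodeHtmlCharacters` added in the second inner hunk only decodes decimal references — a hex form such as `&#x6A;avascript:` hands `"x6A"` to `String.fromCharCode`, which coerces it to NaN and emits U+0000, a byte the following `ctrlCharactersRegex` then deletes, so the result is `avascript:` (inert, but not what a browser decodes), and named references such as `&colon;`, `&Tab;` and `&NewLine;` are not decoded at all, so `javascript&colon;alert(1)` reaches `urlSchemeRegex` with no colon for it to match. Whether the `&colon;` case is reachable depends on how mermaid inserts the returned value; if it is written into markup rather than set via `setAttribute`, the browser decodes the reference after this function has approved the string, which is worth confirming before relying on this backport. Separately, `(^\w|;)?` in `htmlEntitiesRegex` uses `^` as a start-of-input anchor inside the group rather than a negated class, so that alternative can never match and the group only ever consumes `;`; `[^\w]` was presumably intended. A decoder that handles hex and decimal numeric references plus the handful of named ones browsers accept in attribute values would close both gaps; note that `sanitizeUrl` itself continues past the end of the hunk.
```javascript
const htmlEntitiesRegex = /&#(x[0-9a-f]+|[0-9]+);?/gi;
const htmlNamedEntitiesRegex = /&(colon|tab|newline);/gi;
const namedEntities = { colon: ':', tab: '\t', newline: '\n' };
// … unchanged: ctrlCharactersRegex, urlSchemeRegex, relativeFirstCharacters, isRelativeUrlWithoutProtocol …

// Decode the entity forms a browser would decode inside an attribute value,
// so the scheme checks below see the same string the browser will.
function decodeHtmlCharacters(str) {
  return str
    .replace(htmlEntitiesRegex, (match, code) => {
      const codePoint = /^x/i.test(code) ? parseInt(code.slice(1), 16) : parseInt(code, 10);
      // String.fromCodePoint throws above U+10FFFF; drop such references instead.
      return codePoint > 0x10ffff ? '' : String.fromCodePoint(codePoint);
    })
    .replace(htmlNamedEntitiesRegex, (match, name) => namedEntities[name.toLowerCase()]);
}
```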