Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian....@packages.debian.org
Usertags: pu
[ Reason ]
node-ansi-regex is vulnerable to a ReDoS (CVE-2021-3807)

[ Impact ]
Little vulnerability

[ Tests ]
Test passed (no change)

[ Risks ]
Low risk, patch is trivial

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

[ Changes ]
Regex improvement

Cheers,
Yadd
diff --git a/debian/changelog b/debian/changelog index 92aa3dc..095e7f4 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +node-ansi-regex (3.0.0-1+deb10u1) unstable; urgency=medium + + * Team upload + * Fix ReDoS (Closes: CVE-2021-3807) + + -- Yadd <y...@debian.org> Wed, 22 Sep 2021 09:12:15 +0200 + node-ansi-regex (3.0.0-1) unstable; urgency=medium * Team upload diff --git a/debian/patches/CVE-2021-3807.patch b/debian/patches/CVE-2021-3807.patch new file mode 100644 index 0000000..b5efa42 --- /dev/null +++ b/debian/patches/CVE-2021-3807.patch @@ -0,0 +1,19 @@ +Description: Fix potential ReDoS +Author: Yeting Li <l...@ios.ac.cn> +Origin: upstream, https://github.com/chalk/ansi-regex/commit/8d1d7cdb +Bug: https://huntr.dev/bounties/5b3cf33b-ede0-4398-9974-800876dfd994 +Forwarded: not-needed +Reviewed-By: Yadd <y...@debian.org> +Last-Update: 2021-09-22 + +--- a/index.js ++++ b/index.js +@@ -2,7 +2,7 @@ + + module.exports = () => { + const pattern = [ +- '[\\u001B\\u009B][[\\]()#;?]*(?:(?:(?:[a-zA-Z\\d]*(?:;[a-zA-Z\\d]*)*)?\\u0007)', ++ '[\\u001B\\u009B][[\\]()#;?]*(?:(?:(?:(?:;[-a-zA-Z\\d\\/#&.:=?%@~_]+)*|[a-zA-Z\\d]+(?:;[-a-zA-Z\\d\\/#&.:=?%@~_]*)*)?\\u0007)', + '(?:(?:\\d{1,4}(?:;\\d{0,4})*)?[\\dA-PRZcf-ntqry=><~]))' + ].join('|'); + diff --git a/debian/patches/series b/debian/patches/series index c508ffd..38e81d3 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -1 +1,2 @@ 00-mocha.diff +CVE-2021-3807.patch
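Review bot: the debian/changelog hunk targets the wrong distribution: the new entry reads `node-ansi-regex (3.0.0-1+deb10u1) unstable; urgency=medium`, but the version suffix `+deb10u1` and the `buster` tag on this request mean the upload has to go to `buster`, so the distribution field should be `buster`. In the same entry, `* Fix ReDoS (Closes: CVE-2021-3807)` misuses `Closes:`, which is parsed for Debian bug numbers; write `* Fix ReDoS (CVE-2021-3807)` so the CVE id is still picked up by the tracker without a bogus close.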
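Review bot: the new debian/patches/CVE-2021-3807.patch changes only the regex and adds no regression test, which is why "[ Tests ] Test passed (no change)" says nothing about the pathological case; add a test that runs the regex over an escape character followed by a long run of `;` and checks that it returns promptly, otherwise a future regex edit can silently reintroduce the backtracking. Two smaller points in the same hunk: the DEP-3 `Description: Fix potential ReDoS` should carry the CVE id so the patch is self-describing, and the replacement line widens the class accepted after `;` from `[a-zA-Z\\d]` to `[-a-zA-Z\\d\\/#&.:=?%@~_]`, so sequences whose payload contains characters such as `:` or `/` are now stripped where they were not before; that is a behaviour change beyond the ReDoS fix and deserves a mention in d/changelog.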
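The following is an added example and is not part of this upload or of ansi-regex itself. The two pattern strings are copied verbatim from the hunk above (the removed line and the added line, each joined with the unchanged second line exactly as index.js does); the helper functions, the constructed pathological input (ESC followed by a run of `;` with no terminator) and the constructed sample strings are mine. It shows why the old pattern is quadratic in the number of `;` (the leading `[[\]()#;?]*` and the repeated `(?:;[a-zA-Z\d]*)*` compete for the same characters, so every split is tried before the mandatory `\u0007` fails), that the patched pattern stays flat on the same input, and that both still strip ordinary SGR colour codes, with the widened character class additionally stripping a payload that contains `:` and `/`. Timings are printed for inspection only; nothing depends on their exact values.

```javascript
// Added example: not code from this upload or from ansi-regex. The two
// pattern strings are copied from the debdiff; everything else is mine.

// Pattern before the fix (CVE-2021-3807). The leading [[\]()#;?]* and the
// repeated (?:;[a-zA-Z\d]*)* can both consume ';', so a run of n ';' has
// O(n) ways to be split between them and each split is retried before the
// required \u0007 fails: O(n^2) work for one replace() call.
const beforePattern = [
  '[\\u001B\\u009B][[\\]()#;?]*(?:(?:(?:[a-zA-Z\\d]*(?:;[a-zA-Z\\d]*)*)?\\u0007)',
  '(?:(?:\\d{1,4}(?:;\\d{0,4})*)?[\\dA-PRZcf-ntqry=><~]))'
].join('|');

// Pattern after the fix. Inside the repeated group each ';' must be followed
// by at least one payload character, so a bare run of ';' has a single parse.
const afterPattern = [
  '[\\u001B\\u009B][[\\]()#;?]*(?:(?:(?:(?:;[-a-zA-Z\\d\\/#&.:=?%@~_]+)*|[a-zA-Z\\d]+(?:;[-a-zA-Z\\d\\/#&.:=?%@~_]*)*)?\\u0007)',
  '(?:(?:\\d{1,4}(?:;\\d{0,4})*)?[\\dA-PRZcf-ntqry=><~]))'
].join('|');

// Same shape as the module's export: a fresh global RegExp per call.
function ansiRegex(pattern) {
  return new RegExp(pattern, 'g');
}

// Strip every match of the given pattern, as strip-ansi style consumers do.
function stripAnsi(input, pattern) {
  return input.replace(ansiRegex(pattern), '');
}

// Constructed attacker input: ESC followed by n ';' and no terminator.
function pathologicalInput(n) {
  return '\u001B' + ';'.repeat(n);
}

// Run one replace() and report whether anything was stripped and how long it took.
function timeStrip(input, pattern) {
  const start = process.hrtime.bigint();
  const out = stripAnsi(input, pattern);
  const ms = Number(process.hrtime.bigint() - start) / 1e6;
  return { changed: out !== input, ms };
}

// Constructed samples: plain SGR colour codes, and a BEL-terminated payload
// whose URL contains ':' and '/' (characters the widened class now accepts).
const coloured = '\u001B[31mred\u001B[0m';
const hyperlink = '\u001B]8;;https://example.com\u0007link\u001B]8;;\u0007';

// Doubling n roughly quadruples the 'before' time; 'after' stays flat.
for (const n of [2000, 4000, 8000]) {
  const before = timeStrip(pathologicalInput(n), beforePattern);
  const after = timeStrip(pathologicalInput(n), afterPattern);
  console.log(`n=${n}: before ${before.ms.toFixed(1)} ms, after ${after.ms.toFixed(1)} ms`);
}
console.log(JSON.stringify(stripAnsi(coloured, afterPattern)));   // "red"
console.log(JSON.stringify(stripAnsi(hyperlink, afterPattern)));  // "link"
```

The old pattern leaves most of the hyperlink payload behind because `:` is outside `[a-zA-Z\d]`; the patched pattern consumes the whole sequence up to the `\u0007`. Neither pattern matches the pathological input at all, which is exactly why the old one is expensive: all of the work is spent proving there is no match.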