Le 29/04/2021 à 10:32, Yadd a écrit : > Package: release.debian.org > Severity: normal > User: [email protected] > Usertags: unblock > X-Debbugs-Cc: [email protected] > > Please unblock package node-postcss > > [ Reason ] > node-postcss is vulnerable to a Regex Denial of Service (ReDoS) > > [ Impact ] > Medium vulnerability > > [ Tests ] > I added tests for CVE-2021-23368 and CVE-2021-23382 inspired by the CVE > proofs of concept > > [ Risks ] > No risk, this is just a regex improvement. > > [ Checklist ] > [X] all changes are documented in the d/changelog > [X] I reviewed all changes and I approve them > [X] attach debdiff against the package in testing > > Cheers, > Yadd > > unblock node-postcss/8.2.1+~cs5.3.23-7
I added a missing `set -e` in the security test. autopkgtest works fine with my patch and fails without it. Cheers, Yadd unblock node-postcss/8.2.1+~cs5.3.23-8
diff --git a/debian/changelog b/debian/changelog
index f7ffc04..cf21277 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,18 @@
+node-postcss (8.2.1+~cs5.3.23-8) unstable; urgency=medium
+
+ * Team upload
+ * Add missing `set -e` in security test
+
+ -- Yadd <[email protected]> Thu, 29 Apr 2021 10:44:29 +0200
+
+node-postcss (8.2.1+~cs5.3.23-7) unstable; urgency=medium
+
+ * Team upload
+ * Fix ReDoS (Closes: CVE-2021-23382)
+ * Add autopkgtest files for CVE-2021-23368 and CVE-2021-23382
+
+ -- Yadd <[email protected]> Thu, 29 Apr 2021 10:24:48 +0200
+
 node-postcss (8.2.1+~cs5.3.23-6) unstable; urgency=medium
 * Team upload
diff --git a/debian/patches/CVE-2021-23382.patch b/debian/patches/CVE-2021-23382.patch
new file mode 100644
index 0000000..a953851
--- /dev/null
+++ b/debian/patches/CVE-2021-23382.patch
@@ -0,0 +1,25 @@
+Description: Fix ReDoS in previous-map
+Author: Yeting Li <[email protected]>
+Origin: upstream, https://github.com/postcss/postcss/commit/2ad1ca9b
+Bug: https://snyk.io/vuln/SNYK-JS-POSTCSS-1255640
+Forwarded: not-needed
+Reviewed-By: Yadd <[email protected]>
+Last-Update: 2021-04-29
+
+--- a/lib/previous-map.js
++++ b/lib/previous-map.js
+@@ -49,12 +49,12 @@
+
+ getAnnotationURL (sourceMapString) {
+ return sourceMapString
+- .match(/\/\*\s*# sourceMappingURL=(.*)\*\//)[1]
++ .match(/\/\*\s*# sourceMappingURL=((?:(?!sourceMappingURL=).)*)\*\//)[1]
+ .trim()
+ }
+
+ loadAnnotation (css) {
+- let annotations = css.match(/\/\*\s*# sourceMappingURL=.*\*\//gm)
++ let annotations = css.match(/\/\*\s*# sourceMappingURL=(?:(?!sourceMappingURL=).)*\*\//gm)
+
+ if (annotations && annotations.length > 0) {
+ // Locate the last sourceMappingURL to avoid picking up
diff --git a/debian/patches/series b/debian/patches/series
index 1be7968..2e873a9 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1 +1,2 @@
 CVE-2021-23368.patch
+CVE-2021-23382.patch
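Review bot: The two tempered tokens on the `++` lines of the nested hunk are the entire fix, but nothing at either call site records why `.*` was replaced, so a later cleanup could quietly reintroduce the quadratic scan; I would add above `loadAnnotation (css) {` the comment `// (?:(?!sourceMappingURL=).)* rather than .*: a plain .* rescans to end of input for every repeated marker (quadratic, CVE-2021-23382)`. The same comment should record the one semantic change the commit does not mention: the token refuses to cross a second `sourceMappingURL=`, so an annotation whose URL text itself contains that literal no longer matches and `loadAnnotation` yields null where it previously matched. `getAnnotationURL` still indexes `[1]` on the match result with no null check, which is only safe while its argument is one of `loadAnnotation`'s own matches. Because the patch is taken verbatim from upstream commit 2ad1ca9b, the explanation may belong in the DEP-3 Description rather than in the code. The enclosing class continues outside the hunk.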
diff --git a/debian/tests/CVE-2021-23368.js b/debian/tests/CVE-2021-23368.js
new file mode 100644
index 0000000..1a8b09c
--- /dev/null
+++ b/debian/tests/CVE-2021-23368.js
@@ -0,0 +1,32 @@
+var postcss = require("postcss")
+
+const startTime = Date.now();
+
+function build_attack(n) {
+ var ret = "a{}/*# sourceMappingURL="
+ for (var i = 0; i < n; i++) {
+ ret += " "
+ }
+ return ret + "!";
+}
+
+// postcss.parse('a{}/*# sourceMappingURL=a.css.map */')
+for(var i = 1; i <= 500000; i++) {
+ if (i % 10000 == 0) {
+ var time = Date.now();
+ var attack_str = build_attack(i)
+ try{
+ postcss.parse(attack_str)
+ var time_cost = Date.now() - time;
+ console.log("attack_str.length: " + attack_str.length + ": " + time_cost+" ms");
+ }
+ catch(e){
+ var time_cost = Date.now() - time;
+ console.log("attack_str.length: " + attack_str.length + ": " + time_cost+" ms");
+ }
+ }
+ if(Date.now() - time > 10000) {
+ console.error('Vulnerable to CVE-2021-23368');
+ process.exit(1);
+ }
+}
diff --git a/debian/tests/CVE-2021-23382.js b/debian/tests/CVE-2021-23382.js
new file mode 100644
index 0000000..c891279
--- /dev/null
+++ b/debian/tests/CVE-2021-23382.js
@@ -0,0 +1,32 @@
+var postcss = require("postcss")
+
+const startTime = Date.now();
+
+function build_attack(n) {
+ var ret = "a{}"
+ for (var i = 0; i < n; i++) {
+ ret += "/*# sourceMappingURL="
+ }
+ return ret + "!";
+}
+
+// postcss.parse('a{}/*# sourceMappingURL=a.css.map */')
+for(var i = 1; i <= 500000; i++) {
+ if (i % 1000 == 0) {
+ var time = Date.now();
+ var attack_str = build_attack(i)
+ try{
+ postcss.parse(attack_str)
+ var time_cost = Date.now() - time;
+ console.log("attack_str.length: " + attack_str.length + ": " + time_cost+" ms");
+ }
+ catch(e){
+ var time_cost = Date.now() - time;
+ console.log("attack_str.length: " + attack_str.length + ": " + time_cost+" ms");
+ }
+ }
+ if(Date.now() - time > 10000) {
+ console.error('Vulnerable to CVE-2021-23368');
+ process.exit(1);
+ }
+}
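Review bot: The `catch(e){` branch swallows every exception and still logs a timing as if the parse succeeded, so a parser that crashed (say with a TypeError) before ever reaching the vulnerable regex would pass this test, and the only failure signal left is the 10 s wall-clock threshold at `if(Date.now() - time > 10000) {`, which a loaded autopkgtest worker can cross for reasons unrelated to ReDoS. The unterminated comment presumably raises the parser's own syntax error — confirm the class name — so I would rethrow anything else: `if (e.name !== 'CssSyntaxError') throw e`. That timing check also sits outside the `if (i % 10000 == 0) {` sample, so it runs on all 500000 iterations against a hoisted `var time` that is undefined for the first 9999 of them (`NaN > 10000` is false, which is the only reason it works); moving the check inside the sampled branch and deleting the unused `const startTime` would make the intent explicit.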
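Review bot: The failure message in this file is wrong: `console.error('Vulnerable to CVE-2021-23368');` was carried over from the sibling test and should read `console.error('Vulnerable to CVE-2021-23382');`, otherwise a regression of the previous-map regex is reported in the autopkgtest log under the other CVE's id and a reader of the log will look at the wrong patch. The script otherwise shares its sibling's weaknesses: the `catch(e){` branch hides every exception, including ones that mean the vulnerable code path was never reached, and the `Date.now() - time > 10000` check runs on every iteration rather than only after a sampled parse. `const startTime` is declared and never read.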
diff --git a/debian/tests/control b/debian/tests/control
new file mode 100644
index 0000000..40ea2e2
--- /dev/null
+++ b/debian/tests/control
@@ -0,0 +1,2 @@
+Tests: security
+Depends: @
diff --git a/debian/tests/security b/debian/tests/security
new file mode 100755
index 0000000..3e43248
--- /dev/null
+++ b/debian/tests/security
@@ -0,0 +1,6 @@
+#!/bin/bash
+
+set -e
+
+node ./debian/tests/CVE-2021-23368.js
+node ./debian/tests/CVE-2021-23382.js
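Review bot: `set -e` makes the script fail on a non-zero exit, but a ReDoS regression shows up as a hang rather than an exit code: each JS script only checks its 10 s budget after a parse has finished, and a quadratic parse of an input hundreds of thousands of characters long can run far longer than that before `process.exit(1)` is ever reached, so a vulnerable build would block until autopkgtest's global timeout instead of failing promptly. I would bound each run with coreutils `timeout`, e.g. `timeout 300 node ./debian/tests/CVE-2021-23368.js`, which under `set -e` still fails the test on expiry (exit status 124). The `./debian/tests/...` paths rely on the working directory being the source-tree root — which I believe autopkgtest guarantees, but confirm — and `set -eu` costs nothing here.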

