Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian@packages.debian.org
Usertags: pu
[ Reason ]
node-ansi-regex is vulnerable to a ReDoS (CVE-2021-3807)
[ Impact ]
Little vulnerability
[ Tests ]
Test passed (no change)
[ Risks ]
Low risk, patch is trivial
[ Checklist ]
[X] *all* changes are documented in the d/changelog
[X] I reviewed all changes and I approve them
[X] attach debdiff against the package in (old)stable
[X] the issue is verified as fixed in unstable
[ Changes ]
Regex improvement
Cheers,
Yadd
diff --git a/debian/changelog b/debian/changelog
index 92aa3dc..095e7f4 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+node-ansi-regex (3.0.0-1+deb10u1) unstable; urgency=medium
+
+ * Team upload
+ * Fix ReDoS (Closes: CVE-2021-3807)
+
+ -- Yadd Wed, 22 Sep 2021 09:12:15 +0200
+
node-ansi-regex (3.0.0-1) unstable; urgency=medium
* Team upload
diff --git a/debian/patches/CVE-2021-3807.patch
b/debian/patches/CVE-2021-3807.patch
new file mode 100644
index 000..b5efa42
--- /dev/null
+++ b/debian/patches/CVE-2021-3807.patch
@@ -0,0 +1,19 @@
+Description: Fix potential ReDoS
+Author: Yeting Li
+Origin: upstream, https://github.com/chalk/ansi-regex/commit/8d1d7cdb
+Bug: https://huntr.dev/bounties/5b3cf33b-ede0-4398-9974-800876dfd994
+Forwarded: not-needed
+Reviewed-By: Yadd
+Last-Update: 2021-09-22
+
+--- a/index.js
b/index.js
+@@ -2,7 +2,7 @@
+
+ module.exports = () => {
+ const pattern = [
+-
'[\\u001B\\u009B][[\\]()#;?]*(?:(?:(?:[a-zA-Z\\d]*(?:;[a-zA-Z\\d]*)*)?\\u0007)',
++
'[\\u001B\\u009B][[\\]()#;?]*(?:(?:(?:(?:;[-a-zA-Z\\d\\/#&.:=?%@~_]+)*|[a-zA-Z\\d]+(?:;[-a-zA-Z\\d\\/#&.:=?%@~_]*)*)?\\u0007)',
+ '(?:(?:\\d{1,4}(?:;\\d{0,4})*)?[\\dA-PRZcf-ntqry=><~]))'
+ ].join('|');
+
diff --git a/debian/patches/series b/debian/patches/series
index c508ffd..38e81d3 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1 +1,2 @@
00-mocha.diff
+CVE-2021-3807.patch