Package: release.debian.org Severity: normal X-Debbugs-Cc: node-js...@packages.debian.org, secur...@debian.org, car...@debian.org Control: affects -1 + src:node-jsdom User: release.debian....@packages.debian.org Usertags: unblock
Please unblock package node-jsdom [ Reason ] Affected by a ReDoS (outside upstream security support), but this blocks the autopkgtest for angular.js, which is affected by about 10 CVEs [ Impact ] Fixes a ReDoS [ Tests ] testsuite [ Risks ] Low [ Checklist ] [X] all changes are documented in the d/changelog [X] I reviewed all changes and I approve them [X] attach debdiff against the package in testing [ Other info ] Would like to have angular.js fixed in trixie. unblock node-jsdom/20.0.3+~cs124.18.21-5
diff -Nru node-jsdom-20.0.3+~cs124.18.21/debian/changelog node-jsdom-20.0.3+~cs124.18.21/debian/changelog --- node-jsdom-20.0.3+~cs124.18.21/debian/changelog 2023-11-25 04:15:10.000000000 +0100 +++ node-jsdom-20.0.3+~cs124.18.21/debian/changelog 2025-06-28 22:22:20.000000000 +0200 @@ -1,3 +1,10 @@ +node-jsdom (20.0.3+~cs124.18.21-5) unstable; urgency=medium + + * Team upload + * Avoid a ReDos in string.js + + -- Bastien Roucariès <ro...@debian.org> Sat, 28 Jun 2025 22:22:20 +0200 + node-jsdom (20.0.3+~cs124.18.21-4) unstable; urgency=medium * Team upload diff -Nru node-jsdom-20.0.3+~cs124.18.21/debian/patches/0005-Avoid-a-ReDos-in-string.js.patch node-jsdom-20.0.3+~cs124.18.21/debian/patches/0005-Avoid-a-ReDos-in-string.js.patch --- node-jsdom-20.0.3+~cs124.18.21/debian/patches/0005-Avoid-a-ReDos-in-string.js.patch 1970-01-01 01:00:00.000000000 +0100 +++ node-jsdom-20.0.3+~cs124.18.21/debian/patches/0005-Avoid-a-ReDos-in-string.js.patch 2025-06-28 22:22:20.000000000 +0200 
@@ -0,0 +1,61 @@ +From 0848d35195fada87b1fedab0f6a566308a892a6a Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Bastien=20Roucari=C3=A8s?= <ro...@debian.org> +Date: Sat, 28 Jun 2025 22:21:06 +0200 +Subject: [PATCH] Avoid a ReDos in string.js + +[ ab]+$ is a ReDoS and crash a regression test on debian + +forwarded: https://github.com/jsdom/jsdom/pull/3896 +--- + lib/jsdom/living/helpers/strings.js | 34 +++++++++++++++++++++++++++-- + 1 file changed, 32 insertions(+), 2 deletions(-) + +Index: node-jsdom/lib/jsdom/living/helpers/strings.js +=================================================================== +--- node-jsdom.orig/lib/jsdom/living/helpers/strings.js 2025-06-28 23:33:35.777608315 +0200 ++++ node-jsdom/lib/jsdom/living/helpers/strings.js 2025-06-28 23:33:35.777608315 +0200 +@@ -21,12 +21,42 @@ + + // https://infra.spec.whatwg.org/#strip-leading-and-trailing-ascii-whitespace + exports.stripLeadingAndTrailingASCIIWhitespace = s => { +- return s.replace(/^[ \t\n\f\r]+/, "").replace(/[ \t\n\f\r]+$/, ""); ++ const beg = s.replace(/^[ \t\n\f\r]+/, ""); ++ // replace(/[ \t\n\f\r]+$/, "") without ReDoS ++ let i = beg.length - 1; ++ while (i >= 0) { ++ switch (beg[i]) { ++ case " ": ++ case "\t": ++ case "\n": ++ case "\f": ++ case "\r": ++ i--; ++ continue; ++ } ++ break; ++ } ++ return beg.slice(0, i + 1); + }; + + // https://infra.spec.whatwg.org/#strip-and-collapse-ascii-whitespace + exports.stripAndCollapseASCIIWhitespace = s => { +- return s.replace(/[ \t\n\f\r]+/g, " ").replace(/^[ \t\n\f\r]+/, "").replace(/[ \t\n\f\r]+$/, ""); ++ const beg = s.replace(/[ \t\n\f\r]+/g, " ").replace(/^[ \t\n\f\r]+/, ""); ++ // replace(/[ \t\n\f\r]+$/, "") without ReDoS ++ let i = beg.length - 1; ++ while (i >= 0) { ++ switch (beg[i]) { ++ case " ": ++ case "\t": ++ case "\n": ++ case "\f": ++ case "\r": ++ i--; ++ continue; ++ } ++ break; ++ } ++ return beg.slice(0, i + 1); + }; + + // https://html.spec.whatwg.org/multipage/infrastructure.html#valid-simple-colour diff -Nru 
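Review bot: The backwards trailing-whitespace scan is pasted verbatim into both stripLeadingAndTrailingASCIIWhitespace and stripAndCollapseASCIIWhitespace; pulling it into one helper keeps the two whitespace definitions (the `[ \t\n\f\r]` regex class and the switch cases) from drifting apart, which matters because the Infra spec fixes exactly these five code points. The loop itself looks correct: it stops at the first non-whitespace code unit and the all-whitespace case ends with `i === -1`, so `slice(0, 0)` returns the empty string. The leading strip keeps the `^`-anchored regex, and the `/g` collapse advances past each match, so only the unanchored `[ \t\n\f\r]+$` pattern should have had the quadratic backtracking this patch removes; a regression test feeding `" ".repeat(100000) + "x"` to both exports would lock that in. In stripAndCollapseASCIIWhitespace the collapse step already leaves at most one trailing space, so the scan there runs a single iteration either way.
```javascript
// Infra "ASCII whitespace": U+0009 TAB, U+000A LF, U+000C FF, U+000D CR, U+0020 SPACE.
const ASCII_WHITESPACE = new Set([" ", "\t", "\n", "\f", "\r"]);

// Drops trailing ASCII whitespace by scanning backwards; no regex, so it is
// linear in the input length however much whitespace the input holds.
function stripTrailingASCIIWhitespace(s) {
  let end = s.length;
  while (end > 0 && ASCII_WHITESPACE.has(s[end - 1])) {
    end--;
  }
  return s.slice(0, end);
}

// https://infra.spec.whatwg.org/#strip-leading-and-trailing-ascii-whitespace
exports.stripLeadingAndTrailingASCIIWhitespace = s => {
  return stripTrailingASCIIWhitespace(s.replace(/^[ \t\n\f\r]+/, ""));
};

// https://infra.spec.whatwg.org/#strip-and-collapse-ascii-whitespace
exports.stripAndCollapseASCIIWhitespace = s => {
  return stripTrailingASCIIWhitespace(
    s.replace(/[ \t\n\f\r]+/g, " ").replace(/^[ \t\n\f\r]+/, "")
  );
};
```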
node-jsdom-20.0.3+~cs124.18.21/debian/patches/series node-jsdom-20.0.3+~cs124.18.21/debian/patches/series
--- node-jsdom-20.0.3+~cs124.18.21/debian/patches/series 2023-11-24 03:47:02.000000000 +0100
+++ node-jsdom-20.0.3+~cs124.18.21/debian/patches/series 2025-06-28 22:21:38.000000000 +0200
@@ -2,3 +2,4 @@
 fix-test.patch
 tsc-workaround.patch
 fix-for-https-proxy-agent-7.patch
+0005-Avoid-a-ReDos-in-string.js.patch