Package: node-css-what / 4.0.0-3+deb11u1
Metadata
Package | Version | Patches format |
---|---|---|
node-css-what | 4.0.0-3+deb11u1 | 3.0 (quilt) |
Patch series
Patch | File delta | Description |
---|---|---|
0001 Partial fix of reDos CVE 2022 21222 CVE 2021 33587 a.patch | src/parse.ts: 2 1 + 1 - 0 ! | partial fix of redos cve-2022-21222/cve-2021-33587: attribute selector. Per https://w3c.github.io/csswg-drafts/selectors/#attribute-selectors only = ~= |= ^= $= *= are supported. Add also != that is checked as invalid later in order to pass testsuite. So replace \S by [~|^$*!] Signed-off-by: Bastien Roucaris <rouca@debian.org> bug-debian: https://bugs.debian.org/989264 bug-debian: https://bugs.debian.org/1032188 bug: https://www.cve.org/CVERecord?id=CVE-2022-21222 bug: https://www.cve.org/CVERecord?id=CVE-2021-33587 |
0002 Partial fix of ReDos CVE 2022 21222 CVE 2021 33587 t.patch | src/parse.ts: 11 8 + 3 - 0 ! | partial fix of redos cve-2022-21222/cve-2021-33587: trim string. Trim left the string avoiding a \s* at the beginning of the string, thus avoiding part of complexity. bug-debian: https://bugs.debian.org/989264 bug-debian: https://bugs.debian.org/1032188 bug: https://www.cve.org/CVERecord?id=CVE-2022-21222 bug: https://www.cve.org/CVERecord?id=CVE-2021-33587 Signed-off-by: Bastien Roucaris <rouca@debian.org> |
0003 Partial Fix of ReDos CVE 2022 21222 CVE 2021 33587 p.patch | src/parse.ts: 2 1 + 1 - 0 ! | partial fix of redos cve-2022-21222/cve-2021-33587: push inside group avoiding (a|a?)+ problem. Push \s* inside the group. Signed-off-by: Bastien Roucaris <rouca@debian.org> bug-debian: https://bugs.debian.org/989264 bug-debian: https://bugs.debian.org/1032188 bug: https://www.cve.org/CVERecord?id=CVE-2022-21222 bug: https://www.cve.org/CVERecord?id=CVE-2021-33587 Signed-off-by: Bastien Roucaris <rouca@debian.org> |
0004 Partial ReDoS fix CVE 2022 21222 CVE 2021 33587 avoi.patch | src/parse.ts: 2 1 + 1 - 0 ! | partial redos fix cve-2022-21222/cve-2021-33587: avoid another (a|a?)+. Replace possibly null combination (#?(?:\\.|[\w\u00b0-\uFFFF-])*) by (#(?:\\.|[\w\u00b0-\uFFFF-])*|(?:\\.|[\w\u00b0-\uFFFF-])+) Signed-off-by: Bastien Roucaris <rouca@debian.org> bug-debian: https://bugs.debian.org/989264 bug-debian: https://bugs.debian.org/1032188 bug: https://www.cve.org/CVERecord?id=CVE-2022-21222 bug: https://www.cve.org/CVERecord?id=CVE-2021-33587 Signed-off-by: Bastien Roucaris <rouca@debian.org> |
0005 Final ReDos Fix for CVE 2022 21222 CVE 2021 33587 wh.patch | src/parse.ts: 2 1 + 1 - 0 ! | final redos fix for cve-2022-21222/cve-2021-33587: whitespace fix. Replace \s that could match whitespace in \u00b0-\uFFFF, by [ \t\n\r\f]* that is space according to css specification. Upstream version 4.0.0 allowed to match indent name including non breakable UTF, keep this feature. Signed-off-by: Bastien Roucaris <rouca@debian.org> bug-debian: https://bugs.debian.org/989264 bug-debian: https://bugs.debian.org/1032188 bug: https://www.cve.org/CVERecord?id=CVE-2022-21222 bug: https://www.cve.org/CVERecord?id=CVE-2021-33587 Signed-off-by: Bastien Roucaris <rouca@debian.org> |