diff --git a/debian/changelog b/debian/changelog
index b24445b..6bce149 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+node-turndown (7.1.1-3deepin1) unstable; urgency=medium
+
+ * Fix CVE-2025-9670: ReDoS vulnerability via regexp bottleneck
+
+ -- deepin-ci-robot Thu, 30 Apr 2026 10:13:11 +0800
+
 node-turndown (7.1.1-3) unstable; urgency=medium
 
 * Team upload
diff --git a/debian/patches/cve_2025_9670.patch b/debian/patches/cve_2025_9670.patch
new file mode 100644
index 0000000..a54572b
--- /dev/null
+++ b/debian/patches/cve_2025_9670.patch
@@ -0,0 +1,66 @@
+Description: Fix CVE-2025-9670: ReDoS vulnerability via regexp bottleneck
+ Replace regexp trailing space removal with more optimized method to avoid
+ regex performance issues.
+Author: Martin Čížek
+Origin: upstream, https://github.com/mixmark-io/turndown/commit/8ed049935ac235cc009e9a7412c0a6fe6ab5b223
+Bug: https://security-tracker.debian.org/tracker/CVE-2025-9670
+Forwarded: not-needed
+Index: github-node-turndown-CVE-2025-9670/src/commonmark-rules.js
+===================================================================
+--- github-node-turndown-CVE-2025-9670.orig/src/commonmark-rules.js
++++ github-node-turndown-CVE-2025-9670/src/commonmark-rules.js
+@@ -1,4 +1,4 @@
+-import { repeat } from './utilities'
++import { repeat, trimNewlines } from './utilities'
+
+ var rules = {}
+
+@@ -39,8 +39,7 @@ rules.blockquote = {
+ filter: 'blockquote',
+
+ replacement: function (content) {
+- content = content.replace(/^\n+|\n+$/g, '')
+- content = content.replace(/^/gm, '> ')
++ content = trimNewlines(content).replace(/^/gm, "> ")
+ return '\n\n' + content + '\n\n'
+ }
+ }
+@@ -62,10 +61,6 @@ rules.listItem = {
+ filter: 'li',
+
+ replacement: function (content, node, options) {
+- content = content
+- .replace(/^\n+/, '') // remove leading newlines
+- .replace(/\n+$/, '\n') // replace trailing newlines with just a single one
+- .replace(/\n/gm, '\n ') // indent
+ var prefix = options.bulletListMarker + ' '
+ var parent = node.parentNode
+ if (parent.nodeName === 'OL') {
+@@ -73,8 +68,11 @@ rules.listItem = {
+ var index = Array.prototype.indexOf.call(parent.children, node)
+ prefix = (start ? Number(start) + index : index + 1) + '. '
+ }
++ var isParagraph = /\n$/.test(content)
++ content = trimNewlines(content) + (isParagraph ? '\n' : '')
++ content = content.replace(/\n/gm, '\n' + ' '.repeat(prefix.length)) // indent
+ return (
+- prefix + content + (node.nextSibling && !/\n$/.test(content) ? '\n' : '')
++ prefix + content + (node.nextSibling ? '\n' : '')
+ )
+ }
+ }
+Index: github-node-turndown-CVE-2025-9670/src/utilities.js
+===================================================================
+--- github-node-turndown-CVE-2025-9670.orig/src/utilities.js
++++ github-node-turndown-CVE-2025-9670/src/utilities.js
+@@ -23,6 +23,10 @@ export function trimTrailingNewlines (st
+ return string.substring(0, indexEnd)
+ }
+
++export function trimNewlines (string) {
++ return trimTrailingNewlines(trimLeadingNewlines(string))
++}
++
+ export var blockElements = [
+ 'ADDRESS', 'ARTICLE', 'ASIDE', 'AUDIO', 'BLOCKQUOTE', 'BODY', 'CANVAS',
+ 'CENTER', 'DD', 'DIR', 'DIV', 'DL', 'DT', 'FIELDSET', 'FIGCAPTION', 'FIGURE',
diff --git a/debian/patches/series b/debian/patches/series
index bfefb9a..ccc85e0 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,2 +1,3 @@
 ship_typescript_definitions.patch
 fix-for-rollup-3.patch
+cve_2025_9670.patch
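Review bot: The Description header of the new patch file says it replaces "regexp trailing space removal", but the code it removes (`/^\n+|\n+$/g` in blockquote, `/^\n+/` and `/\n+$/` in listItem) trims newlines, and the costly part is presumably the end-anchored `\n+$`; suggest `Replace regexp leading/trailing newline trimming with a linear scan`. The fix's effectiveness rests on `trimLeadingNewlines` and `trimTrailingNewlines` in utilities.js, which lie outside the hunk — the context line `return string.substring(0, indexEnd)` suggests the trailing trim is an index scan, but the leading trim should be confirmed to be a start-anchored match or loop before the CVE is considered closed, and a comment on the new helper such as `// Linear-time replacement for /^\n+|\n+$/ (CVE-2025-9670)` would record that. The listItem hunk also changes output beyond the CVE fix: content ending in a newline now has `'\n'` re-appended and the return adds another `'\n'` whenever `node.nextSibling` is set, so paragraph list items are now separated by a blank line where the old `!/\n$/.test(content)` guard prevented it, and the indent becomes `prefix.length` spaces instead of the removed literal; the changelog entry mentions only the CVE, so this behaviour change should be named there or dropped from the backport. The listItem replacement function starts in the `@@ -62` hunk and its body continues outside the lines shown.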