Bug 2114794 (CVE-2022-25758)

Summary: CVE-2022-25758 scss-tokenizer: Regular expression denial of service in scss-tokenizer
Product: [Other] Security Response
Reporter: Avinash Hanwate <ahanwate>
Component: vulnerability
Assignee: Nobody <nobody>
Status: NEW ---
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: agerstmayr, aileenc, alazarot, anstephe, aoconnor, bbuckingham, bcourt, bmontgom, bniver, chazlett, ego.cordatus, ehelms, emingora, eparis, extras-orphan, flucifre, gmalinko, gmeno, gparvin, grafana-maint, ibek, idm-ds-dev-bugs, janstey, jburrell, jhadvig, jkurik, jochrist, jrokos, jshaughn, jsherril, jwendell, jwon, kverlaen, lzap, mbenjamin, mhackett, mhulan, mmccune, mnovotny, mpitt, nathans, njean, nmoumoul, nstielau, orabin, pahickey, pcreech, pdelbell, pjindal, rcernich, rchan, rguimara, sostapov, sponnaga, stcannon, twalsh, tzimanyi, vereddy, vkumar
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: scss-tokenizer 0.4.3
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the scss-tokenizer package. Affected versions of this package are vulnerable to regular expression denial of service (ReDoS) attacks.
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 2114795, 2114797, 2114798, 2114799, 2114800, 2114801, 2114802, 2114803, 2114804, 2114811, 2114812, 2114813, 2115670, 2115671, 2115672, 2115673, 2115674, 2115675, 2116909
Bug Blocks: 2103716

Description Avinash Hanwate 2022-08-03 09:51:10 UTC
All versions of the package scss-tokenizer are vulnerable to Regular Expression Denial of Service (ReDoS) via the loadAnnotation() function, due to the use of an insecure regex.

https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-2936782
https://snyk.io/vuln/SNYK-JS-SCSSTOKENIZER-2339884
https://github.com/sasstools/scss-tokenizer/issues/45

Comment 1 Avinash Hanwate 2022-08-03 09:51:35 UTC
Created gnome-shell-extension-material-shell tracking bugs for this issue:

Affects: fedora-all [bug 2114795]

Comment 11 Przemyslaw Roguski 2022-09-14 13:42:52 UTC
In comment 0 there is an incorrect link to the upstream issue.
https://github.com/sasstools/scss-tokenizer/issues/45 is related to the previous CVE-2021-23382.

The correct upstream issue for CVE-2022-25758 is:
https://github.com/sasstools/scss-tokenizer/issues/48
Upstream fix is: https://github.com/sasstools/scss-tokenizer/pull/49