[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#1091460: marked as done (bookworm-pu: package node-postcss/8.4.20+~cs8.0.23-1+deb12u1)

Your message dated Sat, 15 Mar 2025 09:44:44 +0000
with message-id <E1ttO4S-005KlS-JY@coccia.debian.org>
and subject line Close 1091460
has caused the Debian Bug report #1091460,
regarding bookworm-pu: package node-postcss/8.4.20+~cs8.0.23-1+deb12u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1091460: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1091460
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message --- 
Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: node-postcss@packages.debian.org
Control: affects -1 + src:node-postcss
User: release.debian.org@packages.debian.org
Usertags: pu


[ Reason ]
Fix CVE-2023-44270 (Closes: #1053282)
    The vulnerability affects linters
    using PostCSS to parse external untrusted CSS.
    An attacker can prepare CSS in such a way that it will
    contains parts parsed by PostCSS as a CSS comment.
    After processing by PostCSS, it will be included in
    the PostCSS output in CSS nodes (rules, properties)
    despite being included in a comment.
* Fix CVE-2024-55565:
    nanoid (aka Nano ID) a subcomponent of this package
    mishandles non-integer values that could lead to DoS
    by infinite loop.

[ Impact ]
Security bug opened

[ Tests ]
Testsuite run

[ Risks ]
low code is pretty straighforward

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

[ Changes ]
see above

[ Other info ]
Team upload

diff -Nru node-postcss-8.4.20+~cs8.0.23/debian/changelog node-postcss-8.4.20+~cs8.0.23/debian/changelog
--- node-postcss-8.4.20+~cs8.0.23/debian/changelog	2022-12-12 16:48:49.000000000 +0000
+++ node-postcss-8.4.20+~cs8.0.23/debian/changelog	2024-12-26 21:13:18.000000000 +0000
@@ -1,3 +1,21 @@
+node-postcss (8.4.20+~cs8.0.23-1+deb12u1) bookworm-security; urgency=medium
+
+  * Team upload
+  * Fix CVE-2023-44270 (Closes: #1053282)
+    The vulnerability affects linters
+    using PostCSS to parse external untrusted CSS.
+    An attacker can prepare CSS in such a way that it will
+    contains parts parsed by PostCSS as a CSS comment.
+    After processing by PostCSS, it will be included in
+    the PostCSS output in CSS nodes (rules, properties)
+    despite being included in a comment.
+  * Fix CVE-2024-55565:
+    nanoid (aka Nano ID) a subcomponent of this package
+    mishandles non-integer values that could lead to DoS
+    by infinite loop.
+
+ -- Bastien Roucariès <rouca@debian.org>  Thu, 26 Dec 2024 21:13:18 +0000
+
 node-postcss (8.4.20+~cs8.0.23-1) unstable; urgency=medium
 
   * Team upload
diff -Nru node-postcss-8.4.20+~cs8.0.23/debian/patches/CVE-2023-44270.patch node-postcss-8.4.20+~cs8.0.23/debian/patches/CVE-2023-44270.patch
--- node-postcss-8.4.20+~cs8.0.23/debian/patches/CVE-2023-44270.patch	1970-01-01 00:00:00.000000000 +0000
+++ node-postcss-8.4.20+~cs8.0.23/debian/patches/CVE-2023-44270.patch	2024-12-26 21:13:18.000000000 +0000
@@ -0,0 +1,42 @@
+From: Andrey Sitnik <andrey@sitnik.ru>
+Date: Fri, 29 Sep 2023 00:07:58 +0200
+Subject: CVE-2023-44270 Fix carrier return parsing
+
+origin: https://github.com/postcss/postcss/commit/58cc860b4c1707510c9cd1bc1fa30b423a9ad6c5
+bug-debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1053282
+bug-github: https://github.com/github/advisory-database/issues/2820
+---
+ lib/tokenize.js    | 2 +-
+ test/parse.test.ts | 6 ++++++
+ 2 files changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/lib/tokenize.js b/lib/tokenize.js
+index 8dac706..e5b0ad5 100644
+--- a/lib/tokenize.js
++++ b/lib/tokenize.js
+@@ -22,7 +22,7 @@ const AT = '@'.charCodeAt(0)
+ 
+ const RE_AT_END = /[\t\n\f\r "#'()/;[\\\]{}]/g
+ const RE_WORD_END = /[\t\n\f\r !"#'():;@[\\\]{}]|\/(?=\*)/g
+-const RE_BAD_BRACKET = /.[\n"'(/\\]/
++const RE_BAD_BRACKET = /.[\r\n"'(/\\]/
+ const RE_HEX_ESCAPE = /[\da-f]/i
+ 
+ module.exports = function tokenizer(input, options = {}) {
+diff --git a/test/parse.test.ts b/test/parse.test.ts
+index 7513ebf..8573299 100755
+--- a/test/parse.test.ts
++++ b/test/parse.test.ts
+@@ -34,6 +34,12 @@ test('should has false at hasBOM property', () => {
+   is(css.first?.source?.input.hasBOM, false)
+ })
+ 
++test('parses carrier return', () => {
++  throws(() => {
++    parse('@font-face{ font:(\r/*);} body { a: "a*/)} a{}"}')
++  }, /:1:46: Unclosed string/)
++})
++
+ test('saves source file', () => {
+   let css = parse('a {}', { from: 'a.css' })
+   is(css.first?.source?.input.css, 'a {}')
diff -Nru node-postcss-8.4.20+~cs8.0.23/debian/patches/CVE-2024-55565.patch node-postcss-8.4.20+~cs8.0.23/debian/patches/CVE-2024-55565.patch
--- node-postcss-8.4.20+~cs8.0.23/debian/patches/CVE-2024-55565.patch	1970-01-01 00:00:00.000000000 +0000
+++ node-postcss-8.4.20+~cs8.0.23/debian/patches/CVE-2024-55565.patch	2024-12-26 21:13:18.000000000 +0000
@@ -0,0 +1,177 @@
+From: Kris Reeves <kris@pressbuttonllc.com>
+Date: Tue, 26 Nov 2024 03:31:28 -0800
+Subject: CVE-2024-55565 Fix pool pollution, infinite loop (#510)
+
+* Fix pool pollution, infinite loop
+
+When nanoid is called with a fractional value, there were a number
+of undesirable effects:
+- in browser and non-secure, the code infinite loops on `while (size--)`
+- in node, the value of poolOffset becomes fractional, causing calls to
+  nanoid to return zeroes until the pool is next filled: when `i` is
+  initialized to `poolOffset`, `pool[i] & 63` -> `undefined & 63` -> `0`
+- if the first call in node is a fractional argument, the initial buffer
+  allocation fails with an error
+
+I chose `|0` to cast to a signed integer primarily because that has a
+slightly better outcome in the third case above: if the first call is
+negative (e.g. `nanoid(-1)`) then Node will throw an error for an
+invalid Buffer size, rather than attempting to allocate a buffer of
+size `2**32-1`. It's also more compact than `>>>0`, which would be
+necessary to cast to an unsigned integer. I don't _think_ there is
+a use case for generating ids longer than `2**31-1` :)
+
+The browser code is structured in such a way that casting `size` in
+`customRandom` succinctly isn't readily feasible. I chose to cast it
+at the line `let j = step | 0` since casting defaultSize would not
+fix the infinite loop in all cases, and the other use of defaultSize
+is to define the step length which is already shown to be fractional
+and gets cast to an integer with `~` anyway.
+
+As for the `nanoid` function, `new Uint8Array(size)` ignores the
+fractional part, and `size` doesn't get used further - the function
+instead calls reduce over the typed array.
+
+In the Node/native async customAlphabet variant, I chose to convert
+the `id.length === size` check to `id.length >= size`, which handles
+the fractional case and avoids the infinite loop; `size` is not used
+for anything else there.
+
+origin: backport, https://github.com/ai/nanoid/commit/d643045f40d6dc8afa000a644d857da1436ed08c
+bug: https://github.com/ai/nanoid/pull/510
+---
+ nanoid/async/index.browser.js | 4 ++--
+ nanoid/async/index.js         | 4 ++--
+ nanoid/async/index.native.js  | 4 ++--
+ nanoid/index.browser.js       | 2 +-
+ nanoid/index.js               | 8 ++++----
+ nanoid/non-secure/index.js    | 4 ++--
+ 6 files changed, 13 insertions(+), 13 deletions(-)
+
+diff --git a/nanoid/async/index.browser.js b/nanoid/async/index.browser.js
+index 8e57003..c955dc9 100644
+--- a/nanoid/async/index.browser.js
++++ b/nanoid/async/index.browser.js
+@@ -29,7 +29,7 @@ export let customAlphabet = (alphabet, defaultSize = 21) => {
+     while (true) {
+       let bytes = crypto.getRandomValues(new Uint8Array(step))
+       // A compact alternative for `for (var i = 0; i < step; i++)`.
+-      let i = step
++      let i = step | 0
+       while (i--) {
+         // Adding `|| ''` refuses a random byte that exceeds the alphabet size.
+         id += alphabet[bytes[i] & mask] || ''
+@@ -41,7 +41,7 @@ export let customAlphabet = (alphabet, defaultSize = 21) => {
+ 
+ export let nanoid = async (size = 21) => {
+   let id = ''
+-  let bytes = crypto.getRandomValues(new Uint8Array(size))
++  let bytes = crypto.getRandomValues(new Uint8Array((size |= 0)))
+ 
+   // A compact alternative for `for (var i = 0; i < step; i++)`.
+   while (size--) {
+diff --git a/nanoid/async/index.js b/nanoid/async/index.js
+index 0602637..d25a4e6 100644
+--- a/nanoid/async/index.js
++++ b/nanoid/async/index.js
+@@ -46,7 +46,7 @@ export let customAlphabet = (alphabet, defaultSize = 21) => {
+       while (i--) {
+         // Adding `|| ''` refuses a random byte that exceeds the alphabet size.
+         id += alphabet[bytes[i] & mask] || ''
+-        if (id.length === size) return id
++        if (id.length >= size) return id
+       }
+       /* c8 ignore next */
+       return tick(id, size)
+@@ -56,7 +56,7 @@ export let customAlphabet = (alphabet, defaultSize = 21) => {
+ }
+ 
+ export let nanoid = (size = 21) =>
+-  random(size).then(bytes => {
++  random((size |= 0)).then(bytes => {
+     let id = ''
+     // A compact alternative for `for (var i = 0; i < step; i++)`.
+     while (size--) {
+diff --git a/nanoid/async/index.native.js b/nanoid/async/index.native.js
+index b2fbeb4..d283e06 100644
+--- a/nanoid/async/index.native.js
++++ b/nanoid/async/index.native.js
+@@ -31,7 +31,7 @@ export let customAlphabet = (alphabet, defaultSize = 21) => {
+       while (i--) {
+         // Adding `|| ''` refuses a random byte that exceeds the alphabet size.
+         id += alphabet[bytes[i] & mask] || ''
+-        if (id.length === size) return id
++        if (id.length >= size) return id
+       }
+       return tick(id, size)
+     })
+@@ -40,7 +40,7 @@ export let customAlphabet = (alphabet, defaultSize = 21) => {
+ }
+ 
+ export let nanoid = (size = 21) =>
+-  random(size).then(bytes => {
++  random((size |= 0)).then(bytes => {
+     let id = ''
+     // A compact alternative for `for (var i = 0; i < step; i++)`.
+     while (size--) {
+diff --git a/nanoid/index.browser.js b/nanoid/index.browser.js
+index 090a1a9..070555c 100644
+--- a/nanoid/index.browser.js
++++ b/nanoid/index.browser.js
+@@ -34,7 +34,7 @@ export let customRandom = (alphabet, defaultSize, getRandom) => {
+     while (true) {
+       let bytes = getRandom(step)
+       // A compact alternative for `for (var i = 0; i < step; i++)`.
+-      let j = step
++      let j = step | 0
+       while (j--) {
+         // Adding `|| ''` refuses a random byte that exceeds the alphabet size.
+         id += alphabet[bytes[j] & mask] || ''
+diff --git a/nanoid/index.js b/nanoid/index.js
+index a7f828a..1d5ce30 100644
+--- a/nanoid/index.js
++++ b/nanoid/index.js
+@@ -25,8 +25,8 @@ let fillPool = bytes => {
+ }
+ 
+ export let random = bytes => {
+-  // `-=` convert `bytes` to number to prevent `valueOf` abusing
+-  fillPool((bytes -= 0))
++  // `|=` convert `bytes` to number to prevent `valueOf` abusing
++  fillPool((bytes |= 0))
+   return pool.subarray(poolOffset - bytes, poolOffset)
+ }
+ 
+@@ -69,8 +69,8 @@ export let customAlphabet = (alphabet, size = 21) =>
+   customRandom(alphabet, size, random)
+ 
+ export let nanoid = (size = 21) => {
+-  // `-=` convert `size` to number to prevent `valueOf` abusing
+-  fillPool((size -= 0))
++  // `|=` convert `size` to number to prevent `valueOf` abusing
++  fillPool((size |= 0))
+   let id = ''
+   // We are reading directly from the random pool to avoid creating new array
+   for (let i = poolOffset - size; i < poolOffset; i++) {
+diff --git a/nanoid/non-secure/index.js b/nanoid/non-secure/index.js
+index 78e522f..3c3e43b 100644
+--- a/nanoid/non-secure/index.js
++++ b/nanoid/non-secure/index.js
+@@ -11,7 +11,7 @@ export let customAlphabet = (alphabet, defaultSize = 21) => {
+   return (size = defaultSize) => {
+     let id = ''
+     // A compact alternative for `for (var i = 0; i < step; i++)`.
+-    let i = size
++    let i = size | 0
+     while (i--) {
+       // `| 0` is more compact and faster than `Math.floor()`.
+       id += alphabet[(Math.random() * alphabet.length) | 0]
+@@ -23,7 +23,7 @@ export let customAlphabet = (alphabet, defaultSize = 21) => {
+ export let nanoid = (size = 21) => {
+   let id = ''
+   // A compact alternative for `for (var i = 0; i < step; i++)`.
+-  let i = size
++  let i = size | 0
+   while (i--) {
+     // `| 0` is more compact and faster than `Math.floor()`.
+     id += urlAlphabet[(Math.random() * 64) | 0]
diff -Nru node-postcss-8.4.20+~cs8.0.23/debian/patches/series node-postcss-8.4.20+~cs8.0.23/debian/patches/series
--- node-postcss-8.4.20+~cs8.0.23/debian/patches/series	2022-07-04 08:54:19.000000000 +0000
+++ node-postcss-8.4.20+~cs8.0.23/debian/patches/series	2024-12-26 21:13:18.000000000 +0000
@@ -1 +1,3 @@
 nanoid-commonjs.patch
+CVE-2023-44270.patch
+CVE-2024-55565.patch

Attachment: signature.asc
Description: This is a digitally signed message part.


--- End Message ---
--- Begin Message --- 
Version: 12.10
This update has been released as part of 12.10. Thank you for your contribution.

--- End Message ---
Reply to: