Your message dated Sat, 15 Mar 2025 09:44:44 +0000 with message-id <E1ttO4S-005KlS-JY@coccia.debian.org> and subject line Close 1091460 has caused the Debian Bug report #1091460, regarding bookworm-pu: package node-postcss/8.4.20+~cs8.0.23-1+deb12u1, to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact owner@bugs.debian.org immediately.)

--
1091460: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1091460
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: bookworm-pu: package node-postcss/8.4.20+~cs8.0.23-1+deb12u1
- From: Bastien Roucariès <rouca@debian.org>
- Date: Thu, 26 Dec 2024 21:38:26 +0000
- Message-id: <2994493.Tc5OWPbECp@portable-bastien>
Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: node-postcss@packages.debian.org
Control: affects -1 + src:node-postcss
User: release.debian.org@packages.debian.org
Usertags: pu

[ Reason ]
Fix CVE-2023-44270 (Closes: #1053282)
The vulnerability affects linters using PostCSS to parse external untrusted CSS. An attacker can prepare CSS in such a way that it will contain parts parsed by PostCSS as a CSS comment. After processing by PostCSS, it will be included in the PostCSS output in CSS nodes (rules, properties) despite being included in a comment.

* Fix CVE-2024-55565: nanoid (aka Nano ID), a subcomponent of this package, mishandles non-integer values that could lead to DoS by infinite loop.

[ Impact ]
Security bug opened

[ Tests ]
Testsuite run

[ Risks ]
low, code is pretty straightforward

[ Checklist ]
[X] *all* changes are documented in the d/changelog
[X] I reviewed all changes and I approve them
[X] attach debdiff against the package in (old)stable
[X] the issue is verified as fixed in unstable

[ Changes ]
see above

[ Other info ]
Team upload

diff -Nru node-postcss-8.4.20+~cs8.0.23/debian/changelog node-postcss-8.4.20+~cs8.0.23/debian/changelog
--- node-postcss-8.4.20+~cs8.0.23/debian/changelog 2022-12-12 16:48:49.000000000 +0000
+++ node-postcss-8.4.20+~cs8.0.23/debian/changelog 2024-12-26 21:13:18.000000000 +0000
@@ -1,3 +1,21 @@ +node-postcss (8.4.20+~cs8.0.23-1+deb12u1) bookworm-security; urgency=medium + + * Team upload + * Fix CVE-2023-44270 (Closes: #1053282) + The vulnerability affects linters + using PostCSS to parse external untrusted CSS. + An attacker can prepare CSS in such a way that it will + contains parts parsed by PostCSS as a CSS comment. + After processing by PostCSS, it will be included in + the PostCSS output in CSS nodes (rules, properties) + despite being included in a comment. + * Fix CVE-2024-55565: + nanoid (aka Nano ID) a subcomponent of this package + mishandles non-integer values that could lead to DoS + by infinite loop. + + -- Bastien Roucariès <rouca@debian.org> Thu, 26 Dec 2024 21:13:18 +0000 + node-postcss (8.4.20+~cs8.0.23-1) unstable; urgency=medium * Team upload diff -Nru node-postcss-8.4.20+~cs8.0.23/debian/patches/CVE-2023-44270.patch node-postcss-8.4.20+~cs8.0.23/debian/patches/CVE-2023-44270.patch --- node-postcss-8.4.20+~cs8.0.23/debian/patches/CVE-2023-44270.patch 1970-01-01 00:00:00.000000000 +0000 +++ node-postcss-8.4.20+~cs8.0.23/debian/patches/CVE-2023-44270.patch 2024-12-26 21:13:18.000000000 +0000 
@@ -0,0 +1,42 @@ +From: Andrey Sitnik <andrey@sitnik.ru> +Date: Fri, 29 Sep 2023 00:07:58 +0200 +Subject: CVE-2023-44270 Fix carrier return parsing + +origin: https://github.com/postcss/postcss/commit/58cc860b4c1707510c9cd1bc1fa30b423a9ad6c5 +bug-debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1053282 +bug-github: https://github.com/github/advisory-database/issues/2820 +--- + lib/tokenize.js | 2 +- + test/parse.test.ts | 6 ++++++ + 2 files changed, 7 insertions(+), 1 deletion(-) + +diff --git a/lib/tokenize.js b/lib/tokenize.js +index 8dac706..e5b0ad5 100644 +--- a/lib/tokenize.js ++++ b/lib/tokenize.js +@@ -22,7 +22,7 @@ const AT = '@'.charCodeAt(0) + + const RE_AT_END = /[\t\n\f\r "#'()/;[\\\]{}]/g + const RE_WORD_END = /[\t\n\f\r !"#'():;@[\\\]{}]|\/(?=\*)/g +-const RE_BAD_BRACKET = /.[\n"'(/\\]/ ++const RE_BAD_BRACKET = /.[\r\n"'(/\\]/ + const RE_HEX_ESCAPE = /[\da-f]/i + + module.exports = function tokenizer(input, options = {}) { +diff --git a/test/parse.test.ts b/test/parse.test.ts +index 7513ebf..8573299 100755 +--- a/test/parse.test.ts ++++ b/test/parse.test.ts +@@ -34,6 +34,12 @@ test('should has false at hasBOM property', () => { + is(css.first?.source?.input.hasBOM, false) + }) + ++test('parses carrier return', () => { ++ throws(() => { ++ parse('@font-face{ font:(\r/*);} body { a: "a*/)} a{}"}') ++ }, /:1:46: Unclosed string/) ++}) ++ + test('saves source file', () => { + let css = parse('a {}', { from: 'a.css' }) + is(css.first?.source?.input.css, 'a {}') diff -Nru node-postcss-8.4.20+~cs8.0.23/debian/patches/CVE-2024-55565.patch node-postcss-8.4.20+~cs8.0.23/debian/patches/CVE-2024-55565.patch --- node-postcss-8.4.20+~cs8.0.23/debian/patches/CVE-2024-55565.patch 1970-01-01 00:00:00.000000000 +0000 +++ node-postcss-8.4.20+~cs8.0.23/debian/patches/CVE-2024-55565.patch 2024-12-26 21:13:18.000000000 +0000 
@@ -0,0 +1,177 @@ +From: Kris Reeves <kris@pressbuttonllc.com> +Date: Tue, 26 Nov 2024 03:31:28 -0800 +Subject: CVE-2024-55565 Fix pool pollution, infinite loop (#510) + +* Fix pool pollution, infinite loop + +When nanoid is called with a fractional value, there were a number +of undesirable effects: +- in browser and non-secure, the code infinite loops on `while (size--)` +- in node, the value of poolOffset becomes fractional, causing calls to + nanoid to return zeroes until the pool is next filled: when `i` is + initialized to `poolOffset`, `pool[i] & 63` -> `undefined & 63` -> `0` +- if the first call in node is a fractional argument, the initial buffer + allocation fails with an error + +I chose `|0` to cast to a signed integer primarily because that has a +slightly better outcome in the third case above: if the first call is +negative (e.g. `nanoid(-1)`) then Node will throw an error for an +invalid Buffer size, rather than attempting to allocate a buffer of +size `2**32-1`. It's also more compact than `>>>0`, which would be +necessary to cast to an unsigned integer. I don't _think_ there is +a use case for generating ids longer than `2**31-1` :) + +The browser code is structured in such a way that casting `size` in +`customRandom` succinctly isn't readily feasible. I chose to cast it +at the line `let j = step | 0` since casting defaultSize would not +fix the infinite loop in all cases, and the other use of defaultSize +is to define the step length which is already shown to be fractional +and gets cast to an integer with `~` anyway. + +As for the `nanoid` function, `new Uint8Array(size)` ignores the +fractional part, and `size` doesn't get used further - the function +instead calls reduce over the typed array. + +In the Node/native async customAlphabet variant, I chose to convert +the `id.length === size` check to `id.length >= size`, which handles +the fractional case and avoids the infinite loop; `size` is not used +for anything else there. 
+ +origin: backport, https://github.com/ai/nanoid/commit/d643045f40d6dc8afa000a644d857da1436ed08c +bug: https://github.com/ai/nanoid/pull/510 +--- + nanoid/async/index.browser.js | 4 ++-- + nanoid/async/index.js | 4 ++-- + nanoid/async/index.native.js | 4 ++-- + nanoid/index.browser.js | 2 +- + nanoid/index.js | 8 ++++---- + nanoid/non-secure/index.js | 4 ++-- + 6 files changed, 13 insertions(+), 13 deletions(-) + +diff --git a/nanoid/async/index.browser.js b/nanoid/async/index.browser.js +index 8e57003..c955dc9 100644 +--- a/nanoid/async/index.browser.js ++++ b/nanoid/async/index.browser.js +@@ -29,7 +29,7 @@ export let customAlphabet = (alphabet, defaultSize = 21) => { + while (true) { + let bytes = crypto.getRandomValues(new Uint8Array(step)) + // A compact alternative for `for (var i = 0; i < step; i++)`. +- let i = step ++ let i = step | 0 + while (i--) { + // Adding `|| ''` refuses a random byte that exceeds the alphabet size. + id += alphabet[bytes[i] & mask] || '' +@@ -41,7 +41,7 @@ export let customAlphabet = (alphabet, defaultSize = 21) => { + + export let nanoid = async (size = 21) => { + let id = '' +- let bytes = crypto.getRandomValues(new Uint8Array(size)) ++ let bytes = crypto.getRandomValues(new Uint8Array((size |= 0))) + + // A compact alternative for `for (var i = 0; i < step; i++)`. + while (size--) { +diff --git a/nanoid/async/index.js b/nanoid/async/index.js +index 0602637..d25a4e6 100644 +--- a/nanoid/async/index.js ++++ b/nanoid/async/index.js +@@ -46,7 +46,7 @@ export let customAlphabet = (alphabet, defaultSize = 21) => { + while (i--) { + // Adding `|| ''` refuses a random byte that exceeds the alphabet size. 
+ id += alphabet[bytes[i] & mask] || '' +- if (id.length === size) return id ++ if (id.length >= size) return id + } + /* c8 ignore next */ + return tick(id, size) +@@ -56,7 +56,7 @@ export let customAlphabet = (alphabet, defaultSize = 21) => { + } + + export let nanoid = (size = 21) => +- random(size).then(bytes => { ++ random((size |= 0)).then(bytes => { + let id = '' + // A compact alternative for `for (var i = 0; i < step; i++)`. + while (size--) { +diff --git a/nanoid/async/index.native.js b/nanoid/async/index.native.js +index b2fbeb4..d283e06 100644 +--- a/nanoid/async/index.native.js ++++ b/nanoid/async/index.native.js +@@ -31,7 +31,7 @@ export let customAlphabet = (alphabet, defaultSize = 21) => { + while (i--) { + // Adding `|| ''` refuses a random byte that exceeds the alphabet size. + id += alphabet[bytes[i] & mask] || '' +- if (id.length === size) return id ++ if (id.length >= size) return id + } + return tick(id, size) + }) +@@ -40,7 +40,7 @@ export let customAlphabet = (alphabet, defaultSize = 21) => { + } + + export let nanoid = (size = 21) => +- random(size).then(bytes => { ++ random((size |= 0)).then(bytes => { + let id = '' + // A compact alternative for `for (var i = 0; i < step; i++)`. + while (size--) { +diff --git a/nanoid/index.browser.js b/nanoid/index.browser.js +index 090a1a9..070555c 100644 +--- a/nanoid/index.browser.js ++++ b/nanoid/index.browser.js +@@ -34,7 +34,7 @@ export let customRandom = (alphabet, defaultSize, getRandom) => { + while (true) { + let bytes = getRandom(step) + // A compact alternative for `for (var i = 0; i < step; i++)`. +- let j = step ++ let j = step | 0 + while (j--) { + // Adding `|| ''` refuses a random byte that exceeds the alphabet size. 
+ id += alphabet[bytes[j] & mask] || '' +diff --git a/nanoid/index.js b/nanoid/index.js +index a7f828a..1d5ce30 100644 +--- a/nanoid/index.js ++++ b/nanoid/index.js +@@ -25,8 +25,8 @@ let fillPool = bytes => { + } + + export let random = bytes => { +- // `-=` convert `bytes` to number to prevent `valueOf` abusing +- fillPool((bytes -= 0)) ++ // `|=` convert `bytes` to number to prevent `valueOf` abusing ++ fillPool((bytes |= 0)) + return pool.subarray(poolOffset - bytes, poolOffset) + } + +@@ -69,8 +69,8 @@ export let customAlphabet = (alphabet, size = 21) => + customRandom(alphabet, size, random) + + export let nanoid = (size = 21) => { +- // `-=` convert `size` to number to prevent `valueOf` abusing +- fillPool((size -= 0)) ++ // `|=` convert `size` to number to prevent `valueOf` abusing ++ fillPool((size |= 0)) + let id = '' + // We are reading directly from the random pool to avoid creating new array + for (let i = poolOffset - size; i < poolOffset; i++) { +diff --git a/nanoid/non-secure/index.js b/nanoid/non-secure/index.js +index 78e522f..3c3e43b 100644 +--- a/nanoid/non-secure/index.js ++++ b/nanoid/non-secure/index.js +@@ -11,7 +11,7 @@ export let customAlphabet = (alphabet, defaultSize = 21) => { + return (size = defaultSize) => { + let id = '' + // A compact alternative for `for (var i = 0; i < step; i++)`. +- let i = size ++ let i = size | 0 + while (i--) { + // `| 0` is more compact and faster than `Math.floor()`. + id += alphabet[(Math.random() * alphabet.length) | 0] +@@ -23,7 +23,7 @@ export let customAlphabet = (alphabet, defaultSize = 21) => { + export let nanoid = (size = 21) => { + let id = '' + // A compact alternative for `for (var i = 0; i < step; i++)`. +- let i = size ++ let i = size | 0 + while (i--) { + // `| 0` is more compact and faster than `Math.floor()`. 
+ id += urlAlphabet[(Math.random() * 64) | 0] diff -Nru node-postcss-8.4.20+~cs8.0.23/debian/patches/series node-postcss-8.4.20+~cs8.0.23/debian/patches/series --- node-postcss-8.4.20+~cs8.0.23/debian/patches/series 2022-07-04 08:54:19.000000000 +0000 +++ node-postcss-8.4.20+~cs8.0.23/debian/patches/series 2024-12-26 21:13:18.000000000 +0000 @@ -1 +1,3 @@ nanoid-commonjs.patch +CVE-2023-44270.patch +CVE-2024-55565.patchAttachment: signature.asc
Description: This is a digitally signed message part.
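Review bot: the changelog hunk sets the distribution to `bookworm-security; urgency=medium`, but this request is a bookworm-pu (stable proposed-update), which is uploaded with the distribution set to `bookworm`; `bookworm-security` is only for uploads that go through the security archive, so the new `8.4.20+~cs8.0.23-1+deb12u1` entry should read `bookworm; urgency=medium` before the upload is made.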
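Review bot: the test added to `test/parse.test.ts` in the CVE-2023-44270 hunk only guards against regression if that file is actually exercised during the build or in autopkgtest; the [ Tests ] section says "Testsuite run", so stating that `parses carrier return` passes with the patch and fails without it would strengthen the request. The `lib/tokenize.js` change itself is consistent with the rest of the tokenizer: `RE_AT_END` and `RE_WORD_END` already list `\r` in their character classes, and adding it to `RE_BAD_BRACKET` means a `(` followed by a bare carriage return is no longer swallowed into one `brackets` token, so the following `/*` is tokenised as a comment start and the later unterminated string is reported, which is exactly what the new test's `/:1:46: Unclosed string/` expectation checks.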
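Review bot: in the `nanoid/async/index.browser.js` hunk the `customAlphabet` loop casts `let i = step | 0`, yet the Node and native variants in the same patch also change `id.length === size` to `id.length >= size` and this file gets no equivalent change; if the browser variant's returned function compares `id.length === size` against the caller's `size` (that comparison lies outside the shown context), a fractional `size` still never matches and the enclosing `while (true)` keeps generating. Worth checking that line and either applying the same `>=` change or casting `size` on entry to the closure, as is done for the plain `nanoid` export with `new Uint8Array((size |= 0))`.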
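Review bot: in the `nanoid/index.js` hunk, `bytes |= 0` and `size |= 0` truncate to a signed 32-bit integer, so `2**32` becomes `0` and `2**31` becomes `-2147483648`; the commit message accepts this trade-off against `>>> 0`, but since `random` is exported API an explicit guard that throws a RangeError when the value is not positive after the cast would give callers a clear error instead of an empty `pool.subarray(poolOffset - bytes, poolOffset)`. The rewritten comments (`|=` convert ... to number to prevent `valueOf` abusing) do match the new code.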
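Review bot: in the `nanoid/non-secure/index.js` hunk, `size | 0` drops the fractional part but keeps negative values (`-1 | 0` is `-1`), and `while (i--)` with a negative `i` never reaches zero, so a call such as `nanoid(-1)` in the non-secure build still loops, appending to `id` until the engine's string-length limit is hit; unlike the secure builds there is no typed-array or Buffer allocation here to throw first. Clamping with `let i = size > 0 ? size | 0 : 0` (or rejecting non-positive sizes) in both the `customAlphabet` closure and `nanoid` would close that remaining case.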
--- End Message ---
--- Begin Message ---
- To: 1091460-done@bugs.debian.org
- Subject: Close 1091460
- From: jmw@debian.org
- Date: Sat, 15 Mar 2025 09:44:44 +0000
- Message-id: <E1ttO4S-005KlS-JY@coccia.debian.org>
Version: 12.10

This update has been released as part of 12.10. Thank you for your contribution.
--- End Message ---