Processed: bookworm-pu: package node-postcss/8.4.20+~cs8.0.23-1+deb12u1
Debian Bug Tracking System
2024-12-26 21:50:01 UTC
affects -1 + src:node-postcss
Bug #1091460 [release.debian.org] bookworm-pu: package node-postcss/8.4.20+~cs8.0.23-1+deb12u1
Added indication that 1091460 affects src:node-postcss
--
1091460: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1091460
Debian Bug Tracking System
Contact ***@bugs.debian.org with problems
Salvatore Bonaccorso
2024-12-27 16:00:01 UTC
Hi Bastien,
Package: release.debian.org
Severity: normal
Tags: bookworm
Control: affects -1 + src:node-postcss
Usertags: pu
[ Reason ]
Fix CVE-2023-44270 (Closes: #1053282)
The vulnerability affects linters
using PostCSS to parse external untrusted CSS.
An attacker can prepare CSS in such a way that it will
contain parts parsed by PostCSS as a CSS comment.
After processing by PostCSS, it will be included in
the PostCSS output in CSS nodes (rules, properties)
despite being included in a comment.
nanoid (aka Nano ID), a subcomponent of this package,
mishandles non-integer values that could lead to DoS
by infinite loop.
[ Impact ]
Security bug opened
[ Tests ]
Testsuite run
[ Risks ]
low: code is pretty straightforward
[ Checklist ]
[X] *all* changes are documented in the d/changelog
[X] I reviewed all changes and I approve them
[X] attach debdiff against the package in (old)stable
[X] the issue is verified as fixed in unstable
[ Changes ]
see above
[ Other info ]
Team upload
diff -Nru node-postcss-8.4.20+~cs8.0.23/debian/changelog node-postcss-8.4.20+~cs8.0.23/debian/changelog
--- node-postcss-8.4.20+~cs8.0.23/debian/changelog 2022-12-12 16:48:49.000000000 +0000
+++ node-postcss-8.4.20+~cs8.0.23/debian/changelog 2024-12-26 21:13:18.000000000 +0000
@@ -1,3 +1,21 @@
+node-postcss (8.4.20+~cs8.0.23-1+deb12u1) bookworm-security; urgency=medium
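Review bot: the distribution field of the new changelog entry reads `bookworm-security`, but this request is a bookworm-pu (Usertags: pu, Tags: bookworm) going through proposed-updates, so the entry should read `bookworm`. Also, the hunk header `@@ -1,3 +1,21 @@` announces 18 added lines while only the first `+` line is quoted here, so the changelog body that should document the CVE-2023-44270 and nanoid fixes listed under [ Reason ] is not visible in the quoted debdiff.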
This should actually target bookworm, not bookworm-security for the
point release update.

Regards,
Salvatore
Bastien Roucariès
2024-12-27 21:00:02 UTC
Post by Salvatore Bonaccorso
Hi Bastien,
Package: release.debian.org
Severity: normal
Tags: bookworm
Control: affects -1 + src:node-postcss
Usertags: pu
[ Reason ]
Fix CVE-2023-44270 (Closes: #1053282)
The vulnerability affects linters
using PostCSS to parse external untrusted CSS.
An attacker can prepare CSS in such a way that it will
contain parts parsed by PostCSS as a CSS comment.
After processing by PostCSS, it will be included in
the PostCSS output in CSS nodes (rules, properties)
despite being included in a comment.
nanoid (aka Nano ID), a subcomponent of this package,
mishandles non-integer values that could lead to DoS
by infinite loop.
[ Impact ]
Security bug opened
[ Tests ]
Testsuite run
[ Risks ]
low: code is pretty straightforward
[ Checklist ]
[X] *all* changes are documented in the d/changelog
[X] I reviewed all changes and I approve them
[X] attach debdiff against the package in (old)stable
[X] the issue is verified as fixed in unstable
[ Changes ]
see above
[ Other info ]
Team upload
diff -Nru node-postcss-8.4.20+~cs8.0.23/debian/changelog node-postcss-8.4.20+~cs8.0.23/debian/changelog
--- node-postcss-8.4.20+~cs8.0.23/debian/changelog 2022-12-12 16:48:49.000000000 +0000
+++ node-postcss-8.4.20+~cs8.0.23/debian/changelog 2024-12-26 21:13:18.000000000 +0000
@@ -1,3 +1,21 @@
+node-postcss (8.4.20+~cs8.0.23-1+deb12u1) bookworm-security; urgency=medium
This should actually target bookworm, not bookworm-security for the
point release update.
Fixed, thanks.
Post by Salvatore Bonaccorso
Regards,
Salvatore
Debian Bug Tracking System
2025-01-02 20:50:01 UTC
tags -1 + confirmed
Bug #1091460 [release.debian.org] bookworm-pu: package node-postcss/8.4.20+~cs8.0.23-1+deb12u1
Added tag(s) confirmed.
Adam D. Barratt
2025-01-02 20:50:02 UTC
Control: tags -1 + confirmed
    Fix CVE-2023-44270 (Closes: #1053282)
    The vulnerability affects linters
    using PostCSS to parse external untrusted CSS.
    An attacker can prepare CSS in such a way that it will
    contain parts parsed by PostCSS as a CSS comment.
    After processing by PostCSS, it will be included in
    the PostCSS output in CSS nodes (rules, properties)
    despite being included in a comment.
    nanoid (aka Nano ID), a subcomponent of this package,
    mishandles non-integer values that could lead to DoS
    by infinite loop.
Please go ahead.

Regards,

Adam
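The nanoid failure mode quoted in this request (a non-integer size leading to an infinite loop) is easy to show in miniature. The following is an added example written for this page; it is not nanoid's, PostCSS's or the Debian package's own source. The `while (size--)` loop shape is an assumption modelled on the report's description, and the alphabet and the deterministic byte source are constructed so the example runs offline.

```javascript
// Added example (not nanoid's, PostCSS's or the Debian package's code).
// Models the failure mode from the bug report: an ID generator whose loop
// counts `size` down to zero never terminates for a non-integer `size`,
// beside a hardened version that validates the argument first.
// The loop shape is an assumption drawn from the description; the alphabet
// and the deterministic byte source are constructed for this example.

const ALPHABET = 'abcdefghijklmnopqrstuvwxyz0123456789';

// Constructed deterministic byte source (Park-Miller LCG) so results are
// reproducible offline. A real ID generator must draw from a CSPRNG such as
// crypto.randomBytes(); this stand-in exists only for the demonstration.
function* byteSource(seed = 1) {
  let x = seed;
  for (;;) {
    x = (x * 48271) % 2147483647;
    yield x & 0xff;
  }
}

// Naive generator: `while (size--)` keeps going for any truthy number.
// With size = 2.5 the countdown is 1.5, 0.5, -0.5, -1.5, ... and never
// reaches 0, so the loop never exits on its own. `maxIterations` is a guard
// added only so this demonstration cannot hang; the result records whether
// the loop terminated by itself.
function naiveId(size, maxIterations = 1000) {
  const bytes = byteSource();
  let id = '';
  let iterations = 0;
  while (size--) {
    if (++iterations > maxIterations) {
      return { id, terminated: false, iterations };
    }
    id += ALPHABET[bytes.next().value % ALPHABET.length];
  }
  return { id, terminated: true, iterations };
}

// Hardened generator: reject anything but a positive integer before looping,
// and use a counted for-loop whose exit condition cannot be stepped over.
function safeId(size) {
  if (!Number.isInteger(size) || size <= 0) {
    throw new RangeError(`size must be a positive integer, got ${size}`);
  }
  const bytes = byteSource();
  let id = '';
  for (let i = 0; i < size; i++) {
    id += ALPHABET[bytes.next().value % ALPHABET.length];
  }
  return id;
}

// Stand-alone run: the naive loop trips the guard on 2.5, the hardened one
// rejects it up front, and both agree for a valid integer size.
console.log(naiveId(21).terminated, naiveId(2.5).terminated);
console.log(safeId(21));
```

Both generators share the same byte source, so for a valid integer size they produce identical output; the only behavioural difference is on invalid input, which is exactly the mishandling of non-integer values the update's nanoid fix is described as addressing. In code that exposes the size to callers, the `Number.isInteger` check is the piece to keep.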
Jonathan Wiltshire
2025-01-15 14:10:01 UTC
package release.debian.org
tags 1091460 = bookworm pending
thanks

Hi,

The upload referenced by this bug report has been flagged for acceptance into the proposed-updates queue for Debian bookworm.

Thanks for your contribution!

Upload details
==============

Package: node-postcss
Version: 8.4.20+~cs8.0.23-1+deb12u1

Explanation: fix mishandling of non-integer values leading to denial of service in nanoid [CVE-2024-55565]; fix parsing of external untrusted CSS [CVE-2023-44270]