• Bug#1091460: bookworm-pu: package node-postcss/8.4.20+~cs8.0.23-1+deb12

    From Adam D. Barratt@21:1/5 to All on Thu Jan 2 21:50:02 2025
    XPost: linux.debian.devel.release

    Control: tags -1 + confirmed

    On Thu, 2024-12-26 at 21:38 +0000, Bastien Roucariès wrote:
    Fix CVE-2023-44270 (Closes: #1053282)
        The vulnerability affects linters
        using PostCSS to parse external untrusted CSS.
        An attacker can prepare CSS in such a way that it will
        contain parts parsed by PostCSS as a CSS comment.
        After processing by PostCSS, it will be included in
        the PostCSS output in CSS nodes (rules, properties)
        despite being included in a comment.
    * Fix CVE-2024-55565:
        nanoid (aka Nano ID) a subcomponent of this package
        mishandles non-integer values that could lead to DoS
        by infinite loop.

    Please go ahead.

    Regards,

    Adam

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Salvatore Bonaccorso@21:1/5 to All on Fri Dec 27 17:00:01 2024
    XPost: linux.debian.devel.release

    Hi Bastien,

    Just a small remark below:

    On Thu, Dec 26, 2024 at 09:38:26PM +0000, Bastien Roucariès wrote:
    Package: release.debian.org
    Severity: normal
    Tags: bookworm
    X-Debbugs-Cc: node-postcss@packages.debian.org
    Control: affects -1 + src:node-postcss
    User: release.debian.org@packages.debian.org
    Usertags: pu


    [ Reason ]
    Fix CVE-2023-44270 (Closes: #1053282)
    The vulnerability affects linters
    using PostCSS to parse external untrusted CSS.
    An attacker can prepare CSS in such a way that it will
    contain parts parsed by PostCSS as a CSS comment.
    After processing by PostCSS, it will be included in
    the PostCSS output in CSS nodes (rules, properties)
    despite being included in a comment.
    * Fix CVE-2024-55565:
    nanoid (aka Nano ID) a subcomponent of this package
    mishandles non-integer values that could lead to DoS
    by infinite loop.

    [ Impact ]
    Security bug opened

    [ Tests ]
    Testsuite run

    [ Risks ]
    low, code is pretty straightforward

    [ Checklist ]
    [X] *all* changes are documented in the d/changelog
    [X] I reviewed all changes and I approve them
    [X] attach debdiff against the package in (old)stable
    [X] the issue is verified as fixed in unstable

    [ Changes ]
    see above

    [ Other info ]
    Team upload

    diff -Nru node-postcss-8.4.20+~cs8.0.23/debian/changelog node-postcss-8.4.20+~cs8.0.23/debian/changelog
    --- node-postcss-8.4.20+~cs8.0.23/debian/changelog 2022-12-12 16:48:49.000000000 +0000
    +++ node-postcss-8.4.20+~cs8.0.23/debian/changelog 2024-12-26 21:13:18.000000000 +0000
    @@ -1,3 +1,21 @@
    +node-postcss (8.4.20+~cs8.0.23-1+deb12u1) bookworm-security; urgency=medium

    This should actually target bookworm, not bookworm-security for the
    point release update.

    Regards,
    Salvatore

  • From Bastien Roucariès@21:1/5 to All on Fri Dec 27 20:49:55 2024
    XPost: linux.debian.devel.release
    To: carnil@debian.org (Salvatore Bonaccorso)

    On Friday, 27 December 2024, at 15:48:30 UTC, Salvatore Bonaccorso wrote:
    Hi Bastien,

    Just a small remark below:

    On Thu, Dec 26, 2024 at 09:38:26PM +0000, Bastien Roucariès wrote:
    Package: release.debian.org
    Severity: normal
    Tags: bookworm
    X-Debbugs-Cc: node-postcss@packages.debian.org
    Control: affects -1 + src:node-postcss
    User: release.debian.org@packages.debian.org
    Usertags: pu


    [ Reason ]
    Fix CVE-2023-44270 (Closes: #1053282)
    The vulnerability affects linters
    using PostCSS to parse external untrusted CSS.
    An attacker can prepare CSS in such a way that it will
    contain parts parsed by PostCSS as a CSS comment.
    After processing by PostCSS, it will be included in
    the PostCSS output in CSS nodes (rules, properties)
    despite being included in a comment.
    * Fix CVE-2024-55565:
    nanoid (aka Nano ID) a subcomponent of this package
    mishandles non-integer values that could lead to DoS
    by infinite loop.

    [ Impact ]
    Security bug opened

    [ Tests ]
    Testsuite run

    [ Risks ]
    low, code is pretty straightforward

    [ Checklist ]
    [X] *all* changes are documented in the d/changelog
    [X] I reviewed all changes and I approve them
    [X] attach debdiff against the package in (old)stable
    [X] the issue is verified as fixed in unstable

    [ Changes ]
    see above

    [ Other info ]
    Team upload

    diff -Nru node-postcss-8.4.20+~cs8.0.23/debian/changelog node-postcss-8.4.20+~cs8.0.23/debian/changelog
    --- node-postcss-8.4.20+~cs8.0.23/debian/changelog 2022-12-12 16:48:49.000000000 +0000
    +++ node-postcss-8.4.20+~cs8.0.23/debian/changelog 2024-12-26 21:13:18.000000000 +0000
    @@ -1,3 +1,21 @@
    +node-postcss (8.4.20+~cs8.0.23-1+deb12u1) bookworm-security; urgency=medium

    This should actually target bookworm, not bookworm-security for the
    point release update.

    Fixed, thanks.

    Regards,
    Salvatore



    [Attachment: deb12u1.debdiff]

    diff -Nru node-postcss-8.4.20+~cs8.0.23/debian/changelog node-postcss-8.4.20+~cs8.0.23/debian/changelog
    --- node-postcss-8.4.20+~cs8.0.23/debian/changelog 2022-12-12 16:48:49.000000000 +0000
    +++ node-postcss-8.4.20+~cs8.0.23/debian/changelog 2024-12-27 20:49:18.000000000 +0000
    @@ -1,3 +1,21 @@
    +node-postcss (8.4.20+~cs8.0.23-1+deb12u1) bookworm; urgency=medium
    +
    + * Team upload
    + * Fix CVE-2023-44270 (Closes: #1053282)
    + The vulnerability affects linters
    + using PostCSS to parse external untrusted CSS.
    + An attacker can prepare CSS in such a way that it will
    + contains parts parsed by PostCSS as a CSS comment.
    + After processing by PostCSS, it will be included in
    + the PostCSS output in CSS nodes (rules, properties)
    + despite being included in a comment.
    + * Fix CVE-2024-55565:
    + nanoid (aka Nano ID) a subcomponent of this package
    + mishandles non-integer values that could lead to DoS
    + by infinite loop.
    +
    + -- Bastien Roucariès <rouca@debian.org> Thu, 26 Dec 2024 21:13:18 +0000
    +
    node-postcss (8.4.20+~cs8.0.23-1) unstable; urgency=medium

    * Team up
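Review bot: the trailer date of the new changelog entry was not refreshed after the suite was changed from bookworm-security to bookworm: the entry is still signed `Thu, 26 Dec 2024 21:13:18 +0000` while the `+++` header shows the file was rewritten on 2024-12-27 20:49:18. Run `dch -r` (or update the trailer by hand) before the final upload so the date matches the edit. While touching the entry, fix the grammar in the CVE-2023-44270 text (`it will contains parts` should read `it will contain parts`), and consider whether the CVE-2024-55565 item should carry a `Closes:` reference like the first item does, if a Debian bug exists for the nanoid issue.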