Version in base suite: 8.4.20+~cs8.0.23-1 Base version: node-postcss_8.4.20+~cs8.0.23-1 Target version: node-postcss_8.4.20+~cs8.0.23-1+deb12u1 Base file: /srv/ftp-master.debian.org/ftp/pool/main/n/node-postcss/node-postcss_8.4.20+~cs8.0.23-1.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/n/node-postcss/node-postcss_8.4.20+~cs8.0.23-1+deb12u1.dsc changelog | 18 ++++ patches/CVE-2023-44270.patch | 42 ++++++++++ patches/CVE-2024-55565.patch | 177 +++++++++++++++++++++++++++++++++++++++++++ patches/series | 2 4 files changed, 239 insertions(+)
diff -Nru node-postcss-8.4.20+~cs8.0.23/debian/changelog node-postcss-8.4.20+~cs8.0.23/debian/changelog
--- node-postcss-8.4.20+~cs8.0.23/debian/changelog 2022-12-12 16:48:49.000000000 +0000
+++ node-postcss-8.4.20+~cs8.0.23/debian/changelog 2024-12-26 21:13:18.000000000 +0000
@@ -1,3 +1,21 @@
+node-postcss (8.4.20+~cs8.0.23-1+deb12u1) bookworm; urgency=medium
+
+ * Team upload
+ * Fix CVE-2023-44270 (Closes: #1053282)
+ The vulnerability affects linters
+ using PostCSS to parse external untrusted CSS.
+ An attacker can prepare CSS in such a way that it will
+ contains parts parsed by PostCSS as a CSS comment.
+ After processing by PostCSS, it will be included in
+ the PostCSS output in CSS nodes (rules, properties)
+ despite being included in a comment.
+ * Fix CVE-2024-55565:
+ nanoid (aka Nano ID) a subcomponent of this package
+ mishandles non-integer values that could lead to DoS
+ by infinite loop.
+
+ -- Bastien Roucariès Thu, 26 Dec 2024 21:13:18 +0000
+
 node-postcss (8.4.20+~cs8.0.23-1) unstable; urgency=medium
 
 * Team upload
diff -Nru node-postcss-8.4.20+~cs8.0.23/debian/patches/CVE-2023-44270.patch node-postcss-8.4.20+~cs8.0.23/debian/patches/CVE-2023-44270.patch
--- node-postcss-8.4.20+~cs8.0.23/debian/patches/CVE-2023-44270.patch 1970-01-01 00:00:00.000000000 +0000
+++ node-postcss-8.4.20+~cs8.0.23/debian/patches/CVE-2023-44270.patch 2024-12-26 21:13:18.000000000 +0000
@@ -0,0 +1,42 @@
+From: Andrey Sitnik
+Date: Fri, 29 Sep 2023 00:07:58 +0200
+Subject: CVE-2023-44270 Fix carrier return parsing
+
+origin: https://github.com/postcss/postcss/commit/58cc860b4c1707510c9cd1bc1fa30b423a9ad6c5
+bug-debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1053282
+bug-github: https://github.com/github/advisory-database/issues/2820
+---
+ lib/tokenize.js | 2 +-
+ test/parse.test.ts | 6 ++++++
+ 2 files changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/lib/tokenize.js b/lib/tokenize.js
+index 8dac706..e5b0ad5 100644
+--- a/lib/tokenize.js
++++ b/lib/tokenize.js
+@@ -22,7 +22,7 @@ const AT = '@'.charCodeAt(0)
+ 
+ const RE_AT_END = /[\t\n\f\r "#'()/;[\\\]{}]/g
+ const RE_WORD_END = /[\t\n\f\r !"#'():;@[\\\]{}]|\/(?=\*)/g
+-const RE_BAD_BRACKET = /.[\n"'(/\\]/
++const RE_BAD_BRACKET = /.[\r\n"'(/\\]/
+ const RE_HEX_ESCAPE = /[\da-f]/i
+ 
+ module.exports = function tokenizer(input, options = {}) {
+diff --git a/test/parse.test.ts b/test/parse.test.ts
+index 7513ebf..8573299 100755
+--- a/test/parse.test.ts
++++ b/test/parse.test.ts
+@@ -34,6 +34,12 @@ test('should has false at hasBOM property', () => {
+ is(css.first?.source?.input.hasBOM, false)
+ })
+ 
++test('parses carrier return', () => {
++ throws(() => {
++ parse('@font-face{ font:(\r/*);} body { a: "a*/)} a{}"}')
++ }, /:1:46: Unclosed string/)
++})
++
+ test('saves source file', () => {
+ let css = parse('a {}', { from: 'a.css' })
+ is(css.first?.source?.input.css, 'a {}')
diff -Nru node-postcss-8.4.20+~cs8.0.23/debian/patches/CVE-2024-55565.patch node-postcss-8.4.20+~cs8.0.23/debian/patches/CVE-2024-55565.patch
--- node-postcss-8.4.20+~cs8.0.23/debian/patches/CVE-2024-55565.patch 1970-01-01 00:00:00.000000000 +0000
+++ node-postcss-8.4.20+~cs8.0.23/debian/patches/CVE-2024-55565.patch 2024-12-26 21:13:18.000000000 +0000
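Review bot: The one-character fix to `RE_BAD_BRACKET` carries no comment saying why `\r` belongs in the class, while the neighbouring `RE_AT_END` and `RE_WORD_END` classes in the same hunk already list `\t\n\f\r`, so the bracket class was the odd one out and could drift again on the next regex edit. A line above it such as `// \r must terminate a bracket token exactly like \n; otherwise a bare CR ahead of a comment opener lets comment text end up in later rules/declarations (CVE-2023-44270)` would anchor the intent for the next maintainer. The new test's name has a typo, `test('parses carriage return', () => {`, and it pins the exact column `:1:46: Unclosed string`, which is fine for a regression test but will need updating if position reporting changes. The enclosing `tokenizer` function and the rest of `parse.test.ts` are outside this hunk.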
@@ -0,0 +1,177 @@
+From: Kris Reeves
+Date: Tue, 26 Nov 2024 03:31:28 -0800
+Subject: CVE-2024-55565 Fix pool pollution, infinite loop (#510)
+
+* Fix pool pollution, infinite loop
+
+When nanoid is called with a fractional value, there were a number
+of undesirable effects:
+- in browser and non-secure, the code infinite loops on `while (size--)`
+- in node, the value of poolOffset becomes fractional, causing calls to
+ nanoid to return zeroes until the pool is next filled: when `i` is
+ initialized to `poolOffset`, `pool[i] & 63` -> `undefined & 63` -> `0`
+- if the first call in node is a fractional argument, the initial buffer
+ allocation fails with an error
+
+I chose `|0` to cast to a signed integer primarily because that has a
+slightly better outcome in the third case above: if the first call is
+negative (e.g. `nanoid(-1)`) then Node will throw an error for an
+invalid Buffer size, rather than attempting to allocate a buffer of
+size `2**32-1`. It's also more compact than `>>>0`, which would be
+necessary to cast to an unsigned integer. I don't _think_ there is
+a use case for generating ids longer than `2**31-1` :)
+
+The browser code is structured in such a way that casting `size` in
+`customRandom` succinctly isn't readily feasible. I chose to cast it
+at the line `let j = step | 0` since casting defaultSize would not
+fix the infinite loop in all cases, and the other use of defaultSize
+is to define the step length which is already shown to be fractional
+and gets cast to an integer with `~` anyway.
+
+As for the `nanoid` function, `new Uint8Array(size)` ignores the
+fractional part, and `size` doesn't get used further - the function
+instead calls reduce over the typed array.
+
+In the Node/native async customAlphabet variant, I chose to convert
+the `id.length === size` check to `id.length >= size`, which handles
+the fractional case and avoids the infinite loop; `size` is not used
+for anything else there.
+
+origin: backport, https://github.com/ai/nanoid/commit/d643045f40d6dc8afa000a644d857da1436ed08c
+bug: https://github.com/ai/nanoid/pull/510
+---
+ nanoid/async/index.browser.js | 4 ++--
+ nanoid/async/index.js | 4 ++--
+ nanoid/async/index.native.js | 4 ++--
+ nanoid/index.browser.js | 2 +-
+ nanoid/index.js | 8 ++++----
+ nanoid/non-secure/index.js | 4 ++--
+ 6 files changed, 13 insertions(+), 13 deletions(-)
+
+diff --git a/nanoid/async/index.browser.js b/nanoid/async/index.browser.js
+index 8e57003..c955dc9 100644
+--- a/nanoid/async/index.browser.js
++++ b/nanoid/async/index.browser.js
+@@ -29,7 +29,7 @@ export let customAlphabet = (alphabet, defaultSize = 21) => {
+ while (true) {
+ let bytes = crypto.getRandomValues(new Uint8Array(step))
+ // A compact alternative for `for (var i = 0; i < step; i++)`.
+- let i = step
++ let i = step | 0
+ while (i--) {
+ // Adding `|| ''` refuses a random byte that exceeds the alphabet size.
+ id += alphabet[bytes[i] & mask] || ''
+@@ -41,7 +41,7 @@ export let customAlphabet = (alphabet, defaultSize = 21) => {
+ 
+ export let nanoid = async (size = 21) => {
+ let id = ''
+- let bytes = crypto.getRandomValues(new Uint8Array(size))
++ let bytes = crypto.getRandomValues(new Uint8Array((size |= 0)))
+ 
+ // A compact alternative for `for (var i = 0; i < step; i++)`.
+ while (size--) {
+diff --git a/nanoid/async/index.js b/nanoid/async/index.js
+index 0602637..d25a4e6 100644
+--- a/nanoid/async/index.js
++++ b/nanoid/async/index.js
+@@ -46,7 +46,7 @@ export let customAlphabet = (alphabet, defaultSize = 21) => {
+ while (i--) {
+ // Adding `|| ''` refuses a random byte that exceeds the alphabet size.
+ id += alphabet[bytes[i] & mask] || ''
+- if (id.length === size) return id
++ if (id.length >= size) return id
+ }
+ /* c8 ignore next */
+ return tick(id, size)
+@@ -56,7 +56,7 @@ export let customAlphabet = (alphabet, defaultSize = 21) => {
+ }
+ 
+ export let nanoid = (size = 21) =>
+- random(size).then(bytes => {
++ random((size |= 0)).then(bytes => {
+ let id = ''
+ // A compact alternative for `for (var i = 0; i < step; i++)`.
+ while (size--) {
+diff --git a/nanoid/async/index.native.js b/nanoid/async/index.native.js
+index b2fbeb4..d283e06 100644
+--- a/nanoid/async/index.native.js
++++ b/nanoid/async/index.native.js
+@@ -31,7 +31,7 @@ export let customAlphabet = (alphabet, defaultSize = 21) => {
+ while (i--) {
+ // Adding `|| ''` refuses a random byte that exceeds the alphabet size.
+ id += alphabet[bytes[i] & mask] || ''
+- if (id.length === size) return id
++ if (id.length >= size) return id
+ }
+ return tick(id, size)
+ })
+@@ -40,7 +40,7 @@ export let customAlphabet = (alphabet, defaultSize = 21) => {
+ }
+ 
+ export let nanoid = (size = 21) =>
+- random(size).then(bytes => {
++ random((size |= 0)).then(bytes => {
+ let id = ''
+ // A compact alternative for `for (var i = 0; i < step; i++)`.
+ while (size--) {
+diff --git a/nanoid/index.browser.js b/nanoid/index.browser.js
+index 090a1a9..070555c 100644
+--- a/nanoid/index.browser.js
++++ b/nanoid/index.browser.js
+@@ -34,7 +34,7 @@ export let customRandom = (alphabet, defaultSize, getRandom) => {
+ while (true) {
+ let bytes = getRandom(step)
+ // A compact alternative for `for (var i = 0; i < step; i++)`.
+- let j = step
++ let j = step | 0
+ while (j--) {
+ // Adding `|| ''` refuses a random byte that exceeds the alphabet size.
+ id += alphabet[bytes[j] & mask] || ''
+diff --git a/nanoid/index.js b/nanoid/index.js
+index a7f828a..1d5ce30 100644
+--- a/nanoid/index.js
++++ b/nanoid/index.js
+@@ -25,8 +25,8 @@ let fillPool = bytes => {
+ }
+ 
+ export let random = bytes => {
+- // `-=` convert `bytes` to number to prevent `valueOf` abusing
+- fillPool((bytes -= 0))
++ // `|=` convert `bytes` to number to prevent `valueOf` abusing
++ fillPool((bytes |= 0))
+ return pool.subarray(poolOffset - bytes, poolOffset)
+ }
+ 
+@@ -69,8 +69,8 @@ export let customAlphabet = (alphabet, size = 21) =>
+ customRandom(alphabet, size, random)
+ 
+ export let nanoid = (size = 21) => {
+- // `-=` convert `size` to number to prevent `valueOf` abusing
+- fillPool((size -= 0))
++ // `|=` convert `size` to number to prevent `valueOf` abusing
++ fillPool((size |= 0))
+ let id = ''
+ // We are reading directly from the random pool to avoid creating new array
+ for (let i = poolOffset - size; i < poolOffset; i++) {
+diff --git a/nanoid/non-secure/index.js b/nanoid/non-secure/index.js
+index 78e522f..3c3e43b 100644
+--- a/nanoid/non-secure/index.js
++++ b/nanoid/non-secure/index.js
+@@ -11,7 +11,7 @@ export let customAlphabet = (alphabet, defaultSize = 21) => {
+ return (size = defaultSize) => {
+ let id = ''
+ // A compact alternative for `for (var i = 0; i < step; i++)`.
+- let i = size
++ let i = size | 0
+ while (i--) {
+ // `| 0` is more compact and faster than `Math.floor()`.
+ id += alphabet[(Math.random() * alphabet.length) | 0]
+@@ -23,7 +23,7 @@ export let customAlphabet = (alphabet, defaultSize = 21) => {
+ export let nanoid = (size = 21) => {
+ let id = ''
+ // A compact alternative for `for (var i = 0; i < step; i++)`.
+- let i = size
++ let i = size | 0
+ while (i--) {
+ // `| 0` is more compact and faster than `Math.floor()`.
+ id += urlAlphabet[(Math.random() * 64) | 0]
diff -Nru node-postcss-8.4.20+~cs8.0.23/debian/patches/series node-postcss-8.4.20+~cs8.0.23/debian/patches/series
--- node-postcss-8.4.20+~cs8.0.23/debian/patches/series 2022-07-04 08:54:19.000000000 +0000
+++ node-postcss-8.4.20+~cs8.0.23/debian/patches/series 2024-12-26 21:13:18.000000000 +0000
@@ -1 +1,3 @@
 nanoid-commonjs.patch
+CVE-2023-44270.patch
+CVE-2024-55565.patch
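Review bot: The `| 0` casts in `nanoid/non-secure/index.js` (`let i = size | 0` directly before `while (i--)`, in both `customAlphabet` and `nanoid`) close the fractional-size loop but not the negative-size one: `while (i--)` is truthy for every non-zero integer, so a caller that passes a negative size still appends characters until the string-length limit throws, which is the same denial-of-service shape this patch is meant to remove. A clamp such as `let i = Math.max(size | 0, 0)` (or an explicit rejection of `size <= 0`) at those two sites would close it; the secure paths look safer because `new Uint8Array((size |= 0))` rejects a negative length and the commit message says Node's Buffer allocation does too, but `random()` and `fillPool()` are outside the hunk, so confirm that before relying on it. The rewritten comment `// |= convert bytes to number to prevent valueOf abusing` in `nanoid/index.js` would read better as `// |= 0 coerces bytes to a 32-bit integer, defeating valueOf tricks and fractional sizes`. Since the description says leaving negatives to the allocator was a deliberate choice, that contract should be stated at the non-secure entry points as well, where no allocator stands in the way.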