Package: node-postcss | Debian Sources

Package: node-postcss / 8.4.20+~cs8.0.23-1+deb12u1

Metadata

Package	Version	Patches format
node-postcss	8.4.20+~cs8.0.23-1+deb12u1	3.0 (quilt)

Patch series

view the series file

Patch	File delta	Description
nanoid commonjs.patch \| (download)	nanoid/package.json \| 9 7 + 2 - 0 ! 1 file changed, 7 insertions(+), 2 deletions(-)	export commonjs files for nanoid
CVE 2023 44270.patch \| (download)	lib/tokenize.js \| 2 1 + 1 - 0 ! test/parse.test.ts \| 6 6 + 0 - 0 ! 2 files changed, 7 insertions(+), 1 deletion(-)	cve-2023-44270 fix carrier return parsing
CVE 2024 55565.patch \| (download)	nanoid/async/index.browser.js \| 4 2 + 2 - 0 ! nanoid/async/index.js \| 4 2 + 2 - 0 ! nanoid/async/index.native.js \| 4 2 + 2 - 0 ! nanoid/index.browser.js \| 2 1 + 1 - 0 ! nanoid/index.js \| 8 4 + 4 - 0 ! nanoid/non-secure/index.js \| 4 2 + 2 - 0 ! 6 files changed, 13 insertions(+), 13 deletions(-)	cve-2024-55565 fix pool pollution, infinite loop (#510) * Fix pool pollution, infinite loop When nanoid is called with a fractional value, there were a number of undesirable effects: - in browser and non-secure, the code infinite loops on `while (size--)` - in node, the value of poolOffset becomes fractional, causing calls to nanoid to return zeroes until the pool is next filled: when `i` is initialized to `poolOffset`, `pool[i] & 63` -> `undefined & 63` -> `0` - if the first call in node is a fractional argument, the initial buffer allocation fails with an error I chose `\|0` to cast to a signed integer primarily because that has a slightly better outcome in the third case above: if the first call is negative (e.g. `nanoid(-1)`) then Node will throw an error for an invalid Buffer size, rather than attempting to allocate a buffer of size `232-1`. It's also more compact than `>>>0`, which would be necessary to cast to an unsigned integer. I don't _think_ there is a use case for generating ids longer than `231-1` :) The browser code is structured in such a way that casting `size` in `customRandom` succinctly isn't readily feasible. I chose to cast it at the line `let j = step \| 0` since casting defaultSize would not fix the infinite loop in all cases, and the other use of defaultSize is to define the step length which is already shown to be fractional and gets cast to an integer with `~` anyway. As for the `nanoid` function, `new Uint8Array(size)` ignores the fractional part, and `size` doesn't get used further - the function instead calls reduce over the typed array. In the Node/native async customAlphabet variant, I chose to convert the `id.length === size` check to `id.length >= size`, which handles the fractional case and avoids the infinite loop; `size` is not used for anything else there.

Patch

File delta

Description

nanoid commonjs.patch | (download)

nanoid/package.json | 9 7 + 2 - 0 !
1 file changed, 7 insertions(+), 2 deletions(-)

 export commonjs files for nanoid

CVE 2023 44270.patch | (download)

lib/tokenize.js | 2 1 + 1 - 0 !
test/parse.test.ts | 6 6 + 0 - 0 !
2 files changed, 7 insertions(+), 1 deletion(-)

 cve-2023-44270 fix carrier return parsing

CVE 2024 55565.patch | (download)

 cve-2024-55565 fix pool pollution, infinite loop (#510)

* Fix pool pollution, infinite loop

When nanoid is called with a fractional value, there were a number
of undesirable effects:
- in browser and non-secure, the code infinite loops on `while (size--)`
- in node, the value of poolOffset becomes fractional, causing calls to
  nanoid to return zeroes until the pool is next filled: when `i` is
  initialized to `poolOffset`, `pool[i] & 63` -> `undefined & 63` -> `0`
- if the first call in node is a fractional argument, the initial buffer
  allocation fails with an error

I chose `|0` to cast to a signed integer primarily because that has a
slightly better outcome in the third case above: if the first call is
negative (e.g. `nanoid(-1)`) then Node will throw an error for an
invalid Buffer size, rather than attempting to allocate a buffer of
size `2**32-1`. It's also more compact than `>>>0`, which would be
necessary to cast to an unsigned integer. I don't _think_ there is
a use case for generating ids longer than `2**31-1` :)

The browser code is structured in such a way that casting `size` in
`customRandom` succinctly isn't readily feasible. I chose to cast it
at the line `let j = step | 0` since casting defaultSize would not
fix the infinite loop in all cases, and the other use of defaultSize
is to define the step length which is already shown to be fractional
and gets cast to an integer with `~` anyway.

As for the `nanoid` function, `new Uint8Array(size)` ignores the
fractional part, and `size` doesn't get used further - the function
instead calls reduce over the typed array.

In the Node/native async customAlphabet variant, I chose to convert
the `id.length === size` check to `id.length >= size`, which handles
the fractional case and avoids the infinite loop; `size` is not used
for anything else there.