Bug 1217328

Summary: VUL-0: CVE-2023-26364: cockpit-agama: css-tools: improper input validation during CSS parsing causes denial of service
Product: [Novell Products] SUSE Security Incidents
Reporter: Carlos López <carlos.lopez>
Component: Incidents
Assignee: Ladislav Slezák <lslezak>
Status: RESOLVED INVALID
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P3 - Medium
CC: security-team, yast2-maintainers
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/385567/
Whiteboard:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Bug Depends on: 1217322
Bug Blocks:

Description Carlos López 2023-11-20 09:10:46 UTC
+++ This bug was initially created as a clone of Bug #1217322 +++

@adobe/css-tools version 4.3.0 and earlier are affected by an Improper Input
Validation vulnerability that could result in a minor denial of service while
attempting to parse CSS. Exploitation of this issue does not require user
interaction or privileges.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-26364
Comment 1 Carlos López 2023-11-20 09:11:23 UTC
- openSUSE:Factory/cockpit-agama embeds @adobe/css-tools (v4.3.1)
- SUSE:ALP:Source:Standard:1.0/cockpit-agama embeds @adobe/css-tools (v4.3.1)
Comment 2 Ladislav Slezák 2023-11-20 16:16:02 UTC
"@adobe/css-tools version 4.3.0 and earlier ..."

As mentioned in the previous comment, we already use 4.3.1, which should be OK. And there is nothing to upgrade to; 4.3.1 is still the latest version released (see https://www.npmjs.com/package/@adobe/css-tools).

If I haven't overlooked something, then this bug is not valid; I'm closing it as INVALID.

Note: we do not use that library directly; it is pulled in by the @testing-library/jest-dom dependency, which is only used for running the unit tests. That means this library is never used in production.
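The two checks that settle this kind of report are the ones in the comment above: which version of the flagged package is actually pinned in the lockfile, and whether every installed copy is reachable only through devDependencies. The script below is an added example (not part of the bug report or of the cockpit-agama project) that performs both checks against an npm package-lock.json. It assumes the lockfile v2/v3 layout, where "packages" is keyed by node_modules path and dev-only entries carry "dev": true; the embedded lockfile is a constructed sample modelled on the situation described here, and the "4.3.0 and earlier" cutoff comes from the advisory text.

```python
"""Check an npm lockfile for a package: installed version, whether it falls in
the affected range, and whether it is only a development dependency.

Added example, not part of the bug report or the cockpit-agama project.
Assumes the package-lock.json v2/v3 layout ("packages" map keyed by
node_modules path, with "dev": true on entries only reachable via
devDependencies).
"""
import json
import re

# Constructed sample lockfile (not a real project file), modelled on the bug:
# @adobe/css-tools 4.3.1 pulled in by @testing-library/jest-dom, dev only.
SAMPLE_LOCK = json.dumps({
    "name": "example-app",
    "lockfileVersion": 3,
    "packages": {
        "": {
            "dependencies": {"react": "^18.2.0"},
            "devDependencies": {"@testing-library/jest-dom": "^6.1.0"},
        },
        "node_modules/react": {"version": "18.2.0"},
        "node_modules/@testing-library/jest-dom": {
            "version": "6.1.4",
            "dev": True,
            "dependencies": {"@adobe/css-tools": "^4.3.1"},
        },
        "node_modules/@adobe/css-tools": {"version": "4.3.1", "dev": True},
    },
})

# Per the advisory quoted in the report: 4.3.0 and earlier are affected.
LAST_AFFECTED = "4.3.0"


def parse_version(v):
    """Turn '4.3.1' (optionally with a pre-release suffix) into a comparable tuple."""
    core = re.match(r"\d+(\.\d+)*", v).group(0)
    return tuple(int(p) for p in core.split("."))


def is_affected(version, last_affected=LAST_AFFECTED):
    """True when `version` is at or below the last affected release."""
    return parse_version(version) <= parse_version(last_affected)


def find_package(lock, name):
    """Return every installed copy of `name`, nested copies included.

    `lock` may be the lockfile text or the already-parsed dict.
    """
    lock = json.loads(lock) if isinstance(lock, str) else lock
    hits = []
    for path, entry in lock.get("packages", {}).items():
        # The root entry has an empty path; real installs end in node_modules/<name>.
        if path == "" or not path.endswith("node_modules/" + name):
            continue
        hits.append({
            "path": path,
            "version": entry.get("version"),
            "dev_only": bool(entry.get("dev", False)),
            "affected": is_affected(entry.get("version", "0")),
        })
    return hits


def triage(lock, name):
    """Classify the exposure for `name`:
    'not installed', 'unaffected', 'affected (dev only)' or 'affected (production)'.
    """
    hits = find_package(lock, name)
    if not hits:
        return "not installed"
    affected = [h for h in hits if h["affected"]]
    if not affected:
        return "unaffected"
    if all(h["dev_only"] for h in affected):
        return "affected (dev only)"
    return "affected (production)"


if __name__ == "__main__":
    for hit in find_package(SAMPLE_LOCK, "@adobe/css-tools"):
        print(hit)
    print(triage(SAMPLE_LOCK, "@adobe/css-tools"))
```

Run against a real lockfile by reading the file and passing its text to `triage`. Note that "dev only" is a statement about the lockfile, not about what gets shipped: it still needs to be checked that the build and packaging steps (here, the RPM that embeds the node_modules tree) do not copy development dependencies into the shipped artifact.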