Bug 1217328 - VUL-0: CVE-2023-26364: cockpit-agama: css-tools: improper input validation during CSS parsing causes denial of service
Status: RESOLVED INVALID
Alias: None
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P3 - Medium
Severity: Normal
Target Milestone: ---
Assignee: Ladislav Slezák
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/385567/
Whiteboard:
Keywords:
Depends on: CVE-2023-26364
Blocks:
 
Reported: 2023-11-20 09:10 UTC by Carlos López
Modified: 2023-11-20 16:16 UTC

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Carlos López 2023-11-20 09:10:46 UTC
+++ This bug was initially created as a clone of Bug #1217322 +++

@adobe/css-tools version 4.3.0 and earlier are affected by an Improper Input
Validation vulnerability that could result in a minor denial of service while
attempting to parse CSS. Exploitation of this issue does not require user
interaction or privileges.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-26364
Comment 1 Carlos López 2023-11-20 09:11:23 UTC
- openSUSE:Factory/cockpit-agama embeds @adobe/css-tools (v4.3.1)
- SUSE:ALP:Source:Standard:1.0/cockpit-agama embeds @adobe/css-tools (v4.3.1)
Comment 2 Ladislav Slezák 2023-11-20 16:16:02 UTC
"@adobe/css-tools version 4.3.0 and earlier ..."

As mentioned in the previous comment, we already use 4.3.1, which should be OK. And there is nothing to upgrade to; 4.3.1 is still the latest version released (see https://www.npmjs.com/package/@adobe/css-tools).

If I haven't overlooked something, then this bug is not valid; I'm closing it as INVALID.

Note: we do not use that library directly; it is pulled in by the @testing-library/jest-dom dependency, which is only used for running the unit tests. That means this library is never used in production.
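The triage done by hand in Comments 1 and 2 (which version of @adobe/css-tools is embedded, whether it falls in the "4.3.0 and earlier" range from the advisory text, and whether it is reachable only through a devDependency such as @testing-library/jest-dom) can be checked mechanically against the project's package-lock.json. The script below is an added example, not code from this bug report or from the cockpit-agama project. It reads the lockfileVersion 2/3 "packages" layout, where npm marks entries that no production dependency path reaches with `dev: true`; both lockfiles in it are constructed for the example, and the package name `some-css-lib` in the second one is hypothetical.

```javascript
// Added example (not from the bug report or cockpit-agama): audit an npm
// lockfile for copies of @adobe/css-tools, compare each copy against the
// advisory's affected range ("4.3.0 and earlier"), and report whether the
// copy ships in production or is reachable only from devDependencies.

const TARGET = "@adobe/css-tools";
const FIRST_FIXED = "4.3.1"; // advisory text: 4.3.0 and earlier are affected

// Parse "MAJOR.MINOR.PATCH" into numbers; any pre-release suffix is ignored.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Numeric comparison: negative if a < b, zero if equal, positive if a > b.
// A plain string comparison would get "4.10.0" vs "4.3.1" wrong.
function compareVersions(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// Every lockfile entry for `name`, including nested copies such as
// node_modules/<parent>/node_modules/@adobe/css-tools.
function findCopies(lock, name) {
  const suffix = `node_modules/${name}`;
  return Object.entries(lock.packages || {})
    .filter(([path]) => path === suffix || path.endsWith(`/${suffix}`))
    .map(([path, entry]) => ({
      path,
      version: entry.version,
      // npm sets dev: true only when no production dependency reaches the package.
      devOnly: entry.dev === true,
      affected: compareVersions(entry.version, FIRST_FIXED) < 0,
    }));
}

// Verdict: action is needed only for a copy that is both affected and shipped
// in production. A dev-only copy, as in Comment 2, never runs in production.
function triage(lockfileText, name = TARGET) {
  const copies = findCopies(JSON.parse(lockfileText), name);
  const productionAffected = copies.filter((c) => c.affected && !c.devOnly);
  return { copies, actionRequired: productionAffected.length > 0 };
}

// Constructed lockfile mirroring Comment 2: css-tools 4.3.1 is pulled in
// only through @testing-library/jest-dom, a devDependency.
const LOCK_DEV_ONLY = JSON.stringify({
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", devDependencies: { "@testing-library/jest-dom": "^6.1.4" } },
    "node_modules/@testing-library/jest-dom": {
      version: "6.1.4", dev: true, dependencies: { "@adobe/css-tools": "^4.3.1" },
    },
    "node_modules/@adobe/css-tools": { version: "4.3.1", dev: true },
  },
});

// Constructed contrast case (hypothetical package some-css-lib): a nested
// 4.3.0 copy that a production dependency uses. This is the case that would
// actually need an update.
const LOCK_PROD_AFFECTED = JSON.stringify({
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", dependencies: { "some-css-lib": "1.0.0" } },
    "node_modules/some-css-lib": { version: "1.0.0", dependencies: { "@adobe/css-tools": "4.3.0" } },
    "node_modules/some-css-lib/node_modules/@adobe/css-tools": { version: "4.3.0" },
  },
});

for (const [label, lock] of [["dev-only", LOCK_DEV_ONLY], ["prod-affected", LOCK_PROD_AFFECTED]]) {
  console.log(label, JSON.stringify(triage(lock)));
}
```

To run it against a real checkout, replace the constructed lockfiles with `require("fs").readFileSync("package-lock.json", "utf8")`; `npm ls @adobe/css-tools` shows the same dependency path interactively, but the lockfile's `dev` flag is what makes the "test-only" claim verifiable without a resolver.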