Bug 2250364 (CVE-2023-26364)

Summary: CVE-2023-26364 css-tools: Improper Input Validation causes Denial of Service via Regular Expression
Product: [Other] Security Response Reporter: Patrick Del Bello <pdelbell>
Component: vulnerabilityAssignee: Product Security <prodsec-ir-bot>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: aazores, abarbaro, adupliak, alcohan, amctagga, asoldano, bbaranow, bmaxwell, brian.stansberry, cdewolf, chazlett, cmah, darran.lofthouse, dkenigsb, dkreling, dosoudil, drosa, eaguilar, ebaron, epacific, fdeutsch, fjuma, gercan, gparvin, haoli, hkataria, istudens, ivassile, iweiss, jajackso, jcammara, jchui, jhardy, jhe, jkang, jkoehler, jmitchel, jneedle, jobarker, jolong, jpallich, kegrant, koliveir, kshier, ktsao, lgao, lphiri, mabashia, manissin, mnovotny, mosmerov, msochure, mstefank, msvehla, nboldt, njean, nwallace, oramraz, owatkins, pahickey, pbizzarr, pbraun, pesilva, pjindal, pmackay, psrna, rguimara, rhaigner, rjohnson, rstancel, saroy, sausingh, sfroberg, shvarugh, simaishi, smaestri, smcdonal, smullick, stcannon, stirabos, teagle, tfister, thason, thavo, tom.jenkinson, yguenane, zsadeh
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: css-tools 4.3.1 Doc Type: ---
Doc Text:
A flaw was found in Adobe CSS Tools. An improper input validation could result in a minor denial of service while parsing a malicious CSS with the parse component. User interaction and privileges are not required to jeopardize an environment.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2250366, 2250367, 2306484    
Bug Blocks: 2250363    

Description Patrick Del Bello 2023-11-17 21:58:50 UTC 
@adobe/css-tools version 4.3.0 and earlier are affected by an Improper Input Validation vulnerability that could result in a minor denial of service while attempting to parse CSS. Exploitation of this issue does not require user interaction or privileges.

https://github.com/adobe/css-tools/security/advisories/GHSA-hpx4-r86g-5jrg
Comment 2 errata-xmlrpc 2024-05-23 06:39:37 UTC 
This issue has been addressed in the following products:

  MTA-7.0-RHEL-9
  MTA-7.0-RHEL-8

Via RHSA-2024:3316 https://access.redhat.com/errata/RHSA-2024:3316
Comment 3 errata-xmlrpc 2024-06-13 11:38:25 UTC 
This issue has been addressed in the following products:

  Migration Toolkit for Runtimes 1 on RHEL 8

Via RHSA-2024:3919 https://access.redhat.com/errata/RHSA-2024:3919
Comment 4 errata-xmlrpc 2024-06-20 00:35:44 UTC 
This issue has been addressed in the following products:

  MTA-6.2-RHEL-9
  MTA-6.2-RHEL-8

Via RHSA-2024:3989 https://access.redhat.com/errata/RHSA-2024:3989
Comment 5 errata-xmlrpc 2024-10-30 14:25:56 UTC 
This issue has been addressed in the following products:

  RHODF-4.17-RHEL-9

Via RHSA-2024:8676 https://access.redhat.com/errata/RHSA-2024:8676
Comment 6 errata-xmlrpc 2025-01-08 11:31:21 UTC 
This issue has been addressed in the following products:

  RHODF-4.16-RHEL-9

Via RHSA-2025:0082 https://access.redhat.com/errata/RHSA-2025:0082
Comment 7 errata-xmlrpc 2025-01-09 11:28:11 UTC 
This issue has been addressed in the following products:

  RHODF-4.15-RHEL-9

Via RHSA-2025:0164 https://access.redhat.com/errata/RHSA-2025:0164
Comment 8 errata-xmlrpc 2025-01-15 01:20:05 UTC 
This issue has been addressed in the following products:

  RHODF-4.14-RHEL-9

Via RHSA-2025:0323 https://access.redhat.com/errata/RHSA-2025:0323