
Bug 711680 (CVE-2018-20821, CVE-2019-6283, CVE-2019-6284, CVE-2019-6286)

Summary: <dev-libs/libsass-3.6.0: Multiple vulnerabilities (CVE-2018-20821,CVE-2019-{6283,6284,6286})
Product: Gentoo Security
Reporter: Sam James <sam>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: nowa, proxy-maint
Priority: Normal
Keywords: PullRequest
Version: unspecified
Hardware: All
OS: Linux
URL: https://github.com/sass/libsass/issues/2658
See Also: https://github.com/gentoo/gentoo/pull/14847
Whiteboard: B3 [noglsa cve]
Package list:
Runtime testing required: ---

Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-03-06 12:41:59 UTC
Description:
"The parsing component in LibSass through 3.5.5 allows attackers to cause a denial-of-service (uncontrolled recursion in Sass::Parser::parse_css_variable_value in parser.cpp)."
Comment 1 Nowa Ammerlaan gentoo-dev 2020-03-06 13:37:10 UTC
3.6.1 is marked as stable, so I've made a PR to remove the 3.5.5 version:
https://github.com/gentoo/gentoo/pull/14847

If the QA bot doesn't find any broken dependencies, please go ahead and merge it.
If my PR ends up breaking some dependencies, I'll have to think of another solution (perhaps just masking 3.5.5).
Comment 2 Larry the Git Cow gentoo-dev 2020-03-06 15:55:49 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c84f7dff8e6a67bd4bc02b83119db11550990a2e

commit c84f7dff8e6a67bd4bc02b83119db11550990a2e
Author:     Andrew Ammerlaan <andrewammerlaan@riseup.net>
AuthorDate: 2020-03-06 13:28:02 +0000
Commit:     Joonas Niilola <juippis@gentoo.org>
CommitDate: 2020-03-06 15:55:35 +0000

    dev-libs/libsass: remove old 3.5.5
    
    3.5.5 has security issue, 3.6.1 is stable
    
    Bug: https://bugs.gentoo.org/711680
    Package-Manager: Portage-2.3.92, Repoman-2.3.20
    Signed-off-by: Andrew Ammerlaan <andrewammerlaan@riseup.net>
    Closes: https://github.com/gentoo/gentoo/pull/14847
    Signed-off-by: Joonas Niilola <juippis@gentoo.org>

 dev-libs/libsass/Manifest             |  1 -
 dev-libs/libsass/libsass-3.5.5.ebuild | 54 -----------------------------------
 2 files changed, 55 deletions(-)
Comment 3 Thomas Deutschmann (RETIRED) gentoo-dev 2020-03-08 00:34:05 UTC
GLSA Vote: No!

Repository is clean, all done.
Comment 4 GLSAMaker/CVETool Bot gentoo-dev 2020-04-17 01:16:18 UTC
CVE-2019-6286 (https://nvd.nist.gov/vuln/detail/CVE-2019-6286):
  In LibSass 3.5.5, a heap-based buffer over-read exists in
  Sass::Prelexer::skip_over_scopes in prelexer.hpp when called from
  Sass::Parser::parse_import(), a similar issue to CVE-2018-11693.

CVE-2019-6284 (https://nvd.nist.gov/vuln/detail/CVE-2019-6284):
  In LibSass 3.5.5, a heap-based buffer over-read exists in
  Sass::Prelexer::alternatives in prelexer.hpp.

CVE-2019-6283 (https://nvd.nist.gov/vuln/detail/CVE-2019-6283):
  In LibSass 3.5.5, a heap-based buffer over-read exists in
  Sass::Prelexer::parenthese_scope in prelexer.hpp.