
Bug 742491 (CVE-2019-18798)

Summary: <dev-libs/libsass-3.6.4: multiple vulnerabilities (CVE-2019-18798)
Product: Gentoo Security
Reporter: Hanno Böck <hanno>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: IN_PROGRESS
Severity: minor
CC: andrewammerlaan, proxy-maint
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: https://nvd.nist.gov/vuln/detail/CVE-2019-18798
Whiteboard: B3 [glsa?]
Package list:
Runtime testing required: ---
Bug Depends on: 791337
Bug Blocks:

Description Hanno Böck gentoo-dev 2020-09-14 12:34:43 UTC
libsass 3.6.3 was an upstream security release.
We currently have 3.6.4 in the tree, but it is masked. However the bug referenced in the mask is closed (#705682), not sure what the status there is exactly...
Comment 1 Andrew Ammerlaan gentoo-dev 2020-09-14 12:56:51 UTC
The bug that masked 3.6.3 is also present in 3.6.4, I tested this when I bumped from 3.6.3 to 3.6.4. See also: https://github.com/gentoo/gentoo/pull/15596

Hopefully it will be fixed in 3.6.5
Comment 2 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-09-15 05:33:23 UTC
Thanks Hanno and Andrew.

I assume these are the relevant commits:
* https://github.com/sass/libsass/commit/8bd60936b51c9944ae8dedf4ea840abb1cc3994c (Fix some null pointer access crashes)
* https://github.com/sass/libsass/commit/ad289a93194f2f02c89256cfb07704c729cf9809 (Fix an interesting memory handling edge case)
* https://github.com/sass/libsass/commit/1b9d52d98c990cebb2fa74fc02a483fa370e4e14 (Fix memory leak in Sass::Eval::operator()(Sass::String_Schema*))
* https://github.com/sass/libsass/commit/16f76e2cd6cebf0a31f579a40e635c309109e4db (Fix memory leak in Parser::parse_media_query)
* https://github.com/sass/libsass/commit/bf6ccae23b663902847576bf2a98838ef5510168 (Fix stack-overflow in Binary_Expression)
* https://github.com/sass/libsass/commit/7a21c79e321927363a153dc5d7e9c492365faf9b (Fix heap-buffer-overflow in re_linebreak)
* https://github.com/sass/libsass/commit/cbf4cb89e66124d69f906862f3bd2a379c00b157 (Fix out of boundary vector access)
* https://github.com/sass/libsass/commit/a5226f462a24a63280a7e0eb38ec8b5e4c6b3a50 (Fix nullptr access on media query without type)
* https://github.com/sass/libsass/commit/4c83fdb0fe90432cc9b778d816ffd6859e34ef2d (Fix out of boundary vector access)
Comment 3 Andrew Ammerlaan gentoo-dev 2021-05-21 14:10:35 UTC
The memory issue that caused the masking of 3.6.3 and 3.6.4 has been fixed in 3.6.5 (added today). 3.6.4 has been removed, and the mask has been lifted. As soon as 3.6.5 is stable we can remove 3.6.1 which should resolve this security issue.
Comment 4 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-05-21 21:07:34 UTC
Thanks! For future reference there's nothing wrong with handling stabilization directly in security bugs.

Seems like the patches Sam linked were all in 3.6.4, so putting that in summary as earliest fixed version security-wise.
Comment 5 Larry the Git Cow gentoo-dev 2021-05-22 15:31:30 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3eff25597cd163b05a9ca186f52e4f71387026bd

commit 3eff25597cd163b05a9ca186f52e4f71387026bd
Author:     Andrew Ammerlaan <andrewammerlaan@gentoo.org>
AuthorDate: 2021-05-22 15:30:36 +0000
Commit:     Andrew Ammerlaan <andrewammerlaan@gentoo.org>
CommitDate: 2021-05-22 15:30:36 +0000

    dev-libs/libsass: drop 3.6.1
    
    Bug: https://bugs.gentoo.org/742491
    Package-Manager: Portage-3.0.18, Repoman-3.0.3
    Signed-off-by: Andrew Ammerlaan <andrewammerlaan@gentoo.org>

 dev-libs/libsass/Manifest             |  1 -
 dev-libs/libsass/libsass-3.6.1.ebuild | 53 -----------------------------------
 2 files changed, 54 deletions(-)
Comment 6 Andrew Ammerlaan gentoo-dev 2021-05-22 15:37:04 UTC
All affected versions have been removed.
Comment 7 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-05-22 18:05:22 UTC
Thank you!
Comment 8 NATTkA bot gentoo-dev 2021-07-29 17:25:56 UTC
Package list is empty or all packages have requested keywords.