Summary: | <dev-libs/libsass-3.6.4: multiple vulnerabilities (CVE-2019-18798) | |
---|---|---|---
Product: | Gentoo Security | Reporter: | Hanno Böck <hanno>
Component: | Vulnerabilities | Assignee: | Gentoo Security <security>
Status: | IN_PROGRESS --- | |
Severity: | minor | CC: | andrewammerlaan, proxy-maint
Priority: | Normal | |
Version: | unspecified | |
Hardware: | All | |
OS: | Linux | |
URL: | https://nvd.nist.gov/vuln/detail/CVE-2019-18798 | |
Whiteboard: | B3 [glsa?] | |
Package list: | | Runtime testing required: | ---
Bug Depends on: | 791337 | |
Bug Blocks: | | |
Description
Hanno Böck
2020-09-14 12:34:43 UTC
The bug that masked 3.6.3 is also present in 3.6.4, I tested this when I bumped from 3.6.3 to 3.6.4. See also: https://github.com/gentoo/gentoo/pull/15596

Hopefully it will be fixed in 3.6.5.

Thanks Hanno and Andrew. I assume these are the relevant commits:

* https://github.com/sass/libsass/commit/8bd60936b51c9944ae8dedf4ea840abb1cc3994c (Fix some null pointer access crashes)
* https://github.com/sass/libsass/commit/ad289a93194f2f02c89256cfb07704c729cf9809 (Fix an interesting memory handling edge case)
* https://github.com/sass/libsass/commit/1b9d52d98c990cebb2fa74fc02a483fa370e4e14 (Fix memory leak in Sass::Eval::operator()(Sass::String_Schema*))
* https://github.com/sass/libsass/commit/16f76e2cd6cebf0a31f579a40e635c309109e4db (Fix memory leak in Parser::parse_media_query)
* https://github.com/sass/libsass/commit/bf6ccae23b663902847576bf2a98838ef5510168 (Fix stack-overflow in Binary_Expression)
* https://github.com/sass/libsass/commit/7a21c79e321927363a153dc5d7e9c492365faf9b (Fix heap-buffer-overflow in re_linebreak)
* https://github.com/sass/libsass/commit/cbf4cb89e66124d69f906862f3bd2a379c00b157 (Fix out of boundary vector access)
* https://github.com/sass/libsass/commit/a5226f462a24a63280a7e0eb38ec8b5e4c6b3a50 (Fix nullptr access on media query without type)
* https://github.com/sass/libsass/commit/4c83fdb0fe90432cc9b778d816ffd6859e34ef2d (Fix out of boundary vector access)

The memory issue that caused the masking of 3.6.3 and 3.6.4 has been fixed in 3.6.5 (added today). 3.6.4 has been removed, and the mask has been lifted. As soon as 3.6.5 is stable we can remove 3.6.1 which should resolve this security issue.

Thanks! For future reference there's nothing wrong with handling stabilization directly in security bugs.

Seems like the patches Sam linked were all in 3.6.4, so putting that in summary as earliest fixed version security-wise.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3eff25597cd163b05a9ca186f52e4f71387026bd

commit 3eff25597cd163b05a9ca186f52e4f71387026bd
Author:     Andrew Ammerlaan <andrewammerlaan@gentoo.org>
AuthorDate: 2021-05-22 15:30:36 +0000
Commit:     Andrew Ammerlaan <andrewammerlaan@gentoo.org>
CommitDate: 2021-05-22 15:30:36 +0000

    dev-libs/libsass: drop 3.6.1

    Bug: https://bugs.gentoo.org/742491
    Package-Manager: Portage-3.0.18, Repoman-3.0.3
    Signed-off-by: Andrew Ammerlaan <andrewammerlaan@gentoo.org>

 dev-libs/libsass/Manifest             |  1 -
 dev-libs/libsass/libsass-3.6.1.ebuild | 53 -----------------------------------
 2 files changed, 54 deletions(-)

All affected versions have been removed. Thank you!

Package list is empty or all packages have requested keywords.