libsass 3.6.3 was an upstream security release. We currently have 3.6.4 in the tree, but it is masked. However the bug referenced in the mask is closed (#705682), not sure what the status there is exactly...
The bug that masked 3.6.3 is also present in 3.6.4; I tested this when I bumped from 3.6.3 to 3.6.4. See also: https://github.com/gentoo/gentoo/pull/15596
Hopefully it will be fixed in 3.6.5.
Thanks Hanno and Andrew. I assume these are the relevant commits:
* https://github.com/sass/libsass/commit/8bd60936b51c9944ae8dedf4ea840abb1cc3994c (Fix some null pointer access crashes)
* https://github.com/sass/libsass/commit/ad289a93194f2f02c89256cfb07704c729cf9809 (Fix an interesting memory handling edge case)
* https://github.com/sass/libsass/commit/1b9d52d98c990cebb2fa74fc02a483fa370e4e14 (Fix memory leak in Sass::Eval::operator()(Sass::String_Schema*))
* https://github.com/sass/libsass/commit/16f76e2cd6cebf0a31f579a40e635c309109e4db (Fix memory leak in Parser::parse_media_query)
* https://github.com/sass/libsass/commit/bf6ccae23b663902847576bf2a98838ef5510168 (Fix stack-overflow in Binary_Expression)
* https://github.com/sass/libsass/commit/7a21c79e321927363a153dc5d7e9c492365faf9b (Fix heap-buffer-overflow in re_linebreak)
* https://github.com/sass/libsass/commit/cbf4cb89e66124d69f906862f3bd2a379c00b157 (Fix out of boundary vector access)
* https://github.com/sass/libsass/commit/a5226f462a24a63280a7e0eb38ec8b5e4c6b3a50 (Fix nullptr access on media query without type)
* https://github.com/sass/libsass/commit/4c83fdb0fe90432cc9b778d816ffd6859e34ef2d (Fix out of boundary vector access)
The memory issue that caused the masking of 3.6.3 and 3.6.4 has been fixed in 3.6.5 (added today). 3.6.4 has been removed, and the mask has been lifted. As soon as 3.6.5 is stable we can remove 3.6.1 which should resolve this security issue.
Thanks! For future reference there's nothing wrong with handling stabilization directly in security bugs. Seems like the patches Sam linked were all in 3.6.4, so putting that in summary as earliest fixed version security-wise.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3eff25597cd163b05a9ca186f52e4f71387026bd

commit 3eff25597cd163b05a9ca186f52e4f71387026bd
Author:     Andrew Ammerlaan <andrewammerlaan@gentoo.org>
AuthorDate: 2021-05-22 15:30:36 +0000
Commit:     Andrew Ammerlaan <andrewammerlaan@gentoo.org>
CommitDate: 2021-05-22 15:30:36 +0000

    dev-libs/libsass: drop 3.6.1

    Bug: https://bugs.gentoo.org/742491
    Package-Manager: Portage-3.0.18, Repoman-3.0.3
    Signed-off-by: Andrew Ammerlaan <andrewammerlaan@gentoo.org>

 dev-libs/libsass/Manifest             |  1 -
 dev-libs/libsass/libsass-3.6.1.ebuild | 53 -----------------------------------
 2 files changed, 54 deletions(-)
All affected versions have been removed.
Thank you!
Package list is empty or all packages have requested keywords.