Bug 742491 (CVE-2019-18798) - dev-libs/libsass: heap-based buffer over-read before 3.6.3
Summary: dev-libs/libsass: heap-based buffer over-read before 3.6.3
Alias: CVE-2019-18798
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
Whiteboard: ?? [ebuild]
Reported: 2020-09-14 12:34 UTC by Hanno Böck
Modified: 2020-09-15 05:33 UTC (History)
Description Hanno Böck gentoo-dev 2020-09-14 12:34:43 UTC
libsass 3.6.3 was an upstream security release.
We currently have 3.6.4 in the tree, but it is masked. However, the bug referenced in the mask is closed (#705682); not sure what the status there is exactly...
Comment 1 Andrew Ammerlaan 2020-09-14 12:56:51 UTC
The bug that masked 3.6.3 is also present in 3.6.4; I tested this when I bumped from 3.6.3 to 3.6.4. See also:

Hopefully it will be fixed in 3.6.5
Comment 2 Sam James archtester gentoo-dev Security 2020-09-15 05:33:23 UTC
Thanks Hanno and Andrew.

I assume these are the relevant commits:
* (Fix some null pointer access crashes)
* (Fix an interesting memory handling edge case)
* (Fix memory leak in Sass::Eval::operator()(Sass::String_Schema*))
* (Fix memory leak in Parser::parse_media_query)
* (Fix stack-overflow in Binary_Expression)
* (Fix heap-buffer-overflow in re_linebreak)
* (Fix out of boundary vector access)
* (Fix nullptr access on media query without type)
* (Fix out of boundary vector access)