libsass 3.6.3 was an upstream security release.
We currently have 3.6.4 in the tree, but it is masked. However, the bug referenced in the mask is closed (#705682); not sure what the status there is exactly...
The bug that masked 3.6.3 is also present in 3.6.4; I tested this when I bumped from 3.6.3 to 3.6.4. See also: https://github.com/gentoo/gentoo/pull/15596
Hopefully it will be fixed in 3.6.5.
Thanks Hanno and Andrew.
I assume these are the relevant commits:
* https://github.com/sass/libsass/commit/8bd60936b51c9944ae8dedf4ea840abb1cc3994c (Fix some null pointer access crashes)
* https://github.com/sass/libsass/commit/ad289a93194f2f02c89256cfb07704c729cf9809 (Fix an interesting memory handling edge case)
* https://github.com/sass/libsass/commit/1b9d52d98c990cebb2fa74fc02a483fa370e4e14 (Fix memory leak in Sass::Eval::operator()(Sass::String_Schema*))
* https://github.com/sass/libsass/commit/16f76e2cd6cebf0a31f579a40e635c309109e4db (Fix memory leak in Parser::parse_media_query)
* https://github.com/sass/libsass/commit/bf6ccae23b663902847576bf2a98838ef5510168 (Fix stack-overflow in Binary_Expression)
* https://github.com/sass/libsass/commit/7a21c79e321927363a153dc5d7e9c492365faf9b (Fix heap-buffer-overflow in re_linebreak)
* https://github.com/sass/libsass/commit/cbf4cb89e66124d69f906862f3bd2a379c00b157 (Fix out of boundary vector access)
* https://github.com/sass/libsass/commit/a5226f462a24a63280a7e0eb38ec8b5e4c6b3a50 (Fix nullptr access on media query without type)
* https://github.com/sass/libsass/commit/4c83fdb0fe90432cc9b778d816ffd6859e34ef2d (Fix out of boundary vector access)