Description: "The parsing component in LibSass through 3.5.5 allows attackers to cause a denial-of-service (uncontrolled recursion in Sass::Parser::parse_css_variable_value in parser.cpp)."
3.6.1 is marked as stable, so I've made a PR to remove the 3.5.5 version: https://github.com/gentoo/gentoo/pull/14847

If the QA bot doesn't find any broken dependencies, please go ahead and merge it. If my PR ends up breaking some dependencies, I'll have to think of another solution (perhaps just masking 3.5.5).

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c84f7dff8e6a67bd4bc02b83119db11550990a2e

commit c84f7dff8e6a67bd4bc02b83119db11550990a2e
Author:     Andrew Ammerlaan <andrewammerlaan@riseup.net>
AuthorDate: 2020-03-06 13:28:02 +0000
Commit:     Joonas Niilola <juippis@gentoo.org>
CommitDate: 2020-03-06 15:55:35 +0000

    dev-libs/libsass: remove old 3.5.5

    3.5.5 has security issue, 3.6.1 is stable

    Bug: https://bugs.gentoo.org/711680
    Package-Manager: Portage-2.3.92, Repoman-2.3.20
    Signed-off-by: Andrew Ammerlaan <andrewammerlaan@riseup.net>
    Closes: https://github.com/gentoo/gentoo/pull/14847
    Signed-off-by: Joonas Niilola <juippis@gentoo.org>

 dev-libs/libsass/Manifest             |  1 -
 dev-libs/libsass/libsass-3.5.5.ebuild | 54 -----------------------------------
 2 files changed, 55 deletions(-)
GLSA Vote: No! Repository is clean, all done.
CVE-2019-6286 (https://nvd.nist.gov/vuln/detail/CVE-2019-6286):
In LibSass 3.5.5, a heap-based buffer over-read exists in Sass::Prelexer::skip_over_scopes in prelexer.hpp when called from Sass::Parser::parse_import(), a similar issue to CVE-2018-11693.

CVE-2019-6284 (https://nvd.nist.gov/vuln/detail/CVE-2019-6284):
In LibSass 3.5.5, a heap-based buffer over-read exists in Sass::Prelexer::alternatives in prelexer.hpp.

CVE-2019-6283 (https://nvd.nist.gov/vuln/detail/CVE-2019-6283):
In LibSass 3.5.5, a heap-based buffer over-read exists in Sass::Prelexer::parenthese_scope in prelexer.hpp.