Debian Bug report logs -
#873034
CVE-2017-12962 CVE-2017-12963 CVE-2017-12964
Reported by: Moritz Muehlenhoff <jmm@debian.org>
Date: Wed, 23 Aug 2017 20:54:02 UTC
Severity: important
Tags: security
Done: Jonas Smedegaard <jonas@jones.dk>
Bug is archived. No further changes may be made.
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Sass team <pkg-sass-devel@lists.alioth.debian.org>:
Bug#873034; Package src:libsass.
(Wed, 23 Aug 2017 20:54:04 GMT) (full text, mbox, link).
Acknowledgement sent
to Moritz Muehlenhoff <jmm@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Sass team <pkg-sass-devel@lists.alioth.debian.org>.
(Wed, 23 Aug 2017 20:54:04 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Source: libsass
Severity: important
Tags: security
Please see:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12962
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12963
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12964
Cheers,
Moritz
Reply sent
to 873034@bugs.debian.org:
You have taken responsibility.
(Mon, 11 Mar 2019 12:36:04 GMT) (full text, mbox, link).
Notification sent
to Moritz Muehlenhoff <jmm@debian.org>:
Bug acknowledged by developer.
(Mon, 11 Mar 2019 12:36:04 GMT) (full text, mbox, link).
Message #10 received at 873034-done@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
control: tags -1 unreproducible
Quoting Moritz Muehlenhoff (2017-08-23 22:51:57)
> Please see:
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12962
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12963
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12964
None of above seems to affects Debian released versions of libsass.
CVE-2017-12962 hints that (at least) version 3.4.5 is affected.
https://bugzilla.redhat.com/show_bug.cgi?id=1482331 indicates that the
bug should be reproducible on Debian systems using these commands:
apt install sassc wget ca-certificates unrar
wget https://bugzilla.redhat.com/attachment.cgi?id=1314521
unrar x attachment.cgi?id=1314521
sassc POC7
On a stretch+non-free chroot with libsass1 3.4.3-1 and sassc 3.4.2-1,
last command above results in this non-segfault error:
Internal Error: Invalid UTF-8
On a buster+non-free chroot with libsass1 3.5.5-2 and sassc 3.5.0-1,
last command above results in this non-segfault error:
Internal Error: Invalid UTF-8
CVE-2017-12963 hints that (at least) version 3.4.5 is affected.
https://bugzilla.redhat.com/show_bug.cgi?id=1482335 indicates that the
bug should be reproducible on Debian systems using these commands:
apt install sassc wget ca-certificates
wget https://bugzilla.redhat.com/attachment.cgi?id=1314525
sassc attachment.cgi\?id\=1314525
On a stretch chroot with libsass1 3.4.3-1 and sassc 3.4.2-1, last
command above results in this non-segfault error:
Error: Undefined operation: "746666666666646691131686912 mod %".
on line 1 of /attachment.cgi?id=1314525
>> $I:K66666466+KKKOKO6=746666666666646666666666466%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-------------^
On a buster chroot with libsass1 3.5.5-2 and sassc 3.5.0-1, last command
above results in this non-segfault error:
Error: Invalid UTF-8 sequence
on line 1 of /attachment.cgi?id=1314525
>> 666666666466+KKKOKO=7+66+KKKOKO=7+666666QK�6666466+K666666QK�6666466+KKKOKO6
------------------------------------------^
CVE-2017-12964 hints that (at least) version 3.4.5 is affected.
https://bugzilla.redhat.com/show_bug.cgi?id=1482397 indicates that the
bug should be reproducible on Debian systems using these commands:
apt install sassc wget ca-certificates unrar
wget https://bugzilla.redhat.com/attachment.cgi?id=1314586
unrar x attachment.cgi\?id\=1314586
sassc POC9
On a stretch+non-free chroot with libsass1 3.4.3-1 and sassc 3.4.2-1,
last command above results in this non-segfault error:
Error: Undefined operation: "746666666666646691131686912 mod %".
on line 1 of POC9
>> $I:K66666466+KKKOKO6=746666666666646666666666466%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-------------^
On a buster+non-free chroot with libsass1 3.5.5-2 and sassc 3.5.0-1,
last command above results in this non-segfault error:
Error: Invalid UTF-8 sequence
on line 1 of /POC9
>> 666666666466+KKKOKO=7+66+KKKOKO=7+666666QK�6666466+K666666QK�6666466+KKKOKO6
------------------------------------------^
- Jonas
--
* Jonas Smedegaard - idealist & Internet-arkitekt
* Tlf.: +45 40843136 Website: http://dr.jones.dk/
[x] quote me freely [ ] ask before reusing [ ] keep private
[signature.asc (application/pgp-signature, inline)]
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Tue, 09 Apr 2019 07:27:09 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Wed Jun 19 17:58:33 2019;
Machine Name:
buxtehude
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.
Vulmon