Debian Bug report logs -
#870186
libsass: CVE-2017-11608
Reported by: Salvatore Bonaccorso <carnil@debian.org>
Date: Sun, 30 Jul 2017 19:57:07 UTC
Severity: important
Tags: security, upstream
Found in version libsass/3.4.3-1
Fixed in version libsass/3.4.6-1
Done: Jonas Smedegaard <jonas@jones.dk>
Bug is archived. No further changes may be made.
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Sass team <pkg-sass-devel@lists.alioth.debian.org>:
Bug#870186; Package src:libsass.
(Sun, 30 Jul 2017 19:57:09 GMT) (full text, mbox, link).
Acknowledgement sent
to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Sass team <pkg-sass-devel@lists.alioth.debian.org>.
(Sun, 30 Jul 2017 19:57:09 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Source: libsass
Version: 3.4.3-1
Severity: important
Tags: security upstream
Hi,
the following vulnerability was published for libsass.
CVE-2017-11608[0]:
| There is a heap-based buffer over-read in the
| Sass::Prelexer::re_linebreak function in lexer.cpp in LibSass 3.4.5. A
| crafted input will lead to a remote denial of service attack.
Can you please double-check this report and possibly report it
upstream.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2017-11608
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11608
[1] https://bugzilla.redhat.com/show_bug.cgi?id=1474276
Regards,
Salvatore
Reply sent
to 870186@bugs.debian.org:
You have taken responsibility.
(Mon, 11 Mar 2019 12:45:03 GMT) (full text, mbox, link).
Notification sent
to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer.
(Mon, 11 Mar 2019 12:45:03 GMT) (full text, mbox, link).
Message #10 received at 870186-done@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
control: tags -1 unreproducible
Quoting Salvatore Bonaccorso (2017-07-30 21:55:27)
> the following vulnerability was published for libsass.
>
> CVE-2017-11608[0]:
> | There is a heap-based buffer over-read in the
> | Sass::Prelexer::re_linebreak function in lexer.cpp in LibSass 3.4.5. A
> | crafted input will lead to a remote denial of service attack.
>
> Can you please double-check this report and possibly report it
> upstream.
>
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>
> For further information see:
>
> [0] https://security-tracker.debian.org/tracker/CVE-2017-11608
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11608
> [1] https://bugzilla.redhat.com/show_bug.cgi?id=1474276
This bug does not affect any release of libsass in Debian.
POC on Debian stretch with libsass1 3.4.3-1 and sassc 3.4.2-1:
Internal Error: Invalid UTF-8
POC on Debian stretch with libsass1 3.4.3-1 and sassc 3.4.2-1:
Error: Invalid UTF-8 sequence
on line 1 of /attachment.cgi?id=1303540
>> "�d\
-^
- Jonas
--
* Jonas Smedegaard - idealist & Internet-arkitekt
* Tlf.: +45 40843136 Website: http://dr.jones.dk/
[x] quote me freely [ ] ask before reusing [ ] keep private
[signature.asc (application/pgp-signature, inline)]
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Sass team <pkg-sass-devel@lists.alioth.debian.org>:
Bug#870186; Package src:libsass.
(Mon, 11 Mar 2019 12:51:03 GMT) (full text, mbox, link).
Acknowledgement sent
to Jonas Smedegaard <jonas@jones.dk>:
Extra info received and forwarded to list. Copy sent to Debian Sass team <pkg-sass-devel@lists.alioth.debian.org>.
(Mon, 11 Mar 2019 12:51:03 GMT) (full text, mbox, link).
Message #15 received at 870186@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
Quoting Jonas Smedegaard (2019-03-11 13:43:41)
> POC on Debian stretch with libsass1 3.4.3-1 and sassc 3.4.2-1:
>
> Error: Invalid UTF-8 sequence
> on line 1 of /attachment.cgi?id=1303540
> >> "�d\
> -^
Correction: Aboce was with libsass1 3.5.5-2 and sassc 3.5.0-1.
- Jonas
--
* Jonas Smedegaard - idealist & Internet-arkitekt
* Tlf.: +45 40843136 Website: http://dr.jones.dk/
[x] quote me freely [ ] ask before reusing [ ] keep private
[signature.asc (application/pgp-signature, inline)]
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Sass team <pkg-sass-devel@lists.alioth.debian.org>:
Bug#870186; Package src:libsass.
(Mon, 11 Mar 2019 16:15:06 GMT) (full text, mbox, link).
Acknowledgement sent
to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Sass team <pkg-sass-devel@lists.alioth.debian.org>.
(Mon, 11 Mar 2019 16:15:06 GMT) (full text, mbox, link).
Message #20 received at 870186@bugs.debian.org (full text, mbox, reply):
Control: fixed -1 3.4.6-1
Hi,
On Mon, Mar 11, 2019 at 01:49:36PM +0100, Jonas Smedegaard wrote:
> Quoting Jonas Smedegaard (2019-03-11 13:43:41)
> > POC on Debian stretch with libsass1 3.4.3-1 and sassc 3.4.2-1:
> >
> > Error: Invalid UTF-8 sequence
> > on line 1 of /attachment.cgi?id=1303540
> > >> "�d\
> > -^
>
> Correction: Aboce was with libsass1 3.5.5-2 and sassc 3.5.0-1.
Did you build with ASAN to verify?
The issue should be fixed with
https://github.com/sass/libsass/commit/648f763ede97f9a2c2c843a0a18ac18bbde3507b
which was in 3.4.6 (so indeed the issue does not affect anymore
sid/buster which included the above commit with the 3.4.6-1 upload).
Regards,
Salvatore
Marked as fixed in versions libsass/3.4.6-1.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to 870186-submit@bugs.debian.org.
(Mon, 11 Mar 2019 16:15:07 GMT) (full text, mbox, link).
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Sass team <pkg-sass-devel@lists.alioth.debian.org>:
Bug#870186; Package src:libsass.
(Mon, 11 Mar 2019 16:27:03 GMT) (full text, mbox, link).
Acknowledgement sent
to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Sass team <pkg-sass-devel@lists.alioth.debian.org>.
(Mon, 11 Mar 2019 16:27:03 GMT) (full text, mbox, link).
Message #27 received at 870186@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
Contol: tags -1 - unreproducible
Hi,
Actually running under valgrind shows the invalid read of size 1 under
stretch. But the issue is fixed in the sid version already.
Regards,
Salvatore
[valgrind.log.xz (application/x-xz, attachment)]
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Sass team <pkg-sass-devel@lists.alioth.debian.org>:
Bug#870186; Package src:libsass.
(Mon, 11 Mar 2019 16:51:06 GMT) (full text, mbox, link).
Acknowledgement sent
to Jonas Smedegaard <jonas@jones.dk>:
Extra info received and forwarded to list. Copy sent to Debian Sass team <pkg-sass-devel@lists.alioth.debian.org>.
(Mon, 11 Mar 2019 16:51:06 GMT) (full text, mbox, link).
Message #32 received at 870186@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
Quoting Salvatore Bonaccorso (2019-03-11 17:14:31)
> Control: fixed -1 3.4.6-1
>
> Hi,
>
> On Mon, Mar 11, 2019 at 01:49:36PM +0100, Jonas Smedegaard wrote:
> > Quoting Jonas Smedegaard (2019-03-11 13:43:41)
> > > POC on Debian stretch with libsass1 3.4.3-1 and sassc 3.4.2-1:
> > >
> > > Error: Invalid UTF-8 sequence
> > > on line 1 of /attachment.cgi?id=1303540
> > > >> "�d\
> > > -^
> >
> > Correction: Aboce was with libsass1 3.5.5-2 and sassc 3.5.0-1.
>
> Did you build with ASAN to verify?
>
> The issue should be fixed with
> https://github.com/sass/libsass/commit/648f763ede97f9a2c2c843a0a18ac18bbde3507b
> which was in 3.4.6 (so indeed the issue does not affect anymore
> sid/buster which included the above commit with the 3.4.6-1 upload).
No, I simply tested with official packaged code.
I have stopped working on the other security bugs against libsass,
because I realize I lack the needed skills. :-(
- Jonas
--
* Jonas Smedegaard - idealist & Internet-arkitekt
* Tlf.: +45 40843136 Website: http://dr.jones.dk/
[x] quote me freely [ ] ask before reusing [ ] keep private
[signature.asc (application/pgp-signature, inline)]
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Tue, 09 Apr 2019 07:32:21 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Wed Jun 19 13:04:01 2019;
Machine Name:
buxtehude
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.
Vulmon