libsass: CVE-2018-11499: heap use-after-free

Related Vulnerabilities: CVE-2018-11499, CVE-2018-19827, CVE-2019-6283, CVE-2019-6284, CVE-2019-6286

Debian Bug report logs - #900182
Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Sun, 27 May 2018 08:54:02 UTC

Severity: important

Tags: fixed-upstream, patch, security, upstream

Found in version libsass/3.4.8-1

Fixed in version libsass/3.5.5-3

Done: Jonas Smedegaard <dr@jones.dk>

Forwarded to https://github.com/sass/libsass/issues/2643


Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian Sass team <pkg-sass-devel@lists.alioth.debian.org>:
Bug#900182; Package src:libsass. (Sun, 27 May 2018 08:54:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian Sass team <pkg-sass-devel@lists.alioth.debian.org>. (Sun, 27 May 2018 08:54:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: libsass: CVE-2018-11499: heap use-after-free
Date: Sun, 27 May 2018 10:50:20 +0200
Source: libsass
Version: 3.4.8-1
Severity: important
Tags: security upstream

Hi,

The following vulnerability was published for libsass.

CVE-2018-11499[0]:
| A use-after-free vulnerability exists in handle_error() in
| sass_context.cpp in LibSass 3.4.x and 3.5.x through 3.5.4 that could be
| leveraged to cause a denial of service (application crash) or possibly
| unspecified other impact.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-11499
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11499
[1] https://github.com/sass/libsass/issues/2643

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Sass team <pkg-sass-devel@lists.alioth.debian.org>:
Bug#900182; Package src:libsass. (Mon, 11 Mar 2019 11:45:03 GMT)


Acknowledgement sent to Jonas Smedegaard <jonas@jones.dk>:
Extra info received and forwarded to list. Copy sent to Debian Sass team <pkg-sass-devel@lists.alioth.debian.org>. (Mon, 11 Mar 2019 11:45:03 GMT)


Message #10 received at 900182@bugs.debian.org:

From: Jonas Smedegaard <jonas@jones.dk>
To: 900182@bugs.debian.org, Salvatore Bonaccorso <carnil@debian.org>
Subject: Re: [Pkg-sass-devel] Bug#900182: libsass: CVE-2018-11499: heap use-after-free
Date: Mon, 11 Mar 2019 12:43:16 +0100
control: forwarded -1 https://github.com/sass/libsass/issues/2643
control: tags -1 patch

Quoting Salvatore Bonaccorso (2018-05-27 10:50:20)
> The following vulnerability was published for libsass.
> 
> CVE-2018-11499[0]:
> | A use-after-free vulnerability exists in handle_error() in
> | sass_context.cpp in LibSass 3.4.x and 3.5.x through 3.5.4 that could be
> | leveraged to cause a denial of service (application crash) or possibly
> | unspecified other impact.
> 
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> 
> For further information see:
> 
> [0] https://security-tracker.debian.org/tracker/CVE-2018-11499
>     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11499
> [1] https://github.com/sass/libsass/issues/2643

This seems to be the upstream fix:
https://github.com/sass/libsass/pull/2755/files/e81b722

 - Jonas

-- 
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private

Set Bug forwarded-to-address to 'https://github.com/sass/libsass/issues/2643'. Request was from Jonas Smedegaard <jonas@jones.dk> to 900182-submit@bugs.debian.org. (Mon, 11 Mar 2019 11:45:03 GMT)


Added tag(s) patch. Request was from Jonas Smedegaard <jonas@jones.dk> to 900182-submit@bugs.debian.org. (Mon, 11 Mar 2019 11:45:04 GMT)


Added tag(s) fixed-upstream. Request was from debian-bts-link@lists.debian.org to control@bugs.debian.org. (Thu, 14 Mar 2019 17:45:11 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Sass team <pkg-sass-devel@lists.alioth.debian.org>:
Bug#900182; Package src:libsass. (Tue, 07 May 2019 08:42:06 GMT)


Acknowledgement sent to Xavier <yadd@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Sass team <pkg-sass-devel@lists.alioth.debian.org>. (Tue, 07 May 2019 08:42:06 GMT)


Message #21 received at 900182@bugs.debian.org:

From: Xavier <yadd@debian.org>
To: 900182@bugs.debian.org
Subject: Proposed fix
Date: Tue, 7 May 2019 10:38:05 +0200

Hi all,

I pushed an MR[1] to fix this CVE tagged as "high" and also
CVE-2018-19827 (medium), CVE-2019-6283 (low), CVE-2019-6284 (low) and
CVE-2019-6286 (low)

Cheers,
Xavier

[1]: https://salsa.debian.org/sass-team/libsass/merge_requests/1



Reply sent to Jonas Smedegaard <dr@jones.dk>:
You have taken responsibility. (Tue, 21 May 2019 12:06:03 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Tue, 21 May 2019 12:06:04 GMT)


Message #26 received at 900182-close@bugs.debian.org:

From: Jonas Smedegaard <dr@jones.dk>
To: 900182-close@bugs.debian.org
Subject: Bug#900182: fixed in libsass 3.5.5-3
Date: Tue, 21 May 2019 12:03:48 +0000
Source: libsass
Source-Version: 3.5.5-3

We believe that the bug you reported is fixed in the latest version of
libsass, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 900182@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jonas Smedegaard <dr@jones.dk> (supplier of updated libsass package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Tue, 21 May 2019 13:32:29 +0200
Source: libsass
Architecture: source
Version: 3.5.5-3
Distribution: unstable
Urgency: high
Maintainer: Debian Sass team <pkg-sass-devel@lists.alioth.debian.org>
Changed-By: Jonas Smedegaard <dr@jones.dk>
Closes: 900182
Changes:
 libsass (3.5.5-3) unstable; urgency=high
 .
   * Add patches cherry-picked upstream
     to fix heap-buffer-overflow and heap-use-after-free security bugs.
     Thanks to Xavier Guimard. Closes: Bug#900182.
     CVE-2018-11499 CVE-2018-19827 CVE-2019-6283 CVE-2019-6284 CVE-2019-6286.
   * Set urgency=high due to security bugfixes.

Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 15:16:55 2019; Machine Name: buxtehude
