FS#54923 - [libsass] denial of service (CVE-2017-11608,11605,1555,11554)

Attached to Project: Community Packages
Opened by Pablo Lezaeta (Jristz) - Tuesday, 25 July 2017, 06:10 GMT
Last edited by freswa (frederik) - Thursday, 10 September 2020, 15:31 GMT
Task Type Bug Report
Category Security
Status Closed
Assigned To Jerome Leclanche (Adys)
Levente Polyak (anthraxx)
Architecture All
Severity Medium
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 0
Private No

Details

Summary
=======

The package libsass is vulnerable to denial of service via CVE-2017-11608, CVE-2017-11605, CVE-2017-11555 and CVE-2017-11554.

Guidance
========

Most of them are DoS remotely usable, but with a "high" severity; at writing time there is not a patch in any of the bugtrackers but there is some work on the github official page.

All bugs have been reported to the upstream github page and in most cases the link is available in the Referenced links.

References
==========

https://security.archlinux.org/AVG-359
https://bugzilla.redhat.com/show_bug.cgi?id=1474276
https://bugzilla.redhat.com/show_bug.cgi?id=1474019
https://bugzilla.redhat.com/show_bug.cgi?id=1471780
https://github.com/sass/libsass/issues/2445
https://bugzilla.redhat.com/show_bug.cgi?id=1471782

Closed by freswa (frederik)
Thursday, 10 September 2020, 15:31 GMT
Reason for closing: Fixed
Additional comments about closing: libsass 3.4.7-1
Comment by Jerome Leclanche (Adys) - Wednesday, 26 July 2017, 00:47 GMT
Comment by Ivy Foster (escondida) - Thursday, 10 October 2019, 23:32 GMT
Do we know for sure whether any of these are still open at this point?
Comment by loqs (loqs) - Thursday, 10 September 2020, 15:18 GMT
See attached PKGBUILDs used for testing. Testing command: LD_PRELOAD=libasan.so sassc POC (using preload to force correct lib load order)

CVE-2017-11608
https://bugzilla.redhat.com/show_bug.cgi?id=1474276 has POC
https://security-tracker.debian.org/tracker/CVE-2017-11608 attributes the fix to https://github.com/sass/libsass/commit/648f763ede97f9a2c2c843a0a18ac18bbde3507b which was first included in 3.4.6.
Looks to be https://github.com/sass/libsass/commit/c22721d0be97b2b8b2833a8b14f97d51ab7d8cf4 in 3.5-stable and master branches including current release 3.6.4.
Confirmed fixed by 648f763ede97f9a2c2c843a0a18ac18bbde3507b by testing.

CVE-2017-11605
https://bugzilla.redhat.com/show_bug.cgi?id=1474019 has POC
https://github.com/sass/libsass/issues/2682 upstream does not know status.
Reverse git bisection between 3.6.5 and 3.6.6 using the POC and ASAN leads to 648f763ede97f9a2c2c843a0a18ac18bbde3507b as the fix, the same commit as for CVE-2017-11608.

CVE-2017-11555
https://bugzilla.redhat.com/show_bug.cgi?id=1471782 has POC
https://security-tracker.debian.org/tracker/CVE-2017-11555 attributes fix to https://github.com/sass/libsass/commit/946ef4995bee1b19de581b69850e1eb841c06b12 which was first included in 3.5.0.
Looks to be https://github.com/sass/libsass/commit/a3c3a76beea0f6adbba6659258c16caa52f42dfa which was first included in 3.4.6.
Confirmed fixed by a3c3a76beea0f6adbba6659258c16caa52f42dfa by testing.

CVE-2017-11554
https://bugzilla.redhat.com/show_bug.cgi?id=1471780 has POC
https://github.com/sass/libsass/issues/2445
https://security-tracker.debian.org/tracker/CVE-2017-11554 attributes fix to https://github.com/sass/libsass/commit/7664114543757e932f5b1a2ff5295aa9b34f8623 which was first included in 3.5.0.
Looks to be https://github.com/sass/libsass/commit/6c8bbdcee9c77e02639cd88ef11d16df87be36f5 which was first included in 3.4.6.
Confirmed fixed by 6c8bbdcee9c77e02639cd88ef11d16df87be36f5 by testing.
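The reverse bisection with ASAN that the comment above describes, written out as a step script for `git bisect run`. This is an added example, not a script from the bug report or from the libsass project; LIBSASS, SASSC, POC and REBUILD are hypothetical names for a libsass checkout, a sassc binary linked against it, the crashing input and the rebuild command.

```shell
#!/bin/sh
# Added example (not from the bug report): `git bisect run` step script for
# locating the commit that FIXES a libsass crash reproduced by a POC input.
# Hypothetical assumptions: LIBSASS is a libsass checkout, SASSC a sassc binary
# linked against it, POC the crashing .scss file, REBUILD rebuilds libsass.
set -eu

: "${LIBSASS:=./libsass}" "${SASSC:=./sassc/bin/sassc}" "${POC:=./poc.scss}"
: "${REBUILD:=make -C $LIBSASS -j4}"

# Map one test run onto `git bisect run` exit codes for a REVERSE bisection
# (terms: old = still crashes, new = fixed), so the fix commit is the answer:
#   0   old  -> ASAN reported a fault, or the process died by signal
#   1   new  -> clean run: this commit already contains the fix
#   125 skip -> commit does not build, so neither answer applies
# Arguments: build status, sassc exit status, captured stderr text.
classify() {
  if [ "$1" -ne 0 ]; then return 125; fi
  case "$3" in
    *AddressSanitizer*) return 0 ;;
  esac
  if [ "$2" -ge 128 ]; then return 0; fi   # 128+signal: SIGSEGV, SIGABRT, ...
  return 1
}

bisect_step() {
  build=0; $REBUILD >/dev/null 2>&1 || build=$?
  run=0
  # Capture stderr only: that is where ASAN writes its report.  libasan is
  # preloaded, as in the comment above, to force the correct library order.
  err=$(LD_PRELOAD=libasan.so "$SASSC" "$POC" 2>&1 >/dev/null) || run=$?
  classify "$build" "$run" "$err"
}

# Run the step only when invoked for bisection, so the file can also be
# sourced for its functions.
if [ "${BISECT_STEP:-0}" = 1 ]; then
  bisect_step
fi
```

Start with `git bisect start --term-old=crashes --term-new=fixed`, mark the endpoints with `git bisect crashes <crashing-tag>` and `git bisect fixed <fixed-tag>`, then run `BISECT_STEP=1 git bisect run sh bisect-step.sh`; git stops on the first commit classified as fixed.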
