Community Packages

FS#54923 - [libsass] denial of service (CVE-2017-11608, CVE-2017-11605, CVE-2017-11555, CVE-2017-11554)

Attached to Project: Community Packages
Opened by: Pablo Lezaeta (Jristz) - Tuesday, 25 July 2017, 06:10 GMT
Last edited by: freswa (frederik) - Thursday, 10 September 2020, 15:31 GMT
Task Type: Bug Report
Category: Security
Status: Closed
Assigned To: Jerome Leclanche (Adys), Levente Polyak (anthraxx)
Architecture: All
Severity: Medium
Priority: Normal
Reported Version:
Due in Version: Undecided
Due Date: Undecided
Percent Complete: 100%
Votes: 0
Private: No

The package libsass is vulnerable to denial of service via CVE-2017-11608, CVE-2017-11605, CVE-2017-11555 and CVE-2017-11554.

Most of them are remotely usable DoS, but with a "high" severity; at writing time there is not a patch in any of the bug trackers, but there is some work on the official GitHub page.

All bugs have been reported to the upstream GitHub page and in most cases the link is available in the referenced links.


Closed by freswa (frederik) - Thursday, 10 September 2020, 15:31 GMT
Reason for closing: Fixed
Additional comments about closing: libsass 3.4.7-1
Comment by Jerome Leclanche (Adys) - Wednesday, 26 July 2017, 00:47 GMT

Comment by Ivy Foster (escondida) - Thursday, 10 October 2019, 23:32 GMT
Do we know for sure whether any of these are still open at this point?
Comment by loqs (loqs) - Thursday, 10 September 2020, 15:18 GMT
See attached PKGBUILDs used for testing. Testing command: sassc POC (using preload to force the correct lib load order).

CVE-2017-11608 has a POC that attributes the fix to which was first included in 3.4.6.
Looks to be in 3.5-stable and master branches including current release 3.6.4.
Confirmed fixed by 648f763ede97f9a2c2c843a0a18ac18bbde3507b by testing.

CVE-2017-11605 has a POC; upstream does not know the status.
Reverse git bisection between 3.6.5 and 3.6.6 using the POC and ASAN leads to 648f763ede97f9a2c2c843a0a18ac18bbde3507b as the fix, the same commit as for CVE-2017-11608.

CVE-2017-11555 has a POC that attributes the fix to which was first included in 3.5.0.
Looks to be which was first included in 3.4.6.
Confirmed fixed by a3c3a76beea0f6adbba6659258c16caa52f42dfa by testing.

CVE-2017-11554 has a POC that attributes the fix to which was first included in 3.5.0.
Looks to be which was first included in 3.4.6.
Confirmed fixed by 6c8bbdcee9c77e02639cd88ef11d16df87be36f5 by testing.
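The "reverse git bisection" used in the comment above (finding the commit that fixed a crash rather than the one that introduced it) as an added example; this is not code from the bug report, from the attached PKGBUILDs, or from libsass/sassc. It assumes git 2.7 or later (for `--term-old`/`--term-new`) and takes the check command as a parameter: in the real case that would build the checked-out libsass plus sassc with ASAN and run the POC under the preload the comment mentions, exiting non-zero on a sanitizer report; that step is not reproduced here. The repository built by `make_demo_repo`, its tag names and the `grep` stand-in check are all constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the bug report or from libsass/sassc: a "reverse"
# git bisect that finds the commit which FIXED a crash, given an older ref that
# still crashes and a newer one that does not. git lets the bad/good states be
# renamed, so they are called "broken" and "fixed" here. The caller supplies the
# check command; in the report that would build libsass and sassc with ASAN and
# run the POC, which is not reproduced here. The repository built by
# make_demo_repo is constructed for this demo only.
set -eu

# find_fixing_commit REPO BROKEN_REF FIXED_REF CHECK
#   CHECK is a shell snippet run inside REPO that exits 0 when the tree is fixed
#   and non-zero when it still crashes. Prints the first commit at which CHECK
#   succeeds (the fix), or nothing if bisection did not converge.
find_fixing_commit() {
    repo=$1 broken=$2 fixed=$3 check=$4
    git -C "$repo" bisect reset >/dev/null 2>&1 || true
    # Positional refs are <new> then <old>, i.e. the fixed ref before the broken one.
    git -C "$repo" bisect start --term-old=broken --term-new=fixed "$fixed" "$broken" >/dev/null
    # 'git bisect run' reads exit 0 as "old" (here: still broken) and 1-127 as
    # "new" (here: fixed), the reverse of a normal crash test, so invert CHECK.
    out=$(git -C "$repo" bisect run sh -c "if $check; then exit 1; else exit 0; fi")
    git -C "$repo" bisect reset >/dev/null 2>&1
    printf '%s\n' "$out" | sed -n 's/^\([0-9a-f]\{40\}\) is the first fixed commit.*/\1/p'
}

# make_demo_repo DIR: five commits in which the file "status" reads "crash" until
# the fourth commit switches it to "ok". Tags (constructed): broken-release
# (1st commit), fix-here (4th), fixed-release (5th).
make_demo_repo() {
    d=$1
    git init -q "$d"
    for i in 1 2 3 4 5; do
        if [ "$i" -ge 4 ]; then echo ok >"$d/status"; else echo crash >"$d/status"; fi
        echo "$i" >"$d/version"          # keeps every commit non-empty
        git -C "$d" add status version
        git -C "$d" -c user.name=demo -c user.email=demo@example.invalid commit -q -m "commit $i"
        case $i in
            1) git -C "$d" tag broken-release ;;
            4) git -C "$d" tag fix-here ;;
            5) git -C "$d" tag fixed-release ;;
        esac
    done
}

# run_demo: bisect the toy repo with a grep standing in for the ASAN/POC run and
# report whether the commit found is the one tagged fix-here.
run_demo() {
    d=$(mktemp -d)
    make_demo_repo "$d"
    found=$(find_fixing_commit "$d" broken-release fixed-release 'grep -q ok status')
    expected=$(git -C "$d" rev-parse fix-here)
    rm -rf "$d"
    if [ -n "$found" ] && [ "$found" = "$expected" ]; then
        echo "fix-found $found"
    else
        echo "mismatch found=$found expected=$expected"
    fi
}

if [ "${1:-}" = "--demo" ]; then run_demo; fi
```

Run it with `--demo` to see the toy bisection land on the fourth commit. The one detail worth remembering from this is the inverted exit code: `git bisect run` always maps exit 0 to the "old" state, so when the old state is "still crashes" the crash test has to be negated, otherwise the bisection converges on the wrong commit without any error.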