Community Packages

Please read this before reporting a bug:
https://wiki.archlinux.org/title/Bug_reporting_guidelines

Do NOT report bugs when a package is just outdated, or it is in the AUR. Use the 'flag out of date' link on the package page, or the Mailing List.

REPEAT: Do NOT report bugs for outdated packages!
Tasklist

FS#54923 - [libsass] denial of service (CVE-2017-11608,11605,1555,11554)

Attached to Project: Community Packages
Opened by Pablo Lezaeta (Jristz) - Tuesday, 25 July 2017, 06:10 GMT
Last edited by freswa (frederik) - Thursday, 10 September 2020, 15:31 GMT
Task Type Bug Report
Category Security
Status Closed
Assigned To Jerome Leclanche (Adys)
Levente Polyak (anthraxx)
Architecture All
Severity Medium
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 0
Private No

Details

Summary
=======

The package libsass is vulnerable to denial of service via CVE-2017-11608, CVE-2017-11605, CVE-2017-11555 and CVE-2017-11554.

Guidance
========

Most of them are DoS remotely usable, but witha "high" severity; at writting time there not a patch in any of the bugtrackers but there is some work on the github official page.

All bugs has been reported to upstream github page and in most cases the link is available on the Refecensed links.

References
==========

https://security.archlinux.org/AVG-359
https://bugzilla.redhat.com/show_bug.cgi?id=1474276
https://bugzilla.redhat.com/show_bug.cgi?id=1474019
https://bugzilla.redhat.com/show_bug.cgi?id=1471780
https://github.com/sass/libsass/issues/2445
https://bugzilla.redhat.com/show_bug.cgi?id=1471782
This task depends upon

Closed by  freswa (frederik)
Thursday, 10 September 2020, 15:31 GMT
Reason for closing:  Fixed
Additional comments about closing:  libsass 3.4.7-1
Comment by Jerome Leclanche (Adys) - Wednesday, 26 July 2017, 00:47 GMT Comment by Ivy Foster (escondida) - Thursday, 10 October 2019, 23:32 GMT
Do we know for sure whether any of these are still open at this point?
Comment by loqs (loqs) - Thursday, 10 September 2020, 15:18 GMT
See attached PKGBUILDs used for testing. Testing command LD_PRELOAD=libasan.so sassc POC (using preload to force correct lib load order)

CVE-2017-11608
https://bugzilla.redhat.com/show_bug.cgi?id=1474276 has POC
https://security-tracker.debian.org/tracker/CVE-2017-11608 attributes the fix to https://github.com/sass/libsass/commit/648f763ede97f9a2c2c843a0a18ac18bbde3507b which was first included in 3.4.6.
Looks to be https://github.com/sass/libsass/commit/c22721d0be97b2b8b2833a8b14f97d51ab7d8cf4 in 3.5-stable and master branches including current release 3.6.4.
Confirmed fixed by 648f763ede97f9a2c2c843a0a18ac18bbde3507b by testing.

CVE-2017-11605
https://bugzilla.redhat.com/show_bug.cgi?id=1474019 has POC
https://github.com/sass/libsass/issues/2682 upstream does not know status.
Reverse git bisection between 3.6.5 and 3.6.6 using the POC and ASAN leads to as the fix 648f763ede97f9a2c2c843a0a18ac18bbde3507b same commit as for CVE-2017-11608.

CVE-2017-11555
https://bugzilla.redhat.com/show_bug.cgi?id=1471782 has POC
https://security-tracker.debian.org/tracker/CVE-2017-11555 attrbutes fix to https://github.com/sass/libsass/commit/946ef4995bee1b19de581b69850e1eb841c06b12 which was first included in 3.5.0.
Looks to be https://github.com/sass/libsass/commit/a3c3a76beea0f6adbba6659258c16caa52f42dfa which was first included in 3.4.6.
Confirmed fixed by a3c3a76beea0f6adbba6659258c16caa52f42dfa by testing.

CVE-2017-11554
https://bugzilla.redhat.com/show_bug.cgi?id=1471780 has POC
https://github.com/sass/libsass/issues/2445
https://security-tracker.debian.org/tracker/CVE-2017-11554 attributes fix to https://github.com/sass/libsass/commit/7664114543757e932f5b1a2ff5295aa9b34f8623 which was first included in 3.5.0.
Looks to be https://github.com/sass/libsass/commit/6c8bbdcee9c77e02639cd88ef11d16df87be36f5 which was first included in 3.4.6.
Confirmed fixed by 6c8bbdcee9c77e02639cd88ef11d16df87be36f5 by testing.

Loading...