Updated libsass packages fix security vulnerabilities
Publication date: 28 Jan 2020
Modification date: 28 Jan 2020
Type: security
Affected Mageia releases: 7
CVE: CVE-2018-11499, CVE-2018-19797, CVE-2018-19827, CVE-2018-19837, CVE-2018-19838, CVE-2018-19839, CVE-2018-20190, CVE-2018-20821, CVE-2018-20822, CVE-2019-6283, CVE-2019-6284, CVE-2019-6286
Description
The updated packages fix the following vulnerabilities in libsass:
- Use-after-free in sass_context.cpp:handle_error (CVE-2018-11499).
- Null pointer dereference in Sass::Selector_List::populate_extends (CVE-2018-19797).
- Use-after-free in the SharedPtr class (CVE-2018-19827).
- Stack overflow in Eval::operator() (CVE-2018-19837).
- Stack overflow at IMPLEMENT_AST_OPERATORS expansion (CVE-2018-19838).
- Buffer overflow (out-of-bounds read) on some invalid input (CVE-2018-19839).
- Null pointer dereference in Sass::Eval::operator()(Sass::Supports_Operator*) (CVE-2018-20190).
- Uncontrolled recursion in Sass::Parser::parse_css_variable_value (CVE-2018-20821).
- Stack overflow at Sass::Inspect::operator() (CVE-2018-20822).
- Heap buffer overflow in Sass::Prelexer::parenthese_scope(char const*) (CVE-2019-6283).
- Heap-based buffer over-read in Sass::Prelexer::alternatives (CVE-2019-6284).
- Heap-based buffer over-read in Sass::Prelexer::skip_over_scopes (CVE-2019-6286).
References
- https://bugs.mageia.org/show_bug.cgi?id=25755
- https://lists.opensuse.org/opensuse-updates/2019-07/msg00119.html
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11499
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19797
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19827
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19837
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19838
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19839
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20190
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20821
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20822
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6283
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6284
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6286
SRPMS
7/core
- libsass-3.6.1-1.mga7