Advisories » MGASA-2020-0049

Updated libsass packages fix security vulnerabilities

Publication date: 28 Jan 2020
Modification date: 28 Jan 2020
Type: security
Affected Mageia releases: 7
CVE: CVE-2018-11499, CVE-2018-19797, CVE-2018-19827, CVE-2018-19837, CVE-2018-19838, CVE-2018-19839, CVE-2018-20190, CVE-2018-20821, CVE-2018-20822, CVE-2019-6283, CVE-2019-6284, CVE-2019-6286

Description

Use-after-free vulnerability in sass_context.cpp:handle_error
(CVE-2018-11499).

Null pointer dereference in Sass::Selector_List::populate_extends
(CVE-2018-19797).

Use-after-free vulnerability exists in the SharedPtr class
(CVE-2018-19827).

Stack overflow in Eval::operator() (CVE-2018-19837).

Stack-overflow at IMPLEMENT_AST_OPERATORS expansion (CVE-2018-19838).

Buffer-overflow (OOB read) against some invalid input (CVE-2018-19839).

Null pointer dereference in
Sass::Eval::operator()(Sass::Supports_Operator*) (CVE-2018-20190).

Uncontrolled recursion in Sass::Parser::parse_css_variable_value
(CVE-2018-20821).

Stack-overflow at Sass::Inspect::operator() (CVE-2018-20822).

Heap-buffer-overflow in Sass::Prelexer::parenthese_scope(char const*)
(CVE-2019-6283).

Heap-based buffer over-read exists in Sass::Prelexer::alternatives
(CVE-2019-6284).

Heap-based buffer over-read exists in Sass::Prelexer::skip_over_scopes
(CVE-2019-6286).

References

SRPMS

7/core