| Summary: | libsass new security issues CVE-2018-11499, CVE-2018-19797, CVE-2018-19827, CVE-2018-1983[7-9], CVE-2018-20190, CVE-2018-2082[12], CVE-2019-628[346] | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | major | ||
| Priority: | Normal | CC: | andrewsfarm, guillomovitch, herman.viaene, sysadmin-bugs, tarazed25 |
| Version: | 7 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA7-64-OK | ||
| Source RPM: | libsass-3.5.5-1.mga7.src.rpm | CVE: | |
| Status comment: | |||
Description
David Walser
2019-11-26 17:05:29 CET
Status comment: (none) => Fixed upstream in 3.6.1

David Walser
2020-01-14 17:44:18 CET
Updated package uploaded by Guillaume.

Advisory:
========================

Updated libsass packages fix security vulnerabilities:

Use-after-free vulnerability in sass_context.cpp:handle_error (CVE-2018-11499).

Null pointer dereference in Sass::Selector_List::populate_extends (CVE-2018-19797).

Use-after-free vulnerability exists in the SharedPtr class (CVE-2018-19827).

Stack overflow in Eval::operator() (CVE-2018-19837).

Stack-overflow at IMPLEMENT_AST_OPERATORS expansion (CVE-2018-19838).

Buffer-overflow (OOB read) against some invalid input (CVE-2018-19839).

Null pointer dereference in Sass::Eval::operator()(Sass::Supports_Operator*) (CVE-2018-20190).

Uncontrolled recursion in Sass:Parser:parse_css_variable_value (CVE-2018-20821).

Stack-overflow at Sass::Inspect::operator() (CVE-2018-20822).

Heap-buffer-overflow in Sass::Prelexer::parenthese_scope(char const*) (CVE-2019-6283).

Heap-based buffer over-read exists in Sass:Prelexer:alternatives (CVE-2019-6284).

Heap-based buffer over-read exists in Sass:Prelexer:skip_over_scopes (CVE-2019-6286).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11499
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19797
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19827
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19837
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19838
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19839
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20190
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20821
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20822
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6283
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6284
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6286
https://lists.opensuse.org/opensuse-updates/2019-07/msg00119.html
========================

Updated packages in core/updates_testing:
========================
libsass0-3.6.1-1.mga7
libsass-devel-3.6.1-1.mga7

from libsass-3.6.1-1.mga7.src.rpm

Status comment: Fixed upstream in 3.6.1 => (none)

MGA7-64 Plasma on Lenovo B50
No installation issues
No previous update found on this, so hunting
# urpmq --whatrequires-recursive lib64sass0
lib64sass0
sassc
Googled for some example on sassc, but this is really developer stuff.
Up to the higher powers to decide to OK on clean install.
CC: (none) => herman.viaene

@Herman. I checked out the POC on this. The first CVE yields one: there is a file but no indication of what command to run with it.
Tried a guess:
$ sassc -t nested ./SESSION000:id:000072,sig:06,src:004062,op:flip1,pos:50
Error: Invalid CSS after "&": expected selector, was "�hover lrgba(100, 1"
on line 1 of [SELECTOR], in function `selector-nest`
from line 3 of SESSION000:id:000072,sig:06,src:004062,op:flip1,pos:50
>> /home/lcl/Downloads/
^
That does not look right. The original asan report ends with an ABORT and I suspect that any other POC would give similarly inconclusive results. Tried adding a dummy output file but still saw the
>> /home/lcl/Downloads/
^
comment.
sass is defined somewhere as a preprocessor for CSS, so if you are not into website building it is better to pass on that and just push it on a clean install. My ha'porth.
CC: (none) => tarazed25

@Len Since no one else dipped his/her toe into it, I follow your suggestion: OK on clean install.
Whiteboard: (none) => MGA7-64-OK

Sometimes that's all we can do. Validating. Advisory in Comment 1.
Keywords: (none) => validated_update
Lewis Smith
2020-01-27 19:37:28 CET
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2020-0049.html
Status: NEW => RESOLVED
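Added example, not part of this bug report, of Mageia's tooling or of the libsass project: a POSIX shell check that compares an installed libsass version against the fixed upstream version 3.6.1 named in the advisory, so an administrator can confirm the pushed update actually landed. The package name lib64sass0 is taken from the urpmq output in the thread; the script file name libsass_check.sh, the function names and the rpm query are assumptions, and the versions passed on the command line are constructed test inputs.

```shell
#!/bin/sh
# Added example (not from the bug report or libsass): verify that the
# installed libsass is at or above the version carrying the CVE fixes.
# Assumes the package name lib64sass0 (from the bug's urpmq output) and
# that this file is saved as libsass_check.sh.

FIXED_VERSION="3.6.1"   # "Fixed upstream in 3.6.1" per the advisory

# vercmp_ge A B: return 0 if dotted version A >= B, comparing each
# component numerically (so 3.10.0 >= 3.6.1). Missing components count
# as 0; non-digit suffixes such as "rc1" are stripped before comparing.
vercmp_ge() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai="${a%%.*}"; bi="${b%%.*}"
        if [ "$ai" = "$a" ]; then a=""; else a="${a#*.}"; fi
        if [ "$bi" = "$b" ]; then b=""; else b="${b#*.}"; fi
        ai=$(printf '%s' "$ai" | tr -cd '0-9'); ai="${ai:-0}"
        bi=$(printf '%s' "$bi" | tr -cd '0-9'); bi="${bi:-0}"
        if [ "$ai" -gt "$bi" ]; then return 0; fi
        if [ "$ai" -lt "$bi" ]; then return 1; fi
    done
    return 0
}

# libsass_fixed VERSION: print a verdict; return 0 if fixed, 1 if still
# affected by the CVEs listed in the advisory.
libsass_fixed() {
    if vercmp_ge "$1" "$FIXED_VERSION"; then
        echo "libsass $1: fixed (>= $FIXED_VERSION)"
        return 0
    fi
    echo "libsass $1: affected (< $FIXED_VERSION), update required"
    return 1
}

# installed_libsass_version: ask rpm for the installed lib64sass0 version.
# Prints nothing and returns 1 when rpm or the package is absent.
installed_libsass_version() {
    command -v rpm >/dev/null 2>&1 || return 1
    rpm -q lib64sass0 >/dev/null 2>&1 || return 1
    rpm -q --qf '%{VERSION}\n' lib64sass0
}

# main [VERSION]: check the given version, or the installed one if omitted.
# Exit codes: 0 fixed, 1 affected, 2 nothing to check.
main() {
    v="${1:-$(installed_libsass_version)}"
    if [ -z "$v" ]; then
        echo "lib64sass0 not installed or rpm unavailable; pass a version to check"
        return 2
    fi
    libsass_fixed "$v"
}

# Only run main when executed as the script file (assumed name), so the
# functions can also be sourced into another shell.
case "$0" in
    *libsass_check.sh) main "$@"; exit $? ;;
esac
```

Run `sh libsass_check.sh` on a Mageia 7 host to query rpm directly, or `sh libsass_check.sh 3.5.5` to test a version by hand; the exit code is meant for use in a fleet audit loop, where 1 flags hosts that still carry the pre-update 3.5.5 build named in the Source RPM field.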