[Pkg-sass-devel] Bug#866672: libsass: CVE-2017-10687: heap based buffer overflow

Salvatore Bonaccorso carnil at debian.org
Fri Jun 30 18:40:58 UTC 2017


Source: libsass
Version: 3.4.3-1
Severity: important
Tags: security upstream

Hi,

the following vulnerability was published for libsass.

CVE-2017-10687[0]:
| In LibSass 3.4.5, there is a heap-based buffer over-read in the
| function json_mkstream() in sass_context.cpp. A crafted input will lead
| to a remote denial of service attack.

With an ASAN build of libsass:

LD_PRELOAD=/usr/lib/x86_64-linux-gnu/libasan.so.3.0.0 sassc ./POC1
=================================================================
==21164==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61d00001f315 at pc 0x7f4e93272f4f bp 0x7ffeb6ff7e40 sp 0x7ffeb6ff75f0
READ of size 78 at 0x61d00001f315 thread T0
    #0 0x7f4e93272f4e  (/usr/lib/x86_64-linux-gnu/libasan.so.3.0.0+0x5cf4e)
    #1 0x7f4e92e1f7f6 in void std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::_M_construct<char const*>(char const*, char const*, std::forward_iterator_tag) /usr/include/c++/6/bits/basic_string.tcc:225
    #2 0x7f4e92e1ccb4 in void std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::_M_construct_aux<char const*>(char const*, char const*, std::__false_type) /usr/include/c++/6/bits/basic_string.h:196
    #3 0x7f4e92e1a3b8 in void std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::_M_construct<char const*>(char const*, char const*) /usr/include/c++/6/bits/basic_string.h:215
    #4 0x7f4e92e189f1 in std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::basic_string<char const*, void>(char const*, char const*, std::allocator<char> const&) /usr/include/c++/6/bits/basic_string.h:552
    #5 0x7f4e92f455ba in handle_error src/sass_context.cpp:91
    #6 0x7f4e92f466c8 in handle_errors src/sass_context.cpp:200
    #7 0x7f4e92f469d1 in sass_parse_block src/sass_context.cpp:247
    #8 0x7f4e92f474ba in sass_compiler_parse src/sass_context.cpp:471
    #9 0x7f4e92f46d07 in sass_compile_context src/sass_context.cpp:359
    #10 0x7f4e92f47395 in sass_compile_file_context src/sass_context.cpp:458
    #11 0x564fbf64a455  (/usr/bin/sassc+0x2455)
    #12 0x564fbf649f7d  (/usr/bin/sassc+0x1f7d)
    #13 0x7f4e91d9d2b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
    #14 0x564fbf649fe9  (/usr/bin/sassc+0x1fe9)

0x61d00001f315 is located 0 bytes to the right of 2197-byte region [0x61d00001ea80,0x61d00001f315)
allocated by thread T0 here:
    #0 0x7f4e932d7cf8 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.3.0.0+0xc1cf8)
    #1 0x7f4e92e6d881 in Sass::File::read_file(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) src/file.cpp:395
    #2 0x7f4e92e1461b in Sass::File_Context::parse() src/context.cpp:553
    #3 0x7f4e92f46843 in sass_parse_block src/sass_context.cpp:228
    #4 0x7f4e92f474ba in sass_compiler_parse src/sass_context.cpp:471
    #5 0x7f4e92f46d07 in sass_compile_context src/sass_context.cpp:359
    #6 0x7f4e92f47395 in sass_compile_file_context src/sass_context.cpp:458
    #7 0x564fbf64a455  (/usr/bin/sassc+0x2455)

SUMMARY: AddressSanitizer: heap-buffer-overflow (/usr/lib/x86_64-linux-gnu/libasan.so.3.0.0+0x5cf4e) 
Shadow bytes around the buggy address:
  0x0c3a7fffbe10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c3a7fffbe20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c3a7fffbe30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c3a7fffbe40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c3a7fffbe50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c3a7fffbe60: 00 00[05]fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3a7fffbe70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3a7fffbe80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3a7fffbe90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3a7fffbea0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3a7fffbeb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==21164==ABORTING

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-10687
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10687
[1] https://bugzilla.redhat.com/show_bug.cgi?id=1466411

Regards,
Salvatore
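As an added illustration of the bug class behind the ASan trace above (this is example code written for this page, not libsass's own code and not part of the bug report): handle_error builds a std::string from a [begin, end) pointer pair that points into the heap buffer read_file allocated for the source. The trace shows the copy starting exactly at the first byte past the 2197-byte region, i.e. at offset == size, and reading 78 bytes into the redzone. The hardened excerpt routine below clamps the end pointer to the buffer before constructing the string and treats an offset at or beyond the end as "nothing to quote". The function names, the range check and the sample SCSS buffer are all constructed here and are not taken from the library.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstring>
#include <iostream>
#include <string>
#include <vector>

// Hypothetical model of the pattern in the ASan trace: an error handler builds a
// std::string from a [begin, end) pointer pair into the heap buffer holding the
// source file. If `end` comes from a parser position or a fixed context width and
// is not clamped to the buffer, basic_string::_M_construct copies bytes past the
// allocation. Illustrative code, not libsass's; names and sample input are made up.

// True iff the n bytes starting at `p` lie inside [base, base + size).
// Works on unsigned offsets so no pointer is ever formed past the end.
bool range_in_bounds(const char* base, std::size_t size,
                     const char* p, std::size_t n)
{
    if (base == nullptr || p == nullptr || p < base) return false;
    std::size_t off = static_cast<std::size_t>(p - base);
    return off <= size && n <= size - off;
}

// Hardened excerpt: text from `offset` to the end of its line, capped at
// `max_width` bytes, never touching memory outside [data, data + size).
// The buffer is NOT assumed to be NUL-terminated, so no strlen/strchr.
std::string line_excerpt(const char* data, std::size_t size,
                         std::size_t offset, std::size_t max_width)
{
    // Offset at or beyond the end: nothing to quote. This is exactly the
    // situation in the trace (begin == one past the allocation).
    if (data == nullptr || offset >= size) return std::string();

    std::size_t width = std::min(max_width, size - offset);   // clamp first
    const char* begin = data + offset;
    // Bounded scan for the line end; memchr looks at most `width` bytes.
    const void* nl = std::memchr(begin, '\n', width);
    const char* end = nl ? static_cast<const char*>(nl) : begin + width;
    return std::string(begin, end);   // [begin, end) is now within the buffer
}

// Constructed sample: an exact-size heap buffer with two lines of SCSS,
// no trailing newline and no NUL terminator (like a malloc of the file size).
std::vector<char> sample_source()
{
    const char text[] = "a { color: red;\n  b { x }";
    return std::vector<char>(text, text + sizeof(text) - 1);   // 25 bytes, NUL dropped
}

// Convenience wrappers over the sample buffer for the demo and the checks.
std::string demo_excerpt(std::size_t offset, std::size_t max_width)
{
    std::vector<char> src = sample_source();
    return line_excerpt(src.data(), src.size(), offset, max_width);
}

bool demo_in_bounds(std::size_t offset, std::size_t n)
{
    std::vector<char> src = sample_source();
    if (offset > src.size()) return false;   // never form a pointer past one-past-end
    return range_in_bounds(src.data(), src.size(), src.data() + offset, n);
}

int main()
{
    std::cout << "line 1: \"" << demo_excerpt(0, 78) << "\"\n";
    std::cout << "line 2: \"" << demo_excerpt(16, 78) << "\"\n";
    std::cout << "at end: \"" << demo_excerpt(25, 78) << "\"\n";
    std::cout << "78 bytes at offset 25 in bounds? "
              << (demo_in_bounds(25, 78) ? "yes" : "no") << "\n";
    return 0;
}
```

The important detail is the order of operations: the width is clamped to `size - offset` before any pointer or std::string is built, and the line-end scan is memchr with that clamped length rather than strchr, so a buffer that is not NUL-terminated cannot send the scan past its end. Building the same binary with -fsanitize=address and feeding it a source whose reported error position is at the last byte is the quickest way to confirm a fix for this class of bug.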
