[Pkg-sass-devel] Bug#900182: Bug#900182: libsass: CVE-2018-11499: heap use-after-free
Jonas Smedegaard
jonas at jones.dk
Mon Mar 11 11:43:16 GMT 2019
control: forwarded -1 https://github.com/sass/libsass/issues/2643
control: tags -1 patch
Quoting Salvatore Bonaccorso (2018-05-27 10:50:20)
> The following vulnerability was published for libsass.
>
> CVE-2018-11499[0]:
> | A use-after-free vulnerability exists in handle_error() in
> | sass_context.cpp in LibSass 3.4.x and 3.5.x through 3.5.4 that could be
> | leveraged to cause a denial of service (application crash) or possibly
> | unspecified other impact.
>
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>
> For further information see:
>
> [0] https://security-tracker.debian.org/tracker/CVE-2018-11499
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11499
> [1] https://github.com/sass/libsass/issues/2643
This seems to be the upstream fix:
https://github.com/sass/libsass/pull/2755/files/e81b722
- Jonas
--
* Jonas Smedegaard - idealist & Internet-arkitekt
* Tlf.: +45 40843136 Website: http://dr.jones.dk/
[x] quote me freely [ ] ask before reusing [ ] keep private