[Pkg-sass-devel] Bug#900182: Bug#900182: libsass: CVE-2018-11499: heap use-after-free

Jonas Smedegaard jonas at jones.dk
Mon Mar 11 11:43:16 GMT 2019


control: forwarded -1 https://github.com/sass/libsass/issues/2643
control: tags -1 patch

Quoting Salvatore Bonaccorso (2018-05-27 10:50:20)
> The following vulnerability was published for libsass.
> 
> CVE-2018-11499[0]:
> | A use-after-free vulnerability exists in handle_error() in
> | sass_context.cpp in LibSass 3.4.x and 3.5.x through 3.5.4 that could be
> | leveraged to cause a denial of service (application crash) or possibly
> | unspecified other impact.
> 
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> 
> For further information see:
> 
> [0] https://security-tracker.debian.org/tracker/CVE-2018-11499
>     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11499
> [1] https://github.com/sass/libsass/issues/2643

This seems to be upstream fix: 
https://github.com/sass/libsass/pull/2755/files/e81b722

 - Jonas

-- 
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: signature
URL: <http://alioth-lists.debian.net/pipermail/pkg-sass-devel/attachments/20190311/03c87acc/attachment.sig>


More information about the pkg-sass-devel mailing list