[Pkg-sass-devel] Bug#870186: Bug#870186: libsass: CVE-2017-11608

Salvatore Bonaccorso carnil at debian.org
Mon Mar 11 16:14:31 GMT 2019


Control: fixed -1 3.4.6-1

Hi,

On Mon, Mar 11, 2019 at 01:49:36PM +0100, Jonas Smedegaard wrote:
> Quoting Jonas Smedegaard (2019-03-11 13:43:41)
> > POC on Debian stretch with libsass1 3.4.3-1 and sassc 3.4.2-1:
> > 
> > Error: Invalid UTF-8 sequence
> >         on line 1 of /attachment.cgi?id=1303540
> > >> "�d\
> >    -^
> 
> Correction: Above was with libsass1 3.5.5-2 and sassc 3.5.0-1.

Did you build with ASAN to verify?

The issue should be fixed with
https://github.com/sass/libsass/commit/648f763ede97f9a2c2c843a0a18ac18bbde3507b
which was in 3.4.6 (so indeed the issue no longer affects
sid/buster, which included the above commit with the 3.4.6-1 upload).

Regards,
Salvatore


