[Pkg-sass-devel] Bug#870186: Bug#870186: Bug#870186: libsass: CVE-2017-11608
Jonas Smedegaard
jonas at jones.dk
Mon Mar 11 16:47:56 GMT 2019
Quoting Salvatore Bonaccorso (2019-03-11 17:14:31)
> Control: fixed -1 3.4.6-1
>
> Hi,
>
> On Mon, Mar 11, 2019 at 01:49:36PM +0100, Jonas Smedegaard wrote:
> > Quoting Jonas Smedegaard (2019-03-11 13:43:41)
> > > POC on Debian stretch with libsass1 3.4.3-1 and sassc 3.4.2-1:
> > >
> > > Error: Invalid UTF-8 sequence
> > > on line 1 of /attachment.cgi?id=1303540
> > > >> "�d\
> > > -^
> >
> > Correction: Above was with libsass1 3.5.5-2 and sassc 3.5.0-1.
>
> Did you build with ASAN to verify?
>
> The issue should be fixed with
> https://github.com/sass/libsass/commit/648f763ede97f9a2c2c843a0a18ac18bbde3507b
> which was in 3.4.6 (so indeed the issue does not affect anymore
> sid/buster which included the above commit with the 3.4.6-1 upload).

No, I simply tested with official packaged code.

I have stopped working on the other security bugs against libsass,
because I realize I lack the needed skills. :-(

- Jonas
--
* Jonas Smedegaard - idealist & Internet-arkitekt
* Tlf.: +45 40843136 Website: http://dr.jones.dk/
[x] quote me freely [ ] ask before reusing [ ] keep private