SB2018120318 - Multiple vulnerabilities in Sass LibSass

Description

This security bulletin contains information about 3 secuirty vulnerabilities.

1) Infinite loop (CVE-ID: CVE-2018-19826)

The vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.

** DISPUTED ** In inspect.cpp in LibSass 3.5.5, a high memory footprint caused by an endless loop (containing a Sass::Inspect::operator()(Sass::String_Quoted*) stack frame) may cause a Denial of Service via crafted sass input files with stray '&' or '/' characters. NOTE: Upstream comments indicate this issue is closed as "won't fix" and "works as intended" by design.

2) Use-after-free (CVE-ID: CVE-2018-19827)

The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.

In LibSass 3.5.5, a use-after-free vulnerability exists in the SharedPtr class in SharedPtr.cpp (or SharedPtr.hpp) that may cause a denial of service (application crash) or possibly have unspecified other impact.

3) NULL pointer dereference (CVE-ID: CVE-2018-19797)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a NULL pointer dereference error. A remote attacker can trigger denial of service conditions via a crafted sass input file.

Remediation

Cybersecurity Help is not aware of any official remediation provided by the vendor.

References

• https://github.com/sass/libsass/issues/2781
• http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00047.html
• http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00051.html
• http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00027.html
• https://github.com/sass/libsass/issues/2782
• https://github.com/sass/libsass/issues/2779