SB2018120407 - Denial of service in LibSass

Description

This security bulletin contains information about 4 secuirty vulnerabilities.

1) Stack-based buffer overflow (CVE-ID: CVE-2018-19837)

The vulnerability allows a remote attacker to cause DoS condition.

The vulnerability exists due to stack-based buffer overflow in Sass::Eval::operator()(Sass::Binary_Expression*) inside eval.cpp when incorrect parsing of '%' as a modulo operator in parser.cpp. A remote attacker can send a specially crafted sass file, trigger memory corruption and cause the service to crash.

2) Stack-based buffer overflow (CVE-ID: CVE-2018-19838)

The vulnerability allows a remote attacker to cause DoS condition.

The vulnerability exists due to stack-based buffer overflow in functions inside ast.cpp for IMPLEMENT_AST_OPERATORS expansion, as demonstrated by recursive calls involving clone(), cloneChildren(), and copy(). A remote attacker can send a specially crafted sass file, trigger memory corruption and cause the service to crash.

3) Heap-based buffer over-read (CVE-ID: CVE-2018-19839)

The vulnerability allows a remote attacker to cause DoS condition.

The vulnerability exists due to heap-based buffer over-read in the function handle_error in sass_context.cpp. A remote attacker can send a specially crafted sass file, trigger memory corruption and cause the service to crash.

4) NULL pointer dereference (CVE-ID: CVE-2018-20190)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a NULL pointer dereference error in the function Sass::Eval::operator()(Sass::Supports_Operator*) in eval.cpp. A remote attacker can trick the victim into opening a specially crafted sass input file and perform a denial of service (DoS) attack.

Remediation

Install update from vendor's website.

References

• https://github.com/sass/libsass/issues/2659
• https://github.com/sass/libsass/issues/2660
• https://github.com/sass/libsass/issues/2657
• https://github.com/sass/libsass/issues/2786