Hi, during the BSP in Gothenburg last weekend I discussed with Jonas how I could help to put libsass back on track regarding its security status. We agreed that the best move is to start with triaging the existing Debian bugs and by identifying the CVE status in upstream's issue tracker. [0]
Unfortunately upstream does not actively track CVE numbers. After Anthony Fok asked them about it in mid 2018 [1], they replied that CVE numbers are only tracked if bug reporters add the CVE numbers themselves, which several bug reporters have started to do since then. As a result, CVE tracking on upstream's issue tracker seems to have improved since mid 2018, but there is no guarantee that this will persist, so manual vigilance is still required. ;)

Also, for older CVEs this info does not seem to be available in upstream's issue tracker, and occasionally bug status information can fall through the cracks during merges, see e.g., #2814 (CVE-2019-6283), #2815 (CVE-2019-6286) and #2816 (CVE-2019-6284): the git log in the master branch only specifies that #2814 was fixed, but pull request #2857 specifies that the same commit also fixed #2815 and #2816. [2]

I started by cross-referencing the CVEs (which are explicitly mentioned in upstream's issue tracker) with upstream fixes:

|----------------+----------------+--------------------------|
| CVE            | Upstream bug # | Fixed in upstream commit |
|----------------+----------------+--------------------------|
| CVE-2019-6284  | #2816          | 8e681e2                  |
| CVE-2019-6286  | #2815          | 8e681e2                  |
| CVE-2019-6283  | #2814          | 8e681e2                  |
| CVE-2018-19827 | #2782          | b21fb9f                  |
| CVE-2018-19797 | #2779          | e94b5f9                  |
| CVE-2018-11499 | #2643          | 930857c                  |
|----------------+----------------+--------------------------|

As mentioned, this only covers recent CVEs, and there is still a lot of manual triaging needed. Several of the older CVEs seem to have been fixed "silently" (without explicitly referring to the CVEs), but that remains to be confirmed. I will try to cross-reference all known CVEs with upstream issues on github, so we can track if upstream fixed them already and when. This is obviously only the first step, but with that information we can try to identify which CVEs are still relevant for Debian, and which fixes need to be backported. Over time, we should be able to get this package back in shape. :)

Kind regards,
Aljoscha

[0] https://github.com/sass/libsass/issues?q=is%3Aissue+cve+is%3Aclosed
[1] https://github.com/sass/libsass/issues/2682
[2] https://github.com/sass/libsass/pull/2857
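The next step the mail describes, deciding which of these fixes a given libsass release already contains and which still need a backport, is mechanical once the CVE-to-commit table exists. The following script is an added example, not part of Aljoscha's mail or of the libsass or Debian packaging code: it parses the table above and asks git (`git merge-base --is-ancestor`) whether each fix commit is reachable from a release tag in a local clone of https://github.com/sass/libsass. The repository path and tag are assumed command-line arguments; the commit hashes are the abbreviated upstream hashes from the table.

```python
"""Cross-reference the CVE/commit table from the mail with a libsass checkout
and report which fixes a release tag already contains.

Added example, not part of the original mail. Assumes a local clone of
https://github.com/sass/libsass; the table is copied from the mail.
"""
import subprocess
from typing import Callable, Dict, List, Tuple

# The table from the mail: CVE, upstream bug number, abbreviated fix commit.
CVE_TABLE = """\
|----------------+----------------+--------------------------|
| CVE            | Upstream bug # | Fixed in upstream commit |
|----------------+----------------+--------------------------|
| CVE-2019-6284  | #2816          | 8e681e2                  |
| CVE-2019-6286  | #2815          | 8e681e2                  |
| CVE-2019-6283  | #2814          | 8e681e2                  |
| CVE-2018-19827 | #2782          | b21fb9f                  |
| CVE-2018-19797 | #2779          | e94b5f9                  |
| CVE-2018-11499 | #2643          | 930857c                  |
|----------------+----------------+--------------------------|
"""


def parse_table(text: str) -> List[Tuple[str, str, str]]:
    """Return (cve, bug, commit) rows from the pipe table, skipping the
    rule lines ("|---") and the header row."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("|") or line.startswith("|-"):
            continue
        cells = [c.strip() for c in line.strip("|").split("|")]
        if len(cells) != 3 or cells[0] == "CVE":
            continue
        rows.append((cells[0], cells[1], cells[2]))
    return rows


def git_is_ancestor(repo: str) -> Callable[[str, str], bool]:
    """Build a predicate answering "is `commit` reachable from `ref`?" for
    the clone at `repo`, i.e. whether that release contains the fix."""
    def contains(commit: str, ref: str) -> bool:
        result = subprocess.run(
            ["git", "-C", repo, "merge-base", "--is-ancestor", commit, ref],
            capture_output=True, text=True,
        )
        # 0 = ancestor, 1 = not an ancestor. Anything else (typically 128)
        # means the hash or tag did not resolve; surface that instead of
        # silently reporting the CVE as unfixed.
        if result.returncode not in (0, 1):
            raise RuntimeError(f"git could not resolve {commit}/{ref}: "
                               f"{result.stderr.strip()}")
        return result.returncode == 0
    return contains


def triage(rows: List[Tuple[str, str, str]], ref: str,
           contains: Callable[[str, str], bool]) -> Dict[str, List[str]]:
    """Split the CVEs into those whose fix is in `ref` and those still
    needing a backport. One commit can close several CVEs (8e681e2 closes
    three), so git is consulted once per distinct commit."""
    cache: Dict[str, bool] = {}
    report: Dict[str, List[str]] = {"fixed": [], "open": []}
    for cve, _bug, commit in rows:
        if commit not in cache:
            cache[commit] = contains(commit, ref)
        report["fixed" if cache[commit] else "open"].append(cve)
    return report


if __name__ == "__main__":
    import sys
    # Usage: python triage.py /path/to/libsass <release-tag>
    repo_path, release = sys.argv[1], sys.argv[2]
    result = triage(parse_table(CVE_TABLE), release, git_is_ancestor(repo_path))
    for status, cves in result.items():
        print(f"{status}: {', '.join(cves) or '-'}")
```

The git predicate is injected into `triage` so the classification logic can be exercised without a checkout, and an unresolvable abbreviated hash is reported as an error rather than counted as "open", since a rewritten or garbage-collected commit would otherwise look like a missing fix.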