Bug#870186: [Pkg-sass-devel] Bug#870186: libsass: CVE-2017-11608

2019-03-11 Thread Salvatore Bonaccorso 
Control: fixed -1 3.4.6-1

Hi,

On Mon, Mar 11, 2019 at 01:49:36PM +0100, Jonas Smedegaard wrote:
> Quoting Jonas Smedegaard (2019-03-11 13:43:41)
> > POC on Debian stretch with libsass1 3.4.3-1 and sassc 3.4.2-1:
> > 
> > Error: Invalid UTF-8 sequence
> > on line 1 of /attachment.cgi?id=1303540
> > >> "�d\
> >-^
> 
> Correction: Aboce was with libsass1 3.5.5-2 and sassc 3.5.0-1.

Did you build with ASAN to verify?

The issue should be fixed with
https://github.com/sass/libsass/commit/648f763ede97f9a2c2c843a0a18ac18bbde3507b
which was in 3.4.6 (so indeed the issue does not affect anymore
sid/buster which included the above commit with the 3.4.6-1 upload).

Regards,
Salvatore

Bug#870186: [Pkg-sass-devel] Bug#870186: libsass: CVE-2017-11608

2019-03-11 Thread Jonas Smedegaard 
Quoting Jonas Smedegaard (2019-03-11 13:43:41)
> POC on Debian stretch with libsass1 3.4.3-1 and sassc 3.4.2-1:
> 
> Error: Invalid UTF-8 sequence
> on line 1 of /attachment.cgi?id=1303540
> >> "�d\
>-^

Correction: Aboce was with libsass1 3.5.5-2 and sassc 3.5.0-1.

 - Jonas

-- 
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private


signature.asc
Description: signature