Bug 1474937 (CVE-2017-11554, CVE-2017-11555, CVE-2017-11556, CVE-2017-11605, CVE-2017-11608, CVE-2017-12962, CVE-2017-12963, CVE-2017-12964)

Summary: CVE-2017-11554 CVE-2017-11555 CVE-2017-11556 CVE-2017-11605 CVE-2017-11608 CVE-2017-12962 CVE-2017-12963 CVE-2017-12964 libsass: Multiple vulnerabilities
Product: [Other] Security Response Reporter: Andrej Nemec <anemec>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: aurelien
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2021-10-21 11:55:04 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1471780, 1471782, 1471786, 1474019, 1474276, 1474938    
Bug Blocks:    

Description Andrej Nemec 2017-07-25 16:13:38 UTC 
Multiple security issues were found in libsass.

CVE-2017-11554

There is a stack consumption vulnerability in the lex function in parser.hpp (as used in sassc) in LibSass 3.4.5. A crafted input will lead to a remote denial of service.

https://bugzilla.redhat.com/show_bug.cgi?id=1471780
https://github.com/sass/libsass/issues/2445

CVE-2017-11555

There is an illegal address access in the Eval::operator function in eval.cpp in LibSass 3.4.5. A crafted input will lead to a remote denial of service.

https://bugzilla.redhat.com/show_bug.cgi?id=1471782

CVE-2017-11556

There is a stack consumption vulnerability in the Parser::advanceToNextToken function in parser.cpp in LibSass 3.4.5. A crafted input may lead to remote denial of service.

https://bugzilla.redhat.com/show_bug.cgi?id=1471786

CVE-2017-11605

There is a heap based buffer over-read in LibSass 3.4.5, related to address 0xb4803ea1. A crafted input will lead to a remote denial of service attack.

https://bugzilla.redhat.com/show_bug.cgi?id=1474019
Comment 1 Andrej Nemec 2017-07-25 16:15:00 UTC 
Created libsass tracking bugs for this issue:

Affects: epel-7 [bug 1474938]
Comment 2 Andrej Nemec 2017-07-25 16:18:47 UTC 
CVE-2017-11608

There is a heap-based buffer over-read in the Sass::Prelexer::re_linebreak function in lexer.cpp in LibSass 3.4.5. A crafted input will lead to a remote denial of service attack.

https://bugzilla.redhat.com/show_bug.cgi?id=1474276
Comment 3 Andrej Nemec 2017-08-31 12:56:42 UTC 
CVE-2017-12962

There are memory leaks in LibSass 3.4.5 triggered by deeply nested
code, such as code with a long sequence of open parenthesis characters,
leading to a remote denial of service attack.

https://bugzilla.redhat.com/show_bug.cgi?id=1482331

CVE-2017-12963

There is an illegal address access in Sass::Eval::operator() in
eval.cpp of LibSass 3.4.5, leading to a remote denial of service
attack. NOTE: this is similar to CVE-2017-11555 but remains exploitable
after the vendor's CVE-2017-11555 fix (available from GitHub after
2017-07-24).

https://bugzilla.redhat.com/show_bug.cgi?id=1482335

CVE-2017-12964

There is a stack consumption issue in LibSass 3.4.5 that is triggered
in the function Sass::Eval::operator() in eval.cpp. It will lead to a
remote denial of service attack.

https://bugzilla.redhat.com/show_bug.cgi?id=1482397