The parsing component in LibSass through 3.5.5 allows attackers to cause a denial-of-service (uncontrolled recursion in Sass::Parser::parse_css_variable_value in parser.cpp). Reference: https://github.com/sass/libsass/issues/2658
Created libsass tracking bugs for this issue: Affects: fedora-all [bug 1706051]
Created libsass tracking bugs for this issue: Affects: epel-7 [bug 1706052]
First vulnerable commit: https://github.com/sass/libsass/commit/efd97dae376de50b3e6ed724337c4f274a21491d
Upstream patch: https://github.com/sass/libsass/commit/f2db04883e5fff4e03777dcc1eb60d4373c45be1
Statement: This issue did not affect the versions of libsass as shipped with Red Hat Enterprise Linux 8, as the flaw was introduced in a newer version of the library.