Bug 1156132 (CVE-2019-18798) - VUL-1: CVE-2019-18798: libsass: heap-based buffer over-read in Sass:weaveParents in ast_sel_weave.cpp
Status: RESOLVED INVALID
Alias: CVE-2019-18798
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Importance: P4 - Low : Minor
Target Milestone: unspecified
Assignee: Cédric Bosdonnat
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/246639/
Whiteboard: CVSSv2:NVD:CVE-2019-18798:4.3:(AV:N/...
Reported: 2019-11-07 09:45 UTC by Wolfgang Frisch
Modified: 2024-05-29 16:52 UTC
Found By: Security Response Team

Description Wolfgang Frisch 2019-11-07 09:45:21 UTC
CVE-2019-18798

LibSass before 3.6.3 allows a heap-based buffer over-read in Sass::weaveParents
in ast_sel_weave.cpp.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-18798
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18798
https://github.com/sass/libsass/issues/2999

Comment 1 Alexandros Toptsoglou 2021-01-28 16:12:03 UTC
SLE 15-SP2 and Leap 15.2 (inherited by the former) are tracked as affected.

Comment 2 Camila Camargo de Matos 2024-05-29 16:48:41 UTC
This issue seems to be fixed at version 3.6.3. All affected and currently supported codestreams include libsass at a version higher than 3.6.3.

Comment 3 Camila Camargo de Matos 2024-05-29 16:52:39 UTC
I will be closing this bug as there are no libsass packages affected by this issue.