libsass-3_6_5-1-3.6.5-1.2 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2024:10988-1 Final 1 1 2024-06-15T00:00:00Z current 2024-06-15T00:00:00Z 2024-06-15T00:00:00Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z libsass-3_6_5-1-3.6.5-1.2 on GA media These are all security issues fixed in the libsass-3_6_5-1-3.6.5-1.2 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2024-10988 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2018-11499/ SUSE CVE CVE-2018-11499 page https://www.suse.com/security/cve/CVE-2018-19797/ SUSE CVE CVE-2018-19797 page https://www.suse.com/security/cve/CVE-2018-19827/ SUSE CVE CVE-2018-19827 page https://www.suse.com/security/cve/CVE-2018-19837/ SUSE CVE CVE-2018-19837 page https://www.suse.com/security/cve/CVE-2018-19838/ SUSE CVE CVE-2018-19838 page https://www.suse.com/security/cve/CVE-2018-19839/ SUSE CVE CVE-2018-19839 page https://www.suse.com/security/cve/CVE-2018-20190/ SUSE CVE CVE-2018-20190 page https://www.suse.com/security/cve/CVE-2018-20821/ SUSE CVE CVE-2018-20821 page https://www.suse.com/security/cve/CVE-2018-20822/ SUSE CVE CVE-2018-20822 page https://www.suse.com/security/cve/CVE-2019-6283/ SUSE CVE CVE-2019-6283 page https://www.suse.com/security/cve/CVE-2019-6284/ SUSE CVE CVE-2019-6284 page https://www.suse.com/security/cve/CVE-2019-6286/ SUSE CVE CVE-2019-6286 page openSUSE Tumbleweed libsass-3_6_5-1-3.6.5-1.2 libsass-devel-3.6.5-1.2 libsass-3_6_5-1-3.6.5-1.2 as a component of openSUSE Tumbleweed libsass-devel-3.6.5-1.2 as a component of openSUSE Tumbleweed A use-after-free vulnerability exists in handle_error() in sass_context.cpp in LibSass 3.4.x and 3.5.x through 3.5.4 that could be leveraged to cause a denial of service (application crash) or possibly unspecified other impact. CVE-2018-11499 openSUSE Tumbleweed:libsass-3_6_5-1-3.6.5-1.2 openSUSE Tumbleweed:libsass-devel-3.6.5-1.2 critical 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2018-11499.html CVE-2018-11499 https://bugzilla.suse.com/1096894 SUSE Bug 1096894 In LibSass 3.5.5, a NULL Pointer Dereference in the function Sass::Selector_List::populate_extends in SharedPtr.hpp (used by ast.cpp and ast_selectors.cpp) may cause a Denial of Service (application crash) via a crafted sass input file. CVE-2018-19797 openSUSE Tumbleweed:libsass-3_6_5-1-3.6.5-1.2 openSUSE Tumbleweed:libsass-devel-3.6.5-1.2 moderate 4.3 AV:N/AC:M/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2018-19797.html CVE-2018-19797 https://bugzilla.suse.com/1118301 SUSE Bug 1118301 In LibSass 3.5.5, a use-after-free vulnerability exists in the SharedPtr class in SharedPtr.cpp (or SharedPtr.hpp) that may cause a denial of service (application crash) or possibly have unspecified other impact. CVE-2018-19827 openSUSE Tumbleweed:libsass-3_6_5-1-3.6.5-1.2 openSUSE Tumbleweed:libsass-devel-3.6.5-1.2 important 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2018-19827.html CVE-2018-19827 https://bugzilla.suse.com/1118346 SUSE Bug 1118346 In LibSass prior to 3.5.5, Sass::Eval::operator()(Sass::Binary_Expression*) inside eval.cpp allows attackers to cause a denial-of-service resulting from stack consumption via a crafted sass file, because of certain incorrect parsing of '%' as a modulo operator in parser.cpp. CVE-2018-19837 openSUSE Tumbleweed:libsass-3_6_5-1-3.6.5-1.2 openSUSE Tumbleweed:libsass-devel-3.6.5-1.2 moderate 4.3 AV:N/AC:M/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2018-19837.html CVE-2018-19837 https://bugzilla.suse.com/1118348 SUSE Bug 1118348 In LibSass prior to 3.5.5, functions inside ast.cpp for IMPLEMENT_AST_OPERATORS expansion allow attackers to cause a denial-of-service resulting from stack consumption via a crafted sass file, as demonstrated by recursive calls involving clone(), cloneChildren(), and copy(). CVE-2018-19838 openSUSE Tumbleweed:libsass-3_6_5-1-3.6.5-1.2 openSUSE Tumbleweed:libsass-devel-3.6.5-1.2 moderate 4.3 AV:N/AC:M/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2018-19838.html CVE-2018-19838 https://bugzilla.suse.com/1118349 SUSE Bug 1118349 In LibSass prior to 3.5.5, the function handle_error in sass_context.cpp allows attackers to cause a denial-of-service resulting from a heap-based buffer over-read via a crafted sass file. CVE-2018-19839 openSUSE Tumbleweed:libsass-3_6_5-1-3.6.5-1.2 openSUSE Tumbleweed:libsass-devel-3.6.5-1.2 moderate 4.3 AV:N/AC:M/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2018-19839.html CVE-2018-19839 https://bugzilla.suse.com/1118351 SUSE Bug 1118351 In LibSass 3.5.5, a NULL Pointer Dereference in the function Sass::Eval::operator()(Sass::Supports_Operator*) in eval.cpp may cause a Denial of Service (application crash) via a crafted sass input file. CVE-2018-20190 openSUSE Tumbleweed:libsass-3_6_5-1-3.6.5-1.2 openSUSE Tumbleweed:libsass-devel-3.6.5-1.2 moderate 4.3 AV:N/AC:M/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2018-20190.html CVE-2018-20190 https://bugzilla.suse.com/1119789 SUSE Bug 1119789 The parsing component in LibSass through 3.5.5 allows attackers to cause a denial-of-service (uncontrolled recursion in Sass::Parser::parse_css_variable_value in parser.cpp). CVE-2018-20821 openSUSE Tumbleweed:libsass-3_6_5-1-3.6.5-1.2 openSUSE Tumbleweed:libsass-devel-3.6.5-1.2 moderate 4.3 AV:N/AC:M/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2018-20821.html CVE-2018-20821 https://bugzilla.suse.com/1133200 SUSE Bug 1133200 LibSass 3.5.4 allows attackers to cause a denial-of-service (uncontrolled recursion in Sass::Complex_Selector::perform in ast.hpp and Sass::Inspect::operator in inspect.cpp). CVE-2018-20822 openSUSE Tumbleweed:libsass-3_6_5-1-3.6.5-1.2 openSUSE Tumbleweed:libsass-devel-3.6.5-1.2 moderate 4.3 AV:N/AC:M/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2018-20822.html CVE-2018-20822 https://bugzilla.suse.com/1133201 SUSE Bug 1133201 In LibSass 3.5.5, a heap-based buffer over-read exists in Sass::Prelexer::parenthese_scope in prelexer.hpp. CVE-2019-6283 openSUSE Tumbleweed:libsass-3_6_5-1-3.6.5-1.2 openSUSE Tumbleweed:libsass-devel-3.6.5-1.2 moderate 4.3 AV:N/AC:M/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2019-6283.html CVE-2019-6283 https://bugzilla.suse.com/1121943 SUSE Bug 1121943 In LibSass 3.5.5, a heap-based buffer over-read exists in Sass::Prelexer::alternatives in prelexer.hpp. CVE-2019-6284 openSUSE Tumbleweed:libsass-3_6_5-1-3.6.5-1.2 openSUSE Tumbleweed:libsass-devel-3.6.5-1.2 moderate 4.3 AV:N/AC:M/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2019-6284.html CVE-2019-6284 https://bugzilla.suse.com/1121944 SUSE Bug 1121944 In LibSass 3.5.5, a heap-based buffer over-read exists in Sass::Prelexer::skip_over_scopes in prelexer.hpp when called from Sass::Parser::parse_import(), a similar issue to CVE-2018-11693. CVE-2019-6286 openSUSE Tumbleweed:libsass-3_6_5-1-3.6.5-1.2 openSUSE Tumbleweed:libsass-devel-3.6.5-1.2 moderate 4.3 AV:N/AC:M/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2019-6286.html CVE-2019-6286 https://bugzilla.suse.com/1121945 SUSE Bug 1121945