Skip to content
This repository has been archived by the owner on Jul 24, 2024. It is now read-only.

Whitesource scan detected security vulnerability in Libsass < 3.5.5 #2720

Closed
joginds4 opened this issue Aug 21, 2019 · 2 comments
Closed

Whitesource scan detected security vulnerability in Libsass < 3.5.5 #2720

joginds4 opened this issue Aug 21, 2019 · 2 comments

Comments

@joginds4
Copy link

Hi Node-Sass team,

Whitesource (Opensource) scan detected security vulnerability on Libsass < 3.5.5 which is being pushed by node-sass v4.12.0. Here are the details:

  • NPM version (npm -v): 5.6.0
  • Node version (node -v): 8.9.4
  • Node Process (node -p process.versions):{ http_parser: '2.7.0', node: '8.9.4', v8: '6.1.534.50',
    uv: '1.15.0', zlib: '1.2.11', ares: '1.10.1-DEV', modules: '57', nghttp2: '1.25.0', openssl: '1.0.2n', icu: '59.1', unicode: '9.0', cldr: '31.0.1', tz: '2017b' }
  • Node Platform (node -p process.platform): win32 (dev), linux (prod)
  • Node architecture (node -p process.arch): x64
  • node-sass version (node -p "require('node-sass').info"):
    node-sass 4.12.0 (Wrapper) [JavaScript]
    libsass 3.5.4 (Sass Compiler) [C/C++]
  • npm node-sass versions (npm ls node-sass): -- node-sass@4.12.0

### Vulnerability details:

Name: CVE-2018-11499
Description: A use-after-free vulnerability exists in handle_error() in sass_context.cpp in LibSass 3.4.x and 3.5.x through 3.5.4 that could be leveraged to cause a denial of service (application crash) or possibly unspecified other impact.
Publish date: 2018-05-26
URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11499

Can anyone plz resolve this issue and publish is new node-sass version containing upgraded package of Libsass i.e. greater than or equals to 3.5.5.?

Regards,
Joginder

@sass sass deleted a comment from meetdheeraj Aug 28, 2019
@danielgefen
Copy link

Whitesource recommended upgrading LibSass to 3.6.0 due the following vulnerabilities that were fixed:
sass/libsass#2656
sass/libsass#2781
sass/libsass#2658
sass/libsass#2643
sass/libsass#2786

Could you please update node-sass and support LibSass 3.6.0?

@nschonni
Copy link
Contributor

nschonni commented Oct 5, 2019

Bumping it is already tracked in #2685

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
None yet
Projects
None yet
Development

No branches or pull requests

3 participants