Fix most urgent issues in 2023 #3184

Merged: 1 commit merged into sass:master on Dec 21, 2023
Conversation

@mgreter (Contributor) commented Dec 15, 2023

  • Fix recursion when resolving parents
  • Fix potential memory leak in sass_not
  • Fix potential NPE in selector list inspector

@mgreter (Contributor, Author) commented Dec 15, 2023

FWIW sass-spec has diverted too much to still support LibSass CI/CD.
Tested via perl-libsass, and didn't see any regressions there.

@connorskees commented Dec 15, 2023

This is tangential, but if you're merging changes into libsass, is there any chance sass/sassc#268 could be merged? I'm not sure how one can build sassc in a script without this change applied.

@mgreter (Contributor, Author) commented Dec 15, 2023

> This is tangential, but if you're merging changes into libsass, is there any chance sass/sassc#268 could be merged? I'm not sure how one can build sassc in a script without this change applied.

Check https://github.com/sass/libsass/blob/master/docs/build.md
E.g. SASS_LIBSASS_PATH=/foo/bar/libsass make ... (AFAIR).

Edit: by default sassc expects libsass in its parent directory, e.g.

# ls libsass
./sass-spec
./sassc
...

@jubalh commented Dec 15, 2023

I ran these changes against PoCs for: CVE-2022-43357, CVE-2022-43358 and CVE-2022-26592. All of these issues are fixed. Thanks @mgreter!

@mgreter mgreter merged commit 7037f03 into sass:master Dec 21, 2023
0 of 26 checks passed
@mgreter (Contributor, Author) commented Dec 22, 2023

FWIW Added MSI installers to the 3.6.6 release after some hassle; plugins still seem to work ;)

math{ sin42: sin(42); }


kraj pushed a commit to YoeDistro/meta-openembedded that referenced this pull request Dec 20, 2024
This CVE is fixed in the current libsass recipe version.
So the wrapper around it will also not show this problem.
Its usual use case is to be statically linked with libsass, which is
probably the reason why this is listed as a vulnerable component.

[1] links [2] as issue tracker which points to [3] as fix.
[4] as base repository for the recipe is not involved and files from [3]
    are not present in this repository.

[1] https://nvd.nist.gov/vuln/detail/CVE-2022-43357
[2] sass/libsass#3177
[3] sass/libsass#3184
[4] https://github.com/sass/sassc/

Signed-off-by: Peter Marko <[email protected]>
Signed-off-by: Khem Raj <[email protected]>
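The build comment from mgreter above and the commit message just above make the same practical point from two sides: sassc is normally built by pointing its Makefile at a libsass checkout (SASS_LIBSASS_PATH, or the sibling ../libsass directory by default), and because libsass is then statically linked into the sassc binary, the only reliable way to know whether a given sassc carries this fix is to check which libsass it embeds. The following POSIX sh script is an added example, not sassc or libsass project code: it builds sassc against an explicit libsass checkout and then confirms from `sassc --version` that the embedded libsass is at least 3.6.6, the release mgreter mentions above as following this PR. The `bin/sassc` output path, the `include/sass.h` presence check and the `libsass: X.Y.Z` line format of `--version` output are assumptions.

```shell
#!/bin/sh
# Added example, not sassc/libsass project code. Builds sassc against an
# explicit libsass checkout (SASS_LIBSASS_PATH, as named in the comment above)
# and verifies that the statically linked libsass is at least the version that
# carries the fix. Assumptions: libsass ships include/sass.h, sassc's Makefile
# leaves the binary at bin/sassc, and `sassc --version` prints a line of the
# form "libsass: X.Y.Z".
set -eu

# Read `sassc --version` output on stdin and print only the libsass version.
libsass_version_from() {
    sed -n 's/^libsass:[[:space:]]*\([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# Succeed (return 0) when dotted version $1 is >= $2, comparing component-wise
# as integers so that 3.10 sorts after 3.9 and 3.6 equals 3.6.0.
version_ge() {
    a=$1
    b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}
        y=${b%%.*}
        if [ "${x:-0}" -gt "${y:-0}" ]; then return 0; fi
        if [ "${x:-0}" -lt "${y:-0}" ]; then return 1; fi
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 0
}

# Build sassc in $2 (default ./sassc) against the libsass checkout in $1, then
# check that the resulting binary reports libsass >= $3 (default 3.6.6).
build_and_check() {
    libsass=$1
    sassc=${2:-./sassc}
    want=${3:-3.6.6}
    if [ ! -f "$libsass/include/sass.h" ]; then
        echo "no libsass checkout at $libsass" >&2
        return 1
    fi
    # Passing SASS_LIBSASS_PATH on the make command line overrides the
    # Makefile's default of ../libsass (assumed variable name, see lead-in).
    make -C "$sassc" SASS_LIBSASS_PATH="$(cd "$libsass" && pwd)"
    got=$("$sassc/bin/sassc" --version | libsass_version_from)
    if [ -z "$got" ]; then
        echo "could not read a libsass version from sassc --version" >&2
        return 1
    fi
    if version_ge "$got" "$want"; then
        echo "ok: sassc is linked against libsass $got (>= $want)"
    else
        echo "FAIL: sassc is linked against libsass $got (< $want)" >&2
        return 1
    fi
}

# Usage: sh build_check.sh build /path/to/libsass [/path/to/sassc] [min-version]
# With no arguments the script only defines the functions above.
if [ "${1:-}" = "build" ]; then
    shift
    build_and_check "$@"
fi
```

The same `sassc --version` check is what a distribution or SCA triage should run on an already-packaged sassc before deciding whether CVE-2022-43357 applies: the sassc repository itself contains none of the fixed files, so a version comparison on the sassc package alone says nothing, while the embedded libsass version does.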
kraj pushed a commit to YoeDistro/meta-openembedded that referenced this pull request Dec 21, 2024
daregit pushed a commit to daregit/yocto-combined that referenced this pull request Dec 21, 2024
daregit pushed a commit to daregit/yocto-combined that referenced this pull request Dec 22, 2024