libsass triage

2 files changed, 14 insertions, 21 deletions

diff --git a/data/CVE/2017.list b/data/CVE/2017.list
index f976aaf924..de73047cc4 100644
--- a/data/CVE/2017.list
+++ b/data/CVE/2017.list
@@ -16940,16 +16940,11 @@ CVE-2017-12966 (The asn1f_lookup_symbol_impl function in asn1fix_retrieve.c in l
 CVE-2017-12965 (Session fixation vulnerability in Apache2Triad 1.5.4 allows remote att ...)
 	NOT-FOR-US: Apache2Triad
 CVE-2017-12964 (There is a stack consumption issue in LibSass 3.4.5 that is triggered  ...)
-	- libsass <undetermined> (low; bug #873034)
-	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1482397
+	NOTE: Bogus report against historic libsass version
 CVE-2017-12963 (There is an illegal address access in Sass::Eval::operator() in eval.c ...)
-	- libsass <undetermined> (low; bug #873034)
-	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1482335
-	NOTE: Similar issue to CVE-2017-11555 but for the issue which remains unfixed
-	NOTE: with the upstream patch for CVE-2017-11555.
+	NOTE: Bogus report against historic libsass version
 CVE-2017-12962 (There are memory leaks in LibSass 3.4.5 triggered by deeply nested cod ...)
-	- libsass <undetermined> (low; bug #873034)
-	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1482331
+	NOTE: Bogus report against historic libsass version
 CVE-2017-12961 (There is an assertion abort in the function parse_attributes() in data ...)
 	- pspp 1.0.1-1 (unimportant)
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1482436
@@ -20906,8 +20901,7 @@ CVE-2017-11607
 CVE-2017-11606
 	RESERVED
 CVE-2017-11605 (There is a heap based buffer over-read in LibSass 3.4.5, related to ad ...)
-	- libsass <undetermined> (bug #870184)
-	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1474019
+	NOTE: Bogus report against historic libsass version
 CVE-2017-11604
 	RESERVED
 CVE-2017-11603
@@ -21711,11 +21705,9 @@ CVE-2017-11343 (Due to an incomplete fix for CVE-2012-6125, all versions of CHIC
 	[wheezy] - chicken <no-dsa> (Minor issue)
 	NOTE: http://lists.nongnu.org/archive/html/chicken-announce/2017-07/msg00000.html
 CVE-2017-11342 (There is an illegal address access in ast.cpp of LibSass 3.4.5. A craf ...)
-	- libsass <undetermined> (bug #868577)
-	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1470722
+	NOTE: Bogus report against historic libsass version
 CVE-2017-11341 (There is a heap based buffer over-read in lexer.hpp of LibSass 3.4.5.  ...)
-	- libsass <undetermined> (bug #868577)
-	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1470714
+	NOTE: Bogus report against historic libsass version
 CVE-2017-11340 (There is a Segmentation fault in the XmpParser::terminate() function i ...)
 	- exiv2 <not-affected> (Vulnerable code introduced after 0.25; only affected experimental; bug #868578)
 	NOTE: https://github.com/Exiv2/exiv2/issues/53
@@ -23672,8 +23664,7 @@ CVE-2017-10688 (In LibTIFF 4.0.8, there is a assertion abort in the TIFFWriteDir
 	NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2712
 	NOTE: Fixed by: https://github.com/vadz/libtiff/commit/6173a57d39e04d68b139f8c1aa499a24dbe74ba1
 CVE-2017-10687 (In LibSass 3.4.5, there is a heap-based buffer over-read in the functi ...)
-	- libsass <undetermined> (low; bug #866672)
-	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1466411
+	NOTE: Bogus report against historic libsass version
 CVE-2017-10686 (In Netwide Assembler (NASM) 2.14rc0, there are multiple heap use after ...)
 	{DLA-1041-1}
 	- nasm 2.13.02-0.1 (bug #867988)
diff --git a/data/CVE/2018.list b/data/CVE/2018.list
index c2667d8b32..f43b2880f6 100644
--- a/data/CVE/2018.list
+++ b/data/CVE/2018.list
@@ -1036,7 +1036,7 @@ CVE-2018-20822 (LibSass 3.5.4 allows attackers to cause a denial-of-service (unc
 	NOTE: Possibly introduced after https://github.com/sass/libsass/commit/25c9b4952f5838b615da996035453967d0420f57 (3.4.7)
 	NOTE: Fixed in 3.6.1, but 3.6.3 first to land in unstable
 CVE-2018-20821 (The parsing component in LibSass through 3.5.5 allows attackers to cau ...)
-	- libsass <unfixed> (low)
+	- libsass 3.6.3-1 (low)
 	[buster] - libsass <no-dsa> (Minor issue)
 	[stretch] - libsass <not-affected> (Vulnerable code introduced later)
 	NOTE: https://github.com/sass/libsass/issues/2658
@@ -4332,10 +4332,11 @@ CVE-2018-19799 (Dolibarr ERP/CRM through 8.0.3 has /exports/export.php?datatoexp
 CVE-2018-19798 (Fleetco Fleet Maintenance Management (FMM) 1.2 and earlier allows uplo ...)
 	NOT-FOR-US: Fleetco Fleet Maintenance Management (FMM)
 CVE-2018-19797 (In LibSass 3.5.5, a NULL Pointer Dereference in the function Sass::Sel ...)
-	- libsass <unfixed>
+	- libsass 3.6.3-1
 	[buster] - libsass <no-dsa> (Minor issue)
 	[stretch] - libsass <no-dsa> (Minor issue)
 	NOTE: https://github.com/sass/libsass/issues/2779
+	NOTE: https://github.com/sass/libsass/commit/e94b5f91ec372a84be1f9c0da32cb6e0af0b99fe
 CVE-2018-19796 (An open redirect in the Ninja Forms plugin before 3.3.19.1 for WordPre ...)
 	NOT-FOR-US: Ninja Forms plugin for WordPress
 CVE-2018-19795 (ChipsBank UMPTool saves the password to the NAND with a simple substit ...)
@@ -25415,12 +25416,13 @@ CVE-2018-11700
 CVE-2018-11699
 	RESERVED
 CVE-2018-11698 (An issue was discovered in LibSass through 3.5.4. An out-of-bounds rea ...)
-	- libsass <unfixed>
+	- libsass 3.6.3-1
 	[buster] - libsass <no-dsa> (Minor issue)
 	[stretch] - libsass <no-dsa> (Minor issue)
 	NOTE: https://github.com/sass/libsass/issues/2662
+	NOTE: https://github.com/sass/libsass/commit/8f40dc03e5ab5a8b2ebeb72b31f8d1adbb2fd6ae
 CVE-2018-11697 (An issue was discovered in LibSass through 3.5.4. An out-of-bounds rea ...)
-	- libsass <unfixed>
+	- libsass 3.6.3-1
 	[buster] - libsass <no-dsa> (Minor issue)
 	[stretch] - libsass <no-dsa> (Minor issue)
 	NOTE: https://github.com/sass/libsass/issues/2656
@@ -25437,7 +25439,7 @@ CVE-2018-11695 (An issue was discovered in LibSass &lt;3.5.3. A NULL pointer der
 	NOTE: https://github.com/sass/libsass/commit/0bc35e3d26922229d5a3e3308860cf0fcee5d1cf (master)
 	NOTE: https://github.com/sass/libsass/commit/e3512120403dc7863a38bf2f122e7523593718ad (3.5.3)
 CVE-2018-11694 (An issue was discovered in LibSass through 3.5.4. A NULL pointer deref ...)
-	- libsass <unfixed> (low)
+	- libsass 3.6.3-1 (low)
 	[buster] - libsass <no-dsa> (Minor issue)
 	[stretch] - libsass <no-dsa> (Minor issue)
 	NOTE: https://github.com/sass/libsass/issues/2663