Headline
CVE-2022-43357: A stack-overflow src/ast_selectors.cpp:557 in Sass::CompoundSelector::has_real_parent_ref() const · Issue #3177 · sass/libsass
Stack overflow vulnerability in ast_selectors.cpp in function Sass::CompoundSelector::has_real_parent_ref in libsass:3.6.5-8-g210218, which can be exploited by attackers to cause a denial of service (DoS). Also affects the command line driver for libsass, sassc 3.6.2.
**1. Description**

A stack overflow occurred in Sass::CompoundSelector::has_real_parent_ref() at src/ast_selectors.cpp:557 when running the program ./sassc/bin/sassc; this can be reproduced on the latest commit.
**2. Software version info**

$ git log -1
commit 2102188d21d2b7577c2b3edb12832e90786a2831 (HEAD -> master, origin/master, origin/HEAD)
Merge: 006bbf5c f0605a31
Author: Marcel Greter <[email protected]>
Date:   Fri Sep 9 20:41:03 2022 +0200

    Merge pull request #3176 from LilyWangLL/vcpkg-instructions

    Add vcpkg installation instructions

$ ./sassc/bin/sassc --version
sassc: 3.6.2
libsass: 3.6.5-8-g210218
sass2scss: 1.1.1
sass: 3.5
**3. System version info**

Ubuntu 20.04.2 LTS
Linux 5.4.0-65-generic
**4. Command**

**5. Result**
AddressSanitizer:DEADLYSIGNAL
==3151197==ERROR: AddressSanitizer: stack-overflow on address 0x7ffe016a7ff8 (pc 0x000000b9c0f5 bp 0x0c1a00000ab2 sp 0x7ffe016a8000 T0)
    #0 0xb9c0f4 in Sass::CompoundSelector::has_real_parent_ref() const src/ast_selectors.cpp:557
    #1 0xb92ed5 in Sass::ComplexSelector::has_real_parent_ref() const src/ast_selectors.cpp:474
    #2 0xb92ed5 in Sass::SelectorList::has_real_parent_ref() const src/ast_selectors.cpp:365
    #3 0xb929f8 in Sass::PseudoSelector::has_real_parent_ref() const src/ast_selectors.cpp:337
    #4 0xb9c217 in Sass::CompoundSelector::has_real_parent_ref() const src/ast_selectors.cpp:564
    #5 0xb92ed5 in Sass::ComplexSelector::has_real_parent_ref() const src/ast_selectors.cpp:474
    #6 0xb92ed5 in Sass::SelectorList::has_real_parent_ref() const src/ast_selectors.cpp:365
    #7 0xb929f8 in Sass::PseudoSelector::has_real_parent_ref() const src/ast_selectors.cpp:337
    #8 0xb9c217 in Sass::CompoundSelector::has_real_parent_ref() const src/ast_selectors.cpp:564
    #9 0xb92ed5 in Sass::ComplexSelector::has_real_parent_ref() const src/ast_selectors.cpp:474
    #10 0xb92ed5 in Sass::SelectorList::has_real_parent_ref() const src/ast_selectors.cpp:365
    #11 0xb929f8 in Sass::PseudoSelector::has_real_parent_ref() const src/ast_selectors.cpp:337
    #12 0xb9c217 in Sass::CompoundSelector::has_real_parent_ref() const src/ast_selectors.cpp:564
    …
    #323 0xb929f8 in Sass::PseudoSelector::has_real_parent_ref() const src/ast_selectors.cpp:337
    #324 0xb9c217 in Sass::CompoundSelector::has_real_parent_ref() const src/ast_selectors.cpp:564
    #325 0xb92ed5 in Sass::ComplexSelector::has_real_parent_ref() const src/ast_selectors.cpp:474
    #326 0xb92ed5 in Sass::SelectorList::has_real_parent_ref() const src/ast_selectors.cpp:365
    #327 0xb929f8 in Sass::PseudoSelector::has_real_parent_ref() const src/ast_selectors.cpp:337
    #328 0xb9c217 in Sass::CompoundSelector::has_real_parent_ref() const src/ast_selectors.cpp:564
    #329 0xb92ed5 in Sass::ComplexSelector::has_real_parent_ref() const src/ast_selectors.cpp:474
    #330 0xb92ed5 in Sass::SelectorList::has_real_parent_ref() const src/ast_selectors.cpp:365
    #331 0xb929f8 in Sass::PseudoSelector::has_real_parent_ref() const src/ast_selectors.cpp:337

SUMMARY: AddressSanitizer: stack-overflow src/ast_selectors.cpp:557 in Sass::CompoundSelector::has_real_parent_ref() const
==3151197==ABORTING
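The trace above repeats one four-frame cycle (CompoundSelector -> PseudoSelector -> SelectorList -> ComplexSelector -> CompoundSelector) until the stack is exhausted, which is the signature of an unbounded recursive AST walk driven by input nesting depth. The following is an added example, not libsass's code: a minimal selector tree whose recursive `has_real_parent_ref()` mirrors that cycle, with a depth guard so that pathologically nested input produces a controlled error instead of a stack overflow. The node types, `kMaxSelectorDepth`, `check_depth`, `nest` and `safe_has_parent_ref` are all assumptions of this example.

```cpp
// Added example (not libsass code): a toy selector AST with a depth-guarded
// recursive walk. The recursion shape Compound -> Pseudo -> List -> Complex
// -> Compound mirrors the cycle in the ASan trace.
#include <iostream>
#include <memory>
#include <stdexcept>
#include <vector>

namespace demo {

// Hypothetical limit; a real parser would pick a value well below its
// stack budget (the trace shows ~330 frames before the 8 MiB default ran out).
constexpr int kMaxSelectorDepth = 512;

struct Node {
  virtual ~Node() = default;
  // `depth` is the current recursion depth; callers start at 0.
  virtual bool has_real_parent_ref(int depth) const = 0;
};
using NodePtr = std::shared_ptr<Node>;

// Throws instead of letting the walk nest deeper than the guard allows.
inline void check_depth(int depth) {
  if (depth > kMaxSelectorDepth) {
    throw std::runtime_error("selector nesting too deep");
  }
}

// Leaf: a plain simple selector such as ".a", or the parent reference "&".
struct SimpleSelector : Node {
  bool is_parent_ref;
  explicit SimpleSelector(bool parent_ref) : is_parent_ref(parent_ref) {}
  bool has_real_parent_ref(int) const override { return is_parent_ref; }
};

struct SelectorList;

// Pseudo selector with an optional selector argument, e.g. ":not(<list>)".
struct PseudoSelector : Node {
  std::shared_ptr<SelectorList> arg;
  bool has_real_parent_ref(int depth) const override;
};

struct CompoundSelector : Node {
  std::vector<NodePtr> parts;
  bool has_real_parent_ref(int depth) const override {
    check_depth(depth);
    for (const auto& p : parts)
      if (p->has_real_parent_ref(depth + 1)) return true;
    return false;
  }
};

struct ComplexSelector : Node {
  std::vector<NodePtr> compounds;
  bool has_real_parent_ref(int depth) const override {
    check_depth(depth);
    for (const auto& c : compounds)
      if (c->has_real_parent_ref(depth + 1)) return true;
    return false;
  }
};

struct SelectorList : Node {
  std::vector<NodePtr> complexes;
  bool has_real_parent_ref(int depth) const override {
    check_depth(depth);
    for (const auto& c : complexes)
      if (c->has_real_parent_ref(depth + 1)) return true;
    return false;
  }
};

inline bool PseudoSelector::has_real_parent_ref(int depth) const {
  check_depth(depth);
  return arg && arg->has_real_parent_ref(depth + 1);
}

// Constructed input: a compound wrapping `levels` nested :not(...) pseudos,
// each level adding four frames to the walk, with a leaf at the centre.
NodePtr nest(int levels, bool innermost_parent_ref) {
  NodePtr inner = std::make_shared<SimpleSelector>(innermost_parent_ref);
  for (int i = 0; i < levels; ++i) {
    auto list = std::make_shared<SelectorList>();
    auto cplx = std::make_shared<ComplexSelector>();
    auto comp = std::make_shared<CompoundSelector>();
    comp->parts.push_back(inner);
    cplx->compounds.push_back(comp);
    list->complexes.push_back(cplx);
    auto pseudo = std::make_shared<PseudoSelector>();
    pseudo->arg = list;
    inner = pseudo;
  }
  auto root = std::make_shared<CompoundSelector>();
  root->parts.push_back(inner);
  return root;
}

// 1 = parent ref found, 0 = none, -1 = depth guard fired (input rejected).
int safe_has_parent_ref(const NodePtr& root) {
  try {
    return root->has_real_parent_ref(0) ? 1 : 0;
  } catch (const std::runtime_error&) {
    return -1;
  }
}

}  // namespace demo

int main() {
  std::cout << "shallow, with &:   " << demo::safe_has_parent_ref(demo::nest(10, true)) << "\n";
  std::cout << "shallow, without:  " << demo::safe_has_parent_ref(demo::nest(10, false)) << "\n";
  std::cout << "deep (rejected):   " << demo::safe_has_parent_ref(demo::nest(200, true)) << "\n";
  return 0;
}
```

The guard turns the failure mode from a crash of the whole process into an error the caller can report (or treat as a parse rejection); the same bound can equally be enforced once in the parser, which keeps the depth check out of every recursive visitor.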
**6. Impact**

This vulnerability is capable of crashing the software, bypassing protection mechanisms, modifying memory, and possibly remote execution.
**7. POC**
Download: poc2
Report of the Information Security Laboratory of Ocean University of China @OUC_ISLOUC @OUC_Blue_Whale