CVE-2022-43358: AddressSanitizer: stack-overflow src/ast_selectors.cpp:464 in Sass::ComplexSelector::has_placeholder() const · Issue #3178 · sass/libsass
Stack overflow vulnerability in ast_selectors.cpp: in function Sass::ComplexSelector::has_placeholder in libsass:3.6.5-8-g210218, which can be exploited by attackers to cause a denial of service (DoS).
**1. Description**

A stack overflow occurred in Sass::ComplexSelector::has_placeholder() at src/ast_selectors.cpp:464 when running ./sassc/bin/sassc; this reproduces on the latest commit.

**2. Software version info**
```
$ git log -1
commit 2102188d21d2b7577c2b3edb12832e90786a2831 (HEAD -> master, origin/master, origin/HEAD)
Merge: 006bbf5c f0605a31
Author: Marcel Greter <[email protected]>
Date:   Fri Sep 9 20:41:03 2022 +0200

    Merge pull request #3176 from LilyWangLL/vcpkg-instructions

    Add vcpkg installation instructions
```

```
$ ./sassc/bin/sassc --version
sassc: 3.6.2
libsass: 3.6.5-8-g210218
sass2scss: 1.1.1
sass: 3.5
```
**3. System version info**

```
Ubuntu 20.04.2 LTS
Linux 5.4.0-65-generic
```

**4. Command**

**5. Result**
```
WARNING on line 2, column 50 of /libsass/pocs/poc4: In Sass, "&&" means two copies of the parent selector. You probably want to use "and" instead.
WARNING on line 2, column 51 of /libsass/pocs/poc4: In Sass, "&&" means two copies of the parent selector. You probably want to use "and" instead.
AddressSanitizer:DEADLYSIGNAL
==3226316==ERROR: AddressSanitizer: stack-overflow on address 0x7ffe6a56aff8 (pc 0x000000b98979 bp 0x000000000000 sp 0x7ffe6a56b000 T0)
    #0 0xb98978 in Sass::ComplexSelector::has_placeholder() const src/ast_selectors.cpp:464
    #1 0xa2f688 in Sass::Remove_Placeholders::remove_placeholders(Sass::ComplexSelector*) src/remove_placeholders.cpp:36
    #2 0xa2ce1f in Sass::Remove_Placeholders::remove_placeholders(Sass::SelectorList*) src/remove_placeholders.cpp:52
    #3 0xa2ce1f in Sass::Remove_Placeholders::remove_placeholders(Sass::SimpleSelector*) src/remove_placeholders.cpp:22
    #4 0xa2ead2 in Sass::Remove_Placeholders::remove_placeholders(Sass::CompoundSelector*) src/remove_placeholders.cpp:29
    #5 0xa2fa01 in Sass::Remove_Placeholders::remove_placeholders(Sass::ComplexSelector*) src/remove_placeholders.cpp:42
    #6 0xa2ce1f in Sass::Remove_Placeholders::remove_placeholders(Sass::SelectorList*) src/remove_placeholders.cpp:52
    …
    #325 0xa2fa01 in Sass::Remove_Placeholders::remove_placeholders(Sass::ComplexSelector*) src/remove_placeholders.cpp:42
    #326 0xa2ce1f in Sass::Remove_Placeholders::remove_placeholders(Sass::SelectorList*) src/remove_placeholders.cpp:52
    #327 0xa2ce1f in Sass::Remove_Placeholders::remove_placeholders(Sass::SimpleSelector*) src/remove_placeholders.cpp:22
    #328 0xa2ead2 in Sass::Remove_Placeholders::remove_placeholders(Sass::CompoundSelector*) src/remove_placeholders.cpp:29
    #329 0xa2fa01 in Sass::Remove_Placeholders::remove_placeholders(Sass::ComplexSelector*) src/remove_placeholders.cpp:42
    #330 0xa2ce1f in Sass::Remove_Placeholders::remove_placeholders(Sass::SelectorList*) src/remove_placeholders.cpp:52
    #331 0xa2ce1f in Sass::Remove_Placeholders::remove_placeholders(Sass::SimpleSelector*) src/remove_placeholders.cpp:22

SUMMARY: AddressSanitizer: stack-overflow src/ast_selectors.cpp:464 in Sass::ComplexSelector::has_placeholder() const
==3226316==ABORTING
```
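As an added triage aid (not part of the original report or of libsass), the script below parses an AddressSanitizer stack-overflow report like the one above and finds the shortest repeating run of frames; on this trace it exposes the four-function cycle SelectorList -> SimpleSelector -> CompoundSelector -> ComplexSelector through Remove_Placeholders::remove_placeholders, which is how a reviewer tells unbounded recursion on nested input apart from a genuine out-of-bounds write. The sample report is constructed from the frames quoted above, one per line as ASan prints them.

```python
import re

# Constructed sample: the frames quoted in this issue, one per line as ASan prints them.
ASAN_REPORT = """\
==3226316==ERROR: AddressSanitizer: stack-overflow on address 0x7ffe6a56aff8 (pc 0x000000b98979 bp 0x000000000000 sp 0x7ffe6a56b000 T0)
    #0 0xb98978 in Sass::ComplexSelector::has_placeholder() const src/ast_selectors.cpp:464
    #1 0xa2f688 in Sass::Remove_Placeholders::remove_placeholders(Sass::ComplexSelector*) src/remove_placeholders.cpp:36
    #2 0xa2ce1f in Sass::Remove_Placeholders::remove_placeholders(Sass::SelectorList*) src/remove_placeholders.cpp:52
    #3 0xa2ce1f in Sass::Remove_Placeholders::remove_placeholders(Sass::SimpleSelector*) src/remove_placeholders.cpp:22
    #4 0xa2ead2 in Sass::Remove_Placeholders::remove_placeholders(Sass::CompoundSelector*) src/remove_placeholders.cpp:29
    #5 0xa2fa01 in Sass::Remove_Placeholders::remove_placeholders(Sass::ComplexSelector*) src/remove_placeholders.cpp:42
    #6 0xa2ce1f in Sass::Remove_Placeholders::remove_placeholders(Sass::SelectorList*) src/remove_placeholders.cpp:52
    #7 0xa2ce1f in Sass::Remove_Placeholders::remove_placeholders(Sass::SimpleSelector*) src/remove_placeholders.cpp:22
    #8 0xa2ead2 in Sass::Remove_Placeholders::remove_placeholders(Sass::CompoundSelector*) src/remove_placeholders.cpp:29
    #9 0xa2fa01 in Sass::Remove_Placeholders::remove_placeholders(Sass::ComplexSelector*) src/remove_placeholders.cpp:42
    #10 0xa2ce1f in Sass::Remove_Placeholders::remove_placeholders(Sass::SelectorList*) src/remove_placeholders.cpp:52
"""

# "#N 0xADDR in FUNCTION FILE:LINE"; FUNCTION may contain spaces, e.g. "() const".
FRAME_RE = re.compile(r"^\s*#\d+\s+0x[0-9a-f]+\s+in\s+(.+)\s+(\S+:\d+)\s*$")

def parse_frames(report):
    """Return the stack as (function, file:line) tuples, innermost frame first."""
    return [m.groups() for m in map(FRAME_RE.match, report.splitlines()) if m]

def find_recursion_cycle(frames, min_repeats=2):
    """Shortest run of frames that repeats at least min_repeats times down the stack.
    Returns (offset, period, cycle) or None when the stack shows no repetition."""
    n, min_repeats = len(frames), max(2, min_repeats)  # >= 2 keeps the check non-empty
    for offset in range(n):
        for period in range(1, (n - offset) // min_repeats + 1):
            if all(frames[i] == frames[i + period] for i in range(offset, n - period)):
                return offset, period, frames[offset:offset + period]
    return None

def triage(report):
    """Summarise an ASan report: crash kind, recorded depth and the recursion cycle."""
    kind = re.search(r"AddressSanitizer: ([a-z-]+) on address", report)
    frames = parse_frames(report)
    found = find_recursion_cycle(frames)
    return {
        "kind": kind.group(1) if kind else "unknown",
        "depth": len(frames),
        "period": found[1] if found else None,
        "cycle": [f"{fn} at {loc}" for fn, loc in found[2]] if found else [],
    }

if __name__ == "__main__":
    result = triage(ASAN_REPORT)
    print(result["kind"], "depth", result["depth"], "period", result["period"])
    for frame in result["cycle"]:
        print("  ", frame)
```

On the full 332-frame report the same cycle repeats about 82 times, so the overflow depth is set by the nesting of the input rather than by any fixed-size buffer.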
**6. Impact**

This vulnerability is capable of crashing the software, bypassing protection mechanisms, modifying memory, and possibly enabling remote code execution.

**7. POC**
Download: poc3
Report of the Information Security Laboratory of Ocean University of China @OUC_ISLOUC @OUC_Blue_Whale