Fix most urgent issues in 2023 #3184
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
- Fix recursion when resolving parents - Fix potential memory leak in `sass_not` - Fix potential NPE in selector list inspector
|
FWIW sass-spec has diverted too much to still support LibSass CI/CD. |
This was referenced Dec 15, 2023
|
This is tangential, but if you're merging changes into libsass, is there any chance sass/sassc#268 could be merged? I'm not sure how one can build sassc in a script without this change applied. |
Check https://github.com/sass/libsass/blob/master/docs/build.md Edit: by default sassc expects libsass in its parent directory, e.g |
|
I ran these changed against POCs for: CVE-2022-43357, CVE-2022-43358 and CVE-2022-26592. All of these issues are fixed. Thanks @mgreter ! |
|
FWIW Added MSI installers to the 3.6.6 release after some hasle; plugins still seem to work ;) math{ sin42: sin(42); }
|
kraj
pushed a commit
to YoeDistro/meta-openembedded
that referenced
this pull request
Dec 20, 2024
This CVE is fixed in current libsass recipe version.
So wrapper around it will also not show this problem.
It's usual usecase is to be statically linked with libsass which is
probably the reason why this is listed as vulnerable component.
[1] links [2] as issue tracker which points to [3] as fix.
[4] as base repository for the recipe is not involved and files from [3]
are not present in this repository.
[1] https://nvd.nist.gov/vuln/detail/CVE-2022-43357
[2] sass/libsass#3177
[3] sass/libsass#3184
[4] https://github.com/sass/sassc/
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
kraj
pushed a commit
to YoeDistro/meta-openembedded
that referenced
this pull request
Dec 21, 2024
This CVE is fixed in current libsass recipe version.
So wrapper around it will also not show this problem.
It's usual usecase is to be statically linked with libsass which is
probably the reason why this is listed as vulnerable component.
[1] links [2] as issue tracker which points to [3] as fix.
[4] as base repository for the recipe is not involved and files from [3]
are not present in this repository.
[1] https://nvd.nist.gov/vuln/detail/CVE-2022-43357
[2] sass/libsass#3177
[3] sass/libsass#3184
[4] https://github.com/sass/sassc/
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
daregit
pushed a commit
to daregit/yocto-combined
that referenced
this pull request
Dec 21, 2024
This CVE is fixed in current libsass recipe version.
So wrapper around it will also not show this problem.
It's usual usecase is to be statically linked with libsass which is
probably the reason why this is listed as vulnerable component.
[1] links [2] as issue tracker which points to [3] as fix.
[4] as base repository for the recipe is not involved and files from [3]
are not present in this repository.
[1] https://nvd.nist.gov/vuln/detail/CVE-2022-43357
[2] sass/libsass#3177
[3] sass/libsass#3184
[4] https://github.com/sass/sassc/
Signed-off-by: Peter Marko <peter.markosiemens.com>
Signed-off-by: Khem Raj <raj.khemgmail.com>
daregit
pushed a commit
to daregit/yocto-combined
that referenced
this pull request
Dec 22, 2024
This CVE is fixed in current libsass recipe version.
So wrapper around it will also not show this problem.
It's usual usecase is to be statically linked with libsass which is
probably the reason why this is listed as vulnerable component.
[1] links [2] as issue tracker which points to [3] as fix.
[4] as base repository for the recipe is not involved and files from [3]
are not present in this repository.
[1] https://nvd.nist.gov/vuln/detail/CVE-2022-43357
[2] sass/libsass#3177
[3] sass/libsass#3184
[4] https://github.com/sass/sassc/
Signed-off-by: Peter Marko <peter.markosiemens.com>
Signed-off-by: Khem Raj <raj.khemgmail.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
sass_not