Hi,

during the BSP in Gothenburg last weekend I discussed with Jonas how
I could help to put libsass back on track regarding its security
status. We agreed that the best move is to start with triaging the
existing Debian bugs and by identifying the CVE status in upstream's
issue tracker. [0]

Unfortunately upstream does not actively track CVE numbers. After
Anthony Fok asked them about it in mid 2018 [1], they replied that
CVE numbers are only tracked if bug reporters add the CVE numbers
themselves, which several bug reporters have started to do since
then. As a result, CVE tracking on upstream's issue tracker seems to
have improved since mid 2018, but there is no guarantee that this
will persist, so manual vigilance is still required. ;)

Also, for older CVEs this info does not seem to be available in
upstream's issue tracker, and occasionally bug status information can
fall through the cracks during merges, see e.g., #2814
(CVE-2019-6283), #2815 (CVE-2019-6286) and #2816 (CVE-2019-6284): the
git log in the master branch only specifies that #2814 was fixed, but
pull request #2857 specifies that the same commit also fixed #2815
and #2816. [2]

I started by cross-referencing the CVEs (which are explicitly
mentioned in upstream's issue tracker) with upstream fixes:

|----------------+----------------+-------------------------|
| CVE            | Upstream bug # | Fixed in upstream commit |
|----------------+----------------+-------------------------|
| CVE-2019-6284  | #2816          | 8e681e2                 |
| CVE-2019-6286  | #2815          | 8e681e2                 |
| CVE-2019-6283  | #2814          | 8e681e2                 |
| CVE-2018-19827 | #2782          | b21fb9f                 |
| CVE-2018-19797 | #2779          | e94b5f9                 |
| CVE-2018-11499 | #2643          | 930857c                 |
|----------------+----------------+-------------------------|

As mentioned, this only covers recent CVEs, and there is still a lot
of manual triaging needed. Several of the older CVEs seem to have
been fixed "silently" (without explicitly referring to the CVEs), but
that remains to be confirmed. I will try to cross-reference all known
CVEs with upstream issues on github, so we can track if upstream
fixed them already and when.

This is obviously only the first step, but with that information we
can try to identify which CVEs are still relevant for Debian, and
which fixes need to be backported. Over time, we should be able to
get this package back in shape. :)

Kind regards,
Aljoscha

[0] https://github.com/sass/libsass/issues?q=is%3Aissue+cve+is%3Aclosed
[1] https://github.com/sass/libsass/issues/2682
[2] https://github.com/sass/libsass/pull/2857

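The cross-referencing described in the mail above, as an added worked example; this is not code from the mail or from the libsass project. It scans issue text for CVE IDs (which upstream only has when reporters add them), maps issues to commits through commit messages, and, to cover the #2814/#2815/#2816 case, also through the body of the pull request that merged the commit, so a fix that the git log records against only one issue is still credited to the others. The CVE IDs, issue numbers, PR number and commit hashes are the ones from the table above; every title, body and commit message is a constructed stand-in shaped like GitHub API and `git log --oneline` output, and a real run would replace those constants with fetched data.

```python
"""Cross-reference CVE IDs with upstream GitHub issues and the commits that fixed them.

Added example (not code from the mail or from libsass). The issue, pull-request
and commit records are constructed stand-ins; only the CVE IDs, issue numbers,
PR number and commit hashes come from the mail's table.
"""
import re
from collections import defaultdict

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")
ISSUE_REF_RE = re.compile(r"#(\d+)")

# Constructed issue records: (number, title, body). The CVE ID sits in the body
# because upstream relies on reporters adding it themselves.
ISSUES = [
    (2816, "constructed title", "Reporter note: tracked as CVE-2019-6284."),
    (2815, "constructed title", "Reporter note: tracked as CVE-2019-6286."),
    (2814, "constructed title", "Reporter note: tracked as CVE-2019-6283."),
    (2782, "constructed title", "Reporter note: tracked as CVE-2018-19827."),
    (2779, "constructed title", "Reporter note: tracked as CVE-2018-19797."),
    (2643, "constructed title", "Reporter note: tracked as CVE-2018-11499."),
]

# Constructed `git log --oneline` lines. 8e681e2 names only #2814, which is
# the situation the mail describes for the master branch.
COMMITS = [
    ("8e681e2", "Fix #2814 (constructed message)"),
    ("b21fb9f", "Fix #2782 (constructed message)"),
    ("e94b5f9", "Fix #2779 (constructed message)"),
    ("930857c", "Fix #2643 (constructed message)"),
]

# Constructed pull-request records: (number, body, commit hashes it merged).
# The references to #2815 and #2816 only exist here, not in the commit message.
PULLS = [
    (2857, "Constructed body: fixes #2814, #2815 and #2816", ["8e681e2"]),
]


def cve_to_issues(issues):
    """Map every CVE ID found in an issue's title or body to that issue number."""
    mapping = defaultdict(set)
    for number, title, body in issues:
        for cve in CVE_RE.findall(title + "\n" + body):
            mapping[cve].add(number)
    return mapping


def issue_to_commits(commits, pulls):
    """Map issue numbers to fixing commits, via commit messages and PR bodies."""
    mapping = defaultdict(set)
    for sha, message in commits:
        for ref in ISSUE_REF_RE.findall(message):
            mapping[int(ref)].add(sha)
    # A PR body that references an issue credits every commit the PR merged.
    for _number, body, shas in pulls:
        for ref in ISSUE_REF_RE.findall(body):
            mapping[int(ref)].update(shas)
    return mapping


def cross_reference(known_cves, issues, commits, pulls):
    """Return {cve: (status, sorted issue numbers, sorted commit hashes)}.

    status is one of:
      "fixed"        - at least one commit references one of the CVE's issues
      "no fix found" - the tracker mentions the CVE but no commit references it
      "not tracked"  - no issue mentions the CVE at all (needs manual triage)
    """
    by_cve = cve_to_issues(issues)
    by_issue = issue_to_commits(commits, pulls)
    report = {}
    for cve in known_cves:
        nums = by_cve.get(cve, set())
        shas = set()
        for n in nums:
            shas |= by_issue.get(n, set())
        if not nums:
            status = "not tracked"
        elif not shas:
            status = "no fix found"
        else:
            status = "fixed"
        report[cve] = (status, sorted(nums), sorted(shas))
    return report


KNOWN_CVES = [
    "CVE-2019-6284", "CVE-2019-6286", "CVE-2019-6283",
    "CVE-2018-19827", "CVE-2018-19797", "CVE-2018-11499",
]

if __name__ == "__main__":
    for cve, (status, nums, shas) in cross_reference(KNOWN_CVES, ISSUES, COMMITS, PULLS).items():
        print(f"{cve:15} {status:13} issues={nums} commits={shas}")
```

Running `cross_reference` with an empty `pulls` list shows why the PR bodies matter: CVE-2019-6286 and CVE-2019-6284 then come back as "no fix found" even though the same commit fixed them, which is exactly the kind of status that can fall through the cracks during a merge. Anything reported as "not tracked" is a candidate for the manual cross-referencing of older CVEs mentioned in the mail.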