CVE-2018-19838

Name	CVE-2018-19838
Description	In LibSass prior to 3.5.5, functions inside ast.cpp for IMPLEMENT_AST_OPERATORS expansion allow attackers to cause a denial-of-service resulting from stack consumption via a crafted sass file, as demonstrated by recursive calls involving clone(), cloneChildren(), and copy().
Source	CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
libsass (PTS)	bullseye	3.6.4+20201122-1	fixed
	bookworm	3.6.5+20220909-1	fixed
	forky, sid, trixie	3.6.5+20231221-3	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Urgency	Origin	Debian Bugs
libsass	source	(unstable)	3.6.3-1	low

Notes

[buster] - libsass <no-dsa> (Minor issue)
[stretch] - libsass <no-dsa> (Minor issue)
https://github.com/sass/libsass/issues/2660
Fixed in 3.6.1, but 3.6.3 first to land in unstable