Security update for libsass (moderate)

An update that fixes 12 vulnerabilities is now available.

Description:

This update for libsass to version 3.6.1 fixes the following issues:

Security issues fixed:

• CVE-2019-6283: Fixed heap-buffer-overflow in
  Sass::Prelexer::parenthese_scope(char const*) (boo#1121943).
• CVE-2019-6284: Fixed heap-based buffer over-read exists in
  Sass:Prelexer:alternatives (boo#1121944).
• CVE-2019-6286: Fixed heap-based buffer over-read exists in
  Sass:Prelexer:skip_over_scopes (boo#1121945).
• CVE-2018-11499: Fixed use-after-free vulnerability in
  sass_context.cpp:handle_error (boo#1096894).
• CVE-2018-19797: Disallowed parent selector in selector_fns arguments
  (boo#1118301).
• CVE-2018-19827: Fixed use-after-free vulnerability exists in the
  SharedPtr class (boo#1118346).
• CVE-2018-19837: Fixed stack overflow in Eval::operator() (boo#1118348).
• CVE-2018-19838: Fixed stack-overflow at IMPLEMENT_AST_OPERATORS
  expansion (boo#1118349).
• CVE-2018-19839: Fixed buffer-overflow (OOB read) against some invalid
  input (boo#1118351).
• CVE-2018-20190: Fixed Null pointer dereference in
  Sass::Eval::operator()(Sass::Supports_Operator*) (boo#1119789).
• CVE-2018-20821: Fixed uncontrolled recursion in
  Sass:Parser:parse_css_variable_value (boo#1133200).
• CVE-2018-20822: Fixed stack-overflow at Sass::Inspect::operator()
  (boo#1133201).

This update was imported from the openSUSE:Leap:15.0:Update update project.

Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or “zypper patch”.

Alternatively you can run the command listed for your product:

• openSUSE Backports SLE-15-SP1:

  zypper in -t patch openSUSE-2019-1883=1