List: oss-security
Subject: Re: [oss-security] Re: [FD] libcroco multiple vulnerabilities
From: Alan Coopersmith <alan.coopersmith () oracle ! com>
Date: 2020-08-13 17:57:34
Message-ID: 3c159080-5b82-0a64-8fb3-dc4864688d2a () oracle ! com
Upstream closed these bugs as WONTFIX today since they have ended
maintenance of the standalone libcroco, as discussed in the comments on
https://gitlab.gnome.org/Archive/libcroco/-/issues/8
(which is a different security fix, for CVE-2020-12825).
-Alan Coopersmith- alan.coopersmith@oracle.com
Oracle Solaris Engineering - https://blogs.oracle.com/alanc
On 6/8/17 10:00 AM, Alan Coopersmith wrote:
> These appear to be reported to the maintainers as:
>
> https://bugzilla.gnome.org/show_bug.cgi?id=782647
> https://bugzilla.gnome.org/show_bug.cgi?id=782649
>
> Please include info about the upstream bugs when possible as it helps others
> track when fixes are available.
>
> -Alan Coopersmith- alan.coopersmith@oracle.com
> Oracle Solaris Engineering - https://blogs.oracle.com/alanc
>
> On 06/ 6/17 08:35 PM, qflb.wu wrote:
>> libcroco multiple vulnerabilities
>> =================================
>> Author : qflb.wu
>> =================================
>>
>>
>> Introduction:
>> =============
>> Libcroco is a standalone CSS2 parsing and manipulation library.
>> The parser provides a low-level, event-driven SAC-like API and a CSS object
>> model-like API.
>> Libcroco provides a CSS2 selection engine and an experimental XML/CSS
>> rendering engine.
>>
>>
>> Affected version:
>> =================
>> 0.6.12
>>
>>
>> Vulnerability Description:
>> ==========================
>> 1.
>> The cr_tknzr_parse_comment function in cr-tknzr.c in libcroco 0.6.12 can cause
>> a denial of service (memory allocation error) via a crafted CSS file.
>>
>>
>> ./csslint-0.6 --dump-location libcroco_0_6_12_memory_allocation_error.css
>>
>>
>> ==21841==ERROR: AddressSanitizer failed to allocate 0x20002000 (536879104)
>> bytes of LargeMmapAllocator: 12
>> ...
>> ==21841==AddressSanitizer CHECK failed:
>> /build/buildd/llvm-toolchain-3.4-3.4/projects/compiler-rt/lib/sanitizer_common/sanitizer_posix.cc:68
>> "(("unable to mmap" && 0)) != (0)" (0x0, 0x0)
>> ...
>> #10 0x7fd78c2fcb4d in cr_tknzr_parse_comment
>> /home/a/Downloads/libcroco-0.6.12/src/cr-tknzr.c:462
>> #11 0x7fd78c2fcb4d in cr_tknzr_get_next_token
>> /home/a/Downloads/libcroco-0.6.12/src/cr-tknzr.c:2218
>> #12 0x7fd78c356f6e in cr_parser_try_to_skip_spaces_and_comments
>> /home/a/Downloads/libcroco-0.6.12/src/cr-parser.c:634
>> #13 0x7fd78c368a43 in cr_parser_parse_stylesheet
>> /home/a/Downloads/libcroco-0.6.12/src/cr-parser.c:2538
>> #14 0x7fd78c368a43 in cr_parser_parse
>> /home/a/Downloads/libcroco-0.6.12/src/cr-parser.c:4381
>> #15 0x480a8e in sac_parse_and_display_locations
>> /home/a/Downloads/libcroco-0.6.12/csslint/csslint.c:960
>> #16 0x480a8e in main
>> /home/a/Downloads/libcroco-0.6.12/csslint/csslint.c:1001
>> #17 0x7fd78b397f44 (/lib/x86_64-linux-gnu/libc.so.6+0x21f44)
>> #18 0x47c95c in _start
>> (/home/a/Downloads/libcroco-0.6.12/csslint/.libs/lt-csslint-0.6+0x47c95c)
>>
>>
>> Reproducer:
>> libcroco_0_6_12_memory_allocation_error.css
>> CVE:
>> CVE-2017-8834
>>
>>
>> 2.
>> The cr_parser_parse_selector_core function in cr-parser.c in libcroco 0.6.12
>> can cause a denial of service (infinite loop and CPU consumption) via a crafted
>> CSS file.
>>
>>
>> ./csslint-0.6 --dump-location libcroco_0_6_12_infinite_loop.css
>>
>>
>> Reproducer:
>> libcroco_0_6_12_infinite_loop.css
>> CVE:
>> CVE-2017-8871
>>
>>
>> ===============================
>>
>>
>> qflb.wu () dbappsecurity com cn
>>
>> _______________________________________________
>> Sent through the Full Disclosure mailing list
>> https://nmap.org/mailman/listinfo/fulldisclosure
>> Web Archives & RSS: http://seclists.org/fulldisclosure/
>>