Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact

Re: Re: [FD] libcroco multiple vulnerabilities

Related Vulnerabilities: CVE-2020-12825   CVE-2017-8834   CVE-2017-8871  
Source 
                							

                <!--X-Body-Begin-->
<!--X-User-Header-->

oss-sec
mailing list archives
<!--X-User-Header-End-->
<!--X-TopPNI-->

By Date

By Thread

</form>

<!--X-TopPNI-End-->
<!--X-MsgBody-->
<!--X-Subject-Header-Begin-->
Re: Re: [FD] libcroco multiple vulnerabilities

<!--X-Subject-Header-End-->
<!--X-Head-of-Message-->

From: Alan Coopersmith &lt;alan.coopersmith () oracle com&gt;

Date: Thu, 13 Aug 2020 10:57:34 -0700

<!--X-Head-of-Message-End-->
<!--X-Head-Body-Sep-Begin-->

<!--X-Head-Body-Sep-End-->
<!--X-Body-of-Message-->
Upstream closed these bugs as WONTFIX today since they have ended
maintenance of the standalone libcroco, as discussed in the comments on
https://gitlab.gnome.org/Archive/libcroco/-/issues/8
(which is a different security fix, for CVE-2020-12825).

        -Alan Coopersmith-               alan.coopersmith () oracle com
         Oracle Solaris Engineering - https://blogs.oracle.com/alanc

On 6/8/17 10:00 AM, Alan Coopersmith wrote:
These appear to be reported to the maintainers as:

https://bugzilla.gnome.org/show_bug.cgi?id=782647
https://bugzilla.gnome.org/show_bug.cgi?id=782649

Please include info about the upstream bugs when possible as it helps others
track when fixes are available.

 &nbsp;&nbsp;&nbsp;&nbsp;-Alan Coopersmith-&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; alan.coopersmith () oracle com
 &nbsp;&nbsp;&nbsp;&nbsp; Oracle Solaris Engineering - https://blogs.oracle.com/alanc

On 06/ 6/17 08:35 PM, qflb.wu wrote:
libcroco multiple vulnerabilities
================
Author : qflb.wu
===============

Introduction:
=============
Libcroco is a standalone css2 parsing and manipulation library.
The parser provides a low level event driven SAC like api and a css object 
model like api.
Libcroco provides a CSS2 selection engine and an experimental xml/css 
rendering engine.

Affected version:
=====
0.6.12

Vulnerability Description:
==========================
1.
the cr_tknzr_parse_comment function in cr-tknzr.c in libcroco 0.6.12 can cause 
a denial of service (memory allocation error) via a crafted CSS file.

./csslint-0.6 --dump-location libcroco_0_6_12_memory_allocation_error.css

==21841==ERROR: AddressSanitizer failed to allocate 0x20002000 (536879104) 
bytes of LargeMmapAllocator: 12
...
==21841==AddressSanitizer CHECK failed: 
/build/buildd/llvm-toolchain-3.4-3.4/projects/compiler-rt/lib/sanitizer_common/sanitizer_posix.cc:68 
"(("unable to mmap" &amp;&amp; 0)) != (0)" (0x0, 0x0)
&nbsp;&nbsp;&nbsp;&nbsp; ...
&nbsp;&nbsp;&nbsp;&nbsp; #10 0x7fd78c2fcb4d in cr_tknzr_parse_comment 
/home/a/Downloads/libcroco-0.6.12/src/cr-tknzr.c:462
&nbsp;&nbsp;&nbsp;&nbsp; #11 0x7fd78c2fcb4d in cr_tknzr_get_next_token 
/home/a/Downloads/libcroco-0.6.12/src/cr-tknzr.c:2218
&nbsp;&nbsp;&nbsp;&nbsp; #12 0x7fd78c356f6e in cr_parser_try_to_skip_spaces_and_comments 
/home/a/Downloads/libcroco-0.6.12/src/cr-parser.c:634
&nbsp;&nbsp;&nbsp;&nbsp; #13 0x7fd78c368a43 in cr_parser_parse_stylesheet 
/home/a/Downloads/libcroco-0.6.12/src/cr-parser.c:2538
&nbsp;&nbsp;&nbsp;&nbsp; #14 0x7fd78c368a43 in cr_parser_parse 
/home/a/Downloads/libcroco-0.6.12/src/cr-parser.c:4381
&nbsp;&nbsp;&nbsp;&nbsp; #15 0x480a8e in sac_parse_and_display_locations 
/home/a/Downloads/libcroco-0.6.12/csslint/csslint.c:960
&nbsp;&nbsp;&nbsp;&nbsp; #16 0x480a8e in main 
/home/a/Downloads/libcroco-0.6.12/csslint/csslint.c:1001
&nbsp;&nbsp;&nbsp;&nbsp; #17 0x7fd78b397f44 (/lib/x86_64-linux-gnu/libc.so.6+0x21f44)
&nbsp;&nbsp;&nbsp;&nbsp; #18 0x47c95c in _start 
(/home/a/Downloads/libcroco-0.6.12/csslint/.libs/lt-csslint-0.6+0x47c95c)

&nbsp;&nbsp;&nbsp;&nbsp; Reproducer:
&nbsp;&nbsp;&nbsp;&nbsp; libcroco_0_6_12_memory_allocation_error.css
&nbsp;&nbsp;&nbsp;&nbsp; CVE:
&nbsp;&nbsp;&nbsp;&nbsp; CVE-2017-8834

2.
The cr_parser_parse_selector_core function in cr-parser.c in libcroco 0.6.12 
can cause a denial of service(infinite loop and CPU consumption) via a crafted 
CSS file.

./csslint-0.6 --dump-location libcroco_0_6_12_infinite_loop.css

Reproducer:
libcroco_0_6_12_infinite_loop.css
CVE:
CVE-2017-8871

===============================

qflb.wu () dbappsecurity com cn

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives &amp; RSS: http://seclists.org/fulldisclosure/

<!--X-Body-of-Message-End-->
<!--X-MsgBody-End-->
<!--X-Follow-Ups-->

<!--X-Follow-Ups-End-->
<!--X-References-->
<!--X-References-End-->
<!--X-BotPNI-->

By Date

By Thread

Current thread:

Re: Re: [FD] libcroco multiple vulnerabilities Alan Coopersmith (Aug 13)

Re: Re: [FD] libcroco multiple vulnerabilities Alan Coopersmith (Sep 08)

<!--X-BotPNI-End-->
<!--X-User-Footer-->
<!--X-User-Footer-End-->

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook

Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started