<!--X-Body-Begin-->
<!--X-User-Header-->
oss-sec
mailing list archives
<!--X-User-Header-End-->
<!--X-TopPNI-->
By Date
By Thread
</form>
<!--X-TopPNI-End-->
<!--X-MsgBody-->
<!--X-Subject-Header-Begin-->
Re: Re: [FD] libcroco multiple vulnerabilities
<!--X-Subject-Header-End-->
<!--X-Head-of-Message-->
From: Alan Coopersmith <alan.coopersmith () oracle com>
Date: Thu, 13 Aug 2020 10:57:34 -0700
<!--X-Head-of-Message-End-->
<!--X-Head-Body-Sep-Begin-->
<!--X-Head-Body-Sep-End-->
<!--X-Body-of-Message-->
Upstream closed these bugs as WONTFIX today since they have ended
maintenance of the standalone libcroco, as discussed in the comments on
https://gitlab.gnome.org/Archive/libcroco/-/issues/8
(which is a different security fix, for CVE-2020-12825).
-Alan Coopersmith- alan.coopersmith () oracle com
Oracle Solaris Engineering - https://blogs.oracle.com/alanc
On 6/8/17 10:00 AM, Alan Coopersmith wrote:
These appear to be reported to the maintainers as:
https://bugzilla.gnome.org/show_bug.cgi?id=782647
https://bugzilla.gnome.org/show_bug.cgi?id=782649
Please include info about the upstream bugs when possible as it helps others
track when fixes are available.
-Alan Coopersmith- alan.coopersmith () oracle com
Oracle Solaris Engineering - https://blogs.oracle.com/alanc
On 06/ 6/17 08:35 PM, qflb.wu wrote:
libcroco multiple vulnerabilities
================
Author : qflb.wu
===============
Introduction:
=============
Libcroco is a standalone css2 parsing and manipulation library.
The parser provides a low level event driven SAC like api and a css object
model like api.
Libcroco provides a CSS2 selection engine and an experimental xml/css
rendering engine.
Affected version:
=====
0.6.12
Vulnerability Description:
==========================
1.
the cr_tknzr_parse_comment function in cr-tknzr.c in libcroco 0.6.12 can cause
a denial of service (memory allocation error) via a crafted CSS file.
./csslint-0.6 --dump-location libcroco_0_6_12_memory_allocation_error.css
==21841==ERROR: AddressSanitizer failed to allocate 0x20002000 (536879104)
bytes of LargeMmapAllocator: 12
...
==21841==AddressSanitizer CHECK failed:
/build/buildd/llvm-toolchain-3.4-3.4/projects/compiler-rt/lib/sanitizer_common/sanitizer_posix.cc:68
"(("unable to mmap" && 0)) != (0)" (0x0, 0x0)
...
#10 0x7fd78c2fcb4d in cr_tknzr_parse_comment
/home/a/Downloads/libcroco-0.6.12/src/cr-tknzr.c:462
#11 0x7fd78c2fcb4d in cr_tknzr_get_next_token
/home/a/Downloads/libcroco-0.6.12/src/cr-tknzr.c:2218
#12 0x7fd78c356f6e in cr_parser_try_to_skip_spaces_and_comments
/home/a/Downloads/libcroco-0.6.12/src/cr-parser.c:634
#13 0x7fd78c368a43 in cr_parser_parse_stylesheet
/home/a/Downloads/libcroco-0.6.12/src/cr-parser.c:2538
#14 0x7fd78c368a43 in cr_parser_parse
/home/a/Downloads/libcroco-0.6.12/src/cr-parser.c:4381
#15 0x480a8e in sac_parse_and_display_locations
/home/a/Downloads/libcroco-0.6.12/csslint/csslint.c:960
#16 0x480a8e in main
/home/a/Downloads/libcroco-0.6.12/csslint/csslint.c:1001
#17 0x7fd78b397f44 (/lib/x86_64-linux-gnu/libc.so.6+0x21f44)
#18 0x47c95c in _start
(/home/a/Downloads/libcroco-0.6.12/csslint/.libs/lt-csslint-0.6+0x47c95c)
Reproducer:
libcroco_0_6_12_memory_allocation_error.css
CVE:
CVE-2017-8834
2.
The cr_parser_parse_selector_core function in cr-parser.c in libcroco 0.6.12
can cause a denial of service(infinite loop and CPU consumption) via a crafted
CSS file.
./csslint-0.6 --dump-location libcroco_0_6_12_infinite_loop.css
Reproducer:
libcroco_0_6_12_infinite_loop.css
CVE:
CVE-2017-8871
===============================
qflb.wu () dbappsecurity com cn
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
<!--X-Body-of-Message-End-->
<!--X-MsgBody-End-->
<!--X-Follow-Ups-->
<!--X-Follow-Ups-End-->
<!--X-References-->
<!--X-References-End-->
<!--X-BotPNI-->
By Date
By Thread
Current thread:
Re: Re: [FD] libcroco multiple vulnerabilities Alan Coopersmith (Aug 13)
Re: Re: [FD] libcroco multiple vulnerabilities Alan Coopersmith (Sep 08)
<!--X-BotPNI-End-->
<!--X-User-Footer-->
<!--X-User-Footer-End-->