Debian Bug report logs -
#960527
libcroco: CVE-2020-12825
Reply or subscribe to this bug.
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>
:
Bug#960527
; Package src:libcroco
.
(Wed, 13 May 2020 15:24:03 GMT) (full text, mbox, link).
Acknowledgement sent
to Salvatore Bonaccorso <carnil@debian.org>
:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>
.
(Wed, 13 May 2020 15:24:04 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Source: libcroco
Version: 0.6.13-1
Severity: important
Tags: security upstream
Forwarded: https://gitlab.gnome.org/GNOME/libcroco/-/issues/8
Hi,
The following vulnerability was published for libcroco.
CVE-2020-12825[0]:
| libcroco through 0.6.13 has excessive recursion in
| cr_parser_parse_any_core in cr-parser.c, leading to stack consumption.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2020-12825
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12825
[1] https://gitlab.gnome.org/GNOME/libcroco/-/issues/8
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>
:
Bug#960527
; Package src:libcroco
.
(Wed, 13 May 2020 16:06:04 GMT) (full text, mbox, link).
Acknowledgement sent
to Simon McVittie <smcv@debian.org>
:
Extra info received and forwarded to list. Copy sent to Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>
.
(Wed, 13 May 2020 16:06:04 GMT) (full text, mbox, link).
Message #10 received at 960527@bugs.debian.org (full text, mbox, reply):
On Wed, 13 May 2020 at 17:21:44 +0200, Salvatore Bonaccorso wrote:
> CVE-2020-12825[0]:
> | libcroco through 0.6.13 has excessive recursion in
> | cr_parser_parse_any_core in cr-parser.c, leading to stack consumption.
Mitigation: here are the only things in >= stable that depend on libcroco:
- gnome-shell, cinnamon: I don't think these parse untrusted CSS, only
CSS that comes from GNOME Shell itself or a Shell extension (which can
execute arbitrary code with the user's privileges *anyway*, so they're
inherently trusted).
gnome-shell in unstable contains a cut-down fork of croco, in which
the developers are deleting unused code and redoing what's left in Rust,
using Mozilla's underlying parser; similar reasoning applies to that.
cinnamon is basically a fork of an old version of GNOME Shell, so it's
still using libcroco.
- gettext: seems to be part of term-styled-ostream, an ANSI terminal text
highlighting library[1], rather than parsing anything untrusted.
There is a vendored copy included, but Debian uses the system copy.
- librsvg in stable
In unstable, librsvg was rewritten in Rust, using Mozilla's underlying
parser.
- libccss in stable
This package is unmaintained upstream and was removed from
testing/unstable.
(I suspect the GNOME team might end up orphaning libcroco, now that no
GNOME components depend on it any more.)
I think the only one of those that's potentially of interest from the
point of view of denial-of-service in a long-running process is librsvg in
stable, and even that seems more likely to be used as a batch-mode tool,
via imagemagick or rsvg-convert(1) or similar.
smcv
[1] Yes, really.
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>
:
Bug#960527
; Package src:libcroco
.
(Wed, 13 May 2020 17:27:02 GMT) (full text, mbox, link).
Acknowledgement sent
to Salvatore Bonaccorso <carnil@debian.org>
:
Extra info received and forwarded to list. Copy sent to Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>
.
(Wed, 13 May 2020 17:27:02 GMT) (full text, mbox, link).
Message #15 received at 960527@bugs.debian.org (full text, mbox, reply):
Hi Simon,
On Wed, May 13, 2020 at 05:02:32PM +0100, Simon McVittie wrote:
> On Wed, 13 May 2020 at 17:21:44 +0200, Salvatore Bonaccorso wrote:
> > CVE-2020-12825[0]:
> > | libcroco through 0.6.13 has excessive recursion in
> > | cr_parser_parse_any_core in cr-parser.c, leading to stack consumption.
>
> Mitigation: here are the only things in >= stable that depend on libcroco:
>
> - gnome-shell, cinnamon: I don't think these parse untrusted CSS, only
> CSS that comes from GNOME Shell itself or a Shell extension (which can
> execute arbitrary code with the user's privileges *anyway*, so they're
> inherently trusted).
>
> gnome-shell in unstable contains a cut-down fork of croco, in which
> the developers are deleting unused code and redoing what's left in Rust,
> using Mozilla's underlying parser; similar reasoning applies to that.
>
> cinnamon is basically a fork of an old version of GNOME Shell, so it's
> still using libcroco.
>
> - gettext: seems to be part of term-styled-ostream, an ANSI terminal text
> highlighting library[1], rather than parsing anything untrusted.
>
> There is a vendored copy included, but Debian uses the system copy.
>
> - librsvg in stable
>
> In unstable, librsvg was rewritten in Rust, using Mozilla's underlying
> parser.
>
> - libccss in stable
>
> This package is unmaintained upstream and was removed from
> testing/unstable.
>
> (I suspect the GNOME team might end up orphaning libcroco, now that no
> GNOME components depend on it any more.)
>
> I think the only one of those that's potentially of interest from the
> point of view of denial-of-service in a long-running process is librsvg in
> stable, and even that seems more likely to be used as a batch-mode tool,
> via imagemagick or rsvg-convert(1) or similar.
Thanks for your analysis and overview. FWIW, the issue was marked
earlier no-dsa for stretch and buster, so if/whenever a fix arise
might be enough to adress it via a point release.
Regards,
Salvatore
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Thu May 14 10:20:05 2020;
Machine Name:
beach
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.