|
Message-ID: <3c159080-5b82-0a64-8fb3-dc4864688d2a@oracle.com> Date: Thu, 13 Aug 2020 10:57:34 -0700 From: Alan Coopersmith <alan.coopersmith@...cle.com> To: "qflb.wu" <qflb.wu@...ppsecurity.com.cn> Cc: oss-security@...ts.openwall.com Subject: Re: Re: [FD] libcroco multiple vulnerabilities Upstream closed these bugs as WONTFIX today since they have ended maintenance of the standalone libcroco, as discussed in the comments on https://gitlab.gnome.org/Archive/libcroco/-/issues/8 (which is a different security fix, for CVE-2020-12825). -Alan Coopersmith- alan.coopersmith@...cle.com Oracle Solaris Engineering - https://blogs.oracle.com/alanc On 6/8/17 10:00 AM, Alan Coopersmith wrote: > These appear to be reported to the maintainers as: > > https://bugzilla.gnome.org/show_bug.cgi?id=782647 > https://bugzilla.gnome.org/show_bug.cgi?id=782649 > > Please include info about the upstream bugs when possible as it helps others > track when fixes are available. > > -Alan Coopersmith- alan.coopersmith@...cle.com > Oracle Solaris Engineering - https://blogs.oracle.com/alanc > > On 06/ 6/17 08:35 PM, qflb.wu wrote: >> libcroco multiple vulnerabilities >> ================ >> Author : qflb.wu >> =============== >> >> >> Introduction: >> ============= >> Libcroco is a standalone css2 parsing and manipulation library. >> The parser provides a low level event driven SAC like api and a css object >> model like api. >> Libcroco provides a CSS2 selection engine and an experimental xml/css >> rendering engine. >> >> >> Affected version: >> ===== >> 0.6.12 >> >> >> Vulnerability Description: >> ========================== >> 1. >> the cr_tknzr_parse_comment function in cr-tknzr.c in libcroco 0.6.12 can cause >> a denial of service (memory allocation error) via a crafted CSS file. >> >> >> ./csslint-0.6 --dump-location libcroco_0_6_12_memory_allocation_error.css >> >> >> ==21841==ERROR: AddressSanitizer failed to allocate 0x20002000 (536879104) >> bytes of LargeMmapAllocator: 12 >> ... >> ==21841==AddressSanitizer CHECK failed: >> /build/buildd/llvm-toolchain-3.4-3.4/projects/compiler-rt/lib/sanitizer_common/sanitizer_posix.cc:68 >> "(("unable to mmap" && 0)) != (0)" (0x0, 0x0) >> ... >> #10 0x7fd78c2fcb4d in cr_tknzr_parse_comment >> /home/a/Downloads/libcroco-0.6.12/src/cr-tknzr.c:462 >> #11 0x7fd78c2fcb4d in cr_tknzr_get_next_token >> /home/a/Downloads/libcroco-0.6.12/src/cr-tknzr.c:2218 >> #12 0x7fd78c356f6e in cr_parser_try_to_skip_spaces_and_comments >> /home/a/Downloads/libcroco-0.6.12/src/cr-parser.c:634 >> #13 0x7fd78c368a43 in cr_parser_parse_stylesheet >> /home/a/Downloads/libcroco-0.6.12/src/cr-parser.c:2538 >> #14 0x7fd78c368a43 in cr_parser_parse >> /home/a/Downloads/libcroco-0.6.12/src/cr-parser.c:4381 >> #15 0x480a8e in sac_parse_and_display_locations >> /home/a/Downloads/libcroco-0.6.12/csslint/csslint.c:960 >> #16 0x480a8e in main >> /home/a/Downloads/libcroco-0.6.12/csslint/csslint.c:1001 >> #17 0x7fd78b397f44 (/lib/x86_64-linux-gnu/libc.so.6+0x21f44) >> #18 0x47c95c in _start >> (/home/a/Downloads/libcroco-0.6.12/csslint/.libs/lt-csslint-0.6+0x47c95c) >> >> >> Reproducer: >> libcroco_0_6_12_memory_allocation_error.css >> CVE: >> CVE-2017-8834 >> >> >> 2. >> The cr_parser_parse_selector_core function in cr-parser.c in libcroco 0.6.12 >> can cause a denial of service(infinite loop and CPU consumption) via a crafted >> CSS file. >> >> >> ./csslint-0.6 --dump-location libcroco_0_6_12_infinite_loop.css >> >> >> Reproducer: >> libcroco_0_6_12_infinite_loop.css >> CVE: >> CVE-2017-8871 >> >> >> =============================== >> >> >> qflb.wu () dbappsecurity com cn >> >> >> >> >> >> >> >> >> >> >> _______________________________________________ >> Sent through the Full Disclosure mailing list >> https://nmap.org/mailman/listinfo/fulldisclosure >> Web Archives & RSS: http://seclists.org/fulldisclosure/ >> > > >
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.