
Bug 618012 (CVE-2017-7960, CVE-2017-7961)

Summary: <dev-libs/libcroco-0.6.12-r1: Multiple vulnerabilities
Product: Gentoo Security
Reporter: Agostino Sarubbo <ago>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: gnome
Priority: Normal
Flags: stable-bot: sanity-check+
Version: unspecified
Hardware: All
OS: Linux
URL: https://blogs.gentoo.org/ago/2017/04/17/libcroco-heap-overflow-and-undefined-behavior/
Whiteboard: A3 [glsa cve]
Package list: dev-libs/libcroco-0.6.12-r1
Runtime testing required: ---

Description Agostino Sarubbo gentoo-dev 2017-05-09 18:19:33 UTC
Details at $URL.

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Mart Raudsepp gentoo-dev 2017-05-09 22:28:52 UTC
I can't really see any issues with the claimed reproducers:

before and after is the same:

$ csslint-0.6 00267-libcroco-heapoverflow-cr_input_read_byte 
parsing error: 1:0:could not recognize next production

$ csslint-0.6 00268-libcroco-outside-long 
parsing error: 1:0:could not recognize next production
parsing error: 1:2:while parsing rulset: current char should be '{'


Otherwise grabbed the relevant parts of the patches into dev-libs/libcroco-0.6.12-r1; please stabilize
Comment 2 Yury German Gentoo Infrastructure gentoo-dev 2017-05-10 03:29:36 UTC
CVE ID: CVE-2017-7960
Summary: The cr_input_new_from_uri function in cr-input.c in libcroco 0.6.11 and 0.6.12 allows remote attackers to cause a denial of service (heap-based buffer over-read) via a crafted CSS file.
Published: 2017-04-19T15:59:00.000Z
Comment 3 Agostino Sarubbo gentoo-dev 2017-05-10 08:26:42 UTC
(In reply to Mart Raudsepp from comment #1)
> I can't really see any issues with the claimed reproducers:
> 
> before and after is the same:

Hello, did you compile it with -fsanitize=undefined ?
Comment 4 Agostino Sarubbo gentoo-dev 2017-05-10 09:34:24 UTC
amd64 stable
Comment 5 Mart Raudsepp gentoo-dev 2017-05-10 11:18:32 UTC
(In reply to Agostino Sarubbo from comment #3)
> Hello, did you compile it with -fsanitize=undefined ?

No, I was testing what actual users see and the $URL didn't mention it
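The disagreement in comments 1, 3 and 5 (the reproducers print the same parse error before and after the fix unless the build carries a sanitizer) is what a one-byte heap over-read looks like from the outside. The following is an added example written for this page; it is not libcroco's cr-input.c and not the patch this bug tracks. It is a constructed byte cursor with the check-after-read off-by-one that the reproducer's name hints at, beside a variant that checks the index before dereferencing, plus a stand-alone main() that shows why a plain build prints nothing alarming while an -fsanitize=address build aborts. The struct, the function names, the CR_* status values and the sample input "a{" are all assumptions made for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of a byte cursor over an in-memory input buffer, the
 * kind of thing a CSS tokenizer's input layer provides. Example code for
 * this page, not libcroco's implementation. */
typedef struct {
    const unsigned char *buf;
    size_t size;
    size_t next;        /* index of the next byte to hand out */
    int end_of_input;   /* set once the cursor is exhausted */
} cursor_t;

enum { CR_OK = 0, CR_END_OF_INPUT = 1 };

/* Buggy variant: the bounds check runs only AFTER buf[next] has been
 * fetched, so the call that should report end-of-input instead reads
 * buf[size], one byte past the allocation. A plain build returns whatever
 * happens to sit there; -fsanitize=address reports a heap-buffer-overflow
 * READ on that line. */
static int read_byte_unchecked(cursor_t *c, unsigned char *out)
{
    if (c->end_of_input)
        return CR_END_OF_INPUT;
    *out = c->buf[c->next];              /* over-read when next == size */
    if (c->next + 1 > c->size)
        c->end_of_input = 1;
    else
        c->next++;
    return CR_OK;
}

/* Hardened variant: compare the index against the size BEFORE the
 * dereference. Exactly `size` reads succeed, then CR_END_OF_INPUT. */
static int read_byte_checked(cursor_t *c, unsigned char *out)
{
    if (c->end_of_input || c->next >= c->size) {
        c->end_of_input = 1;
        return CR_END_OF_INPUT;
    }
    *out = c->buf[c->next++];
    return CR_OK;
}

typedef int (*read_fn)(cursor_t *, unsigned char *);

/* Pull bytes until the reader reports end-of-input and return how many it
 * handed out. The correct answer is always c->size. */
static size_t drain(cursor_t *c, read_fn rd, unsigned char *sink, size_t cap)
{
    size_t n = 0;
    unsigned char b;
    while (rd(c, &b) == CR_OK) {
        if (n < cap)
            sink[n] = b;
        n++;
    }
    return n;
}

/* Constructed input: the fragment "a{" followed by a sentinel byte, so the
 * buggy reader's extra fetch lands on memory we own and the result is
 * deterministic. The cursor is told the input is only 2 bytes long. */
static const unsigned char padded_input[3] = { 'a', '{', 0xAA };

size_t reads_unchecked_padded(unsigned char *sink, size_t cap)
{
    cursor_t c = { padded_input, 2, 0, 0 };
    return drain(&c, read_byte_unchecked, sink, cap);   /* 3: one byte too many */
}

size_t reads_checked_padded(unsigned char *sink, size_t cap)
{
    cursor_t c = { padded_input, 2, 0, 0 };
    return drain(&c, read_byte_checked, sink, cap);     /* 2 */
}

/* Stand-alone demo on an exactly sized heap buffer, the situation in the
 * bug report. Build twice and compare:
 *   cc demo.c -o demo                      # "3 bytes", last one garbage, no complaint
 *   cc -fsanitize=address demo.c -o demo   # aborts with heap-buffer-overflow
 * The checked reader reports 2 bytes under either build. */
int main(void)
{
    const char *css = "a{";
    size_t len = strlen(css);
    unsigned char *heap = malloc(len);      /* no trailing slack on purpose */
    unsigned char sink[8];
    if (!heap)
        return 1;
    memcpy(heap, css, len);

    cursor_t bad = { heap, len, 0, 0 };
    printf("unchecked reader handed out %zu bytes\n",
           drain(&bad, read_byte_unchecked, sink, sizeof sink));

    cursor_t good = { heap, len, 0, 0 };
    printf("checked reader handed out %zu bytes\n",
           drain(&good, read_byte_checked, sink, sizeof sink));

    free(heap);
    return 0;
}
```

The point for triage: the buggy reader does not crash or change the parse error on a normal build, because the stray byte past the buffer is usually readable and the tokenizer simply fails on it as "could not recognize next production". Only a sanitizer build, or a build where the allocation happens to end at a page boundary, turns the over-read into something visible, which is why checking reproducers without -fsanitize=address or -fsanitize=undefined tells you little.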
Comment 6 Jeroen Roovers (RETIRED) gentoo-dev 2017-05-10 14:14:46 UTC
Stable for HPPA.
Comment 7 Mart Raudsepp gentoo-dev 2017-05-10 14:59:10 UTC
Reverting unauthorized package list modification by non-maintainer
Comment 8 Agostino Sarubbo gentoo-dev 2017-05-10 15:46:16 UTC
x86 stable
Comment 9 Agostino Sarubbo gentoo-dev 2017-05-12 14:58:19 UTC
sparc stable
Comment 10 Tobias Klausmann (RETIRED) gentoo-dev 2017-05-12 18:00:19 UTC
Stable on alpha.
Comment 11 Michael Weber (RETIRED) gentoo-dev 2017-05-15 14:06:29 UTC
ppc ppc64 stable.
Comment 12 Markus Meier gentoo-dev 2017-05-16 04:43:45 UTC
arm stable
Comment 13 Agostino Sarubbo gentoo-dev 2017-05-18 11:32:46 UTC
(In reply to Mart Raudsepp from comment #5)
> No, I was testing what actual users see and the $URL didn't mention it

I thought it was a bit obvious.

Anyway, as a dependency of a package classified as A, this is A too.
Comment 14 Yury German Gentoo Infrastructure gentoo-dev 2017-05-21 07:37:27 UTC
Remaining arches are not part of security supported architectures, proceeding with security. Arches please stabilize as soon as possible to secure package.

New GLSA Request filed.
Comment 15 Yury German Gentoo Infrastructure gentoo-dev 2017-06-06 06:32:45 UTC
ia64 still waiting on stabilization, about to push the release of GLSA.
Comment 16 Agostino Sarubbo gentoo-dev 2017-06-10 15:17:59 UTC
ia64 stable.

Maintainer(s), please cleanup.
Comment 17 GLSAMaker/CVETool Bot gentoo-dev 2017-07-09 20:50:48 UTC
This issue was resolved and addressed in
 GLSA 201707-13 at https://security.gentoo.org/glsa/201707-13
by GLSA coordinator Thomas Deutschmann (whissi).