| Field | Value | Field | Value |
|---|---|---|---|
| Summary | dev-libs/libcroco-0.6.12-r1: Multiple vulnerabilities | | |
| Product | Gentoo Security | Reporter | Agostino Sarubbo <ago> |
| Component | Vulnerabilities | Assignee | Gentoo Security <security> |
| Status | RESOLVED FIXED | | |
| Severity | normal | CC | gnome |
| Priority | Normal | Flags | stable-bot: sanity-check+ |
| Version | unspecified | | |
| Hardware | All | | |
| OS | Linux | | |
| URL | https://blogs.gentoo.org/ago/2017/04/17/libcroco-heap-overflow-and-undefined-behavior/ | | |
| Whiteboard | A3 [glsa cve] | | |
| Package list | dev-libs/libcroco-0.6.12-r1 | | |
| Runtime testing required | --- | | |
Description: Agostino Sarubbo, 2017-05-09 18:19:33 UTC

I can't really see any issues with the claimed reproducers: before and after is the same:

```
$ csslint-0.6 00267-libcroco-heapoverflow-cr_input_read_byte
parsing error: 1:0:could not recognize next production
$ csslint-0.6 00268-libcroco-outside-long
parsing error: 1:0:could not recognize next production
parsing error: 1:2:while parsing rulset: current char should be '{'
```

Otherwise grabbed the relevant parts of the patches into dev-libs/libcroco-0.6.12-r1; please stabilize.

CVE ID: CVE-2017-7960
Summary: The cr_input_new_from_uri function in cr-input.c in libcroco 0.6.11 and 0.6.12 allows remote attackers to cause a denial of service (heap-based buffer over-read) via a crafted CSS file.
Published: 2017-04-19T15:59:00.000Z

(In reply to Mart Raudsepp from comment #1)
> I can't really see any issues with the claimed reproducers:
>
> before and after is the same:

Hello, did you compile it with -fsanitize=undefined?

amd64 stable

(In reply to Agostino Sarubbo from comment #3)
> Hello, did you compile it with -fsanitize=undefined?

No, I was testing what actual users see and the $URL didn't mention it.

Stable for HPPA.

Reverting unauthorized package list modification by non-maintainer.

x86 stable

sparc stable

Stable on alpha.

ppc ppc64 stable.

arm stable

(In reply to Mart Raudsepp from comment #5)
> No, I was testing what actual users see and the $URL didn't mention it

I thought it was a bit obvious. Anyway, as a dependency of a package classified as A, this is A too. Remaining arches are not part of security supported architectures, proceeding with security.

Arches please stabilize as soon as possible to secure package.

New GLSA Request filed.

ia64 still waiting on stabilization, about to push the release of GLSA.

ia64 stable.

Maintainer(s), please cleanup.

This issue was resolved and addressed in GLSA 201707-13 at https://security.gentoo.org/glsa/201707-13 by GLSA coordinator Thomas Deutschmann (whissi).
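The exchange above turns on one point: a heap over-read that runs a few bytes past the end of an input buffer is silent in an ordinary build, so csslint prints the same parse error before and after the fix, and the defect only surfaces when the binary is built with a sanitizer (AddressSanitizer reports the over-read itself; -fsanitize=undefined covers the undefined-behaviour half of the report linked in the URL field). The following is an added example and not libcroco's code: a minimal heap-backed reader in the style of cr_input_read_byte, with an unchecked variant that trusts the caller to stop at the end and a checked variant that returns -1 at end of input. Every name in it (css_input, unchecked_read_byte, checked_read_byte, unchecked_sum, count_bytes, read_past_end_is_refused) and the sample CSS strings are this example's own; it models the bug class, not the specific defect patched in 0.6.12-r1.

```c
/* Added example: a minimal heap-backed input reader, not libcroco's code. */
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for libcroco's input object: a heap buffer that
 * holds exactly `len` bytes of CSS (no terminator), plus a read cursor. */
struct css_input {
    unsigned char *buf;
    size_t len;
    size_t pos;
};

/* Copy `text` into a freshly allocated buffer of exactly strlen(text) bytes,
 * the way a file read into a sized buffer would look. Returns NULL on OOM. */
static struct css_input *css_input_new_from_mem(const char *text)
{
    struct css_input *in = malloc(sizeof *in);
    if (in == NULL)
        return NULL;
    in->len = strlen(text);
    in->pos = 0;
    in->buf = malloc(in->len > 0 ? in->len : 1);
    if (in->buf == NULL) {
        free(in);
        return NULL;
    }
    memcpy(in->buf, text, in->len);
    return in;
}

static void css_input_free(struct css_input *in)
{
    if (in == NULL)
        return;
    free(in->buf);
    free(in);
}

/* Vulnerable pattern: no bounds check, so a caller that asks for "one more
 * byte" after `len` reads heap memory outside `buf`. A plain build usually
 * returns whatever lies there and carries on; a build with
 * -fsanitize=address aborts with a heap-buffer-overflow READ report. */
static unsigned char unchecked_read_byte(struct css_input *in)
{
    return in->buf[in->pos++];
}

/* Hardened form: the reader, not the caller, owns the bound. Returns 0 and
 * stores the byte, or -1 once the cursor reaches `len`. */
static int checked_read_byte(struct css_input *in, unsigned char *out)
{
    if (in->pos >= in->len)
        return -1;
    *out = in->buf[in->pos++];
    return 0;
}

/* Sum the first `n` bytes of `text` through the unchecked reader. Correct
 * only while n <= strlen(text); n == strlen(text) + 1 is the over-read. */
static unsigned long unchecked_sum(const char *text, size_t n)
{
    struct css_input *in = css_input_new_from_mem(text);
    unsigned long sum = 0;
    size_t i;
    if (in == NULL)
        return 0;
    for (i = 0; i < n; i++)
        sum += unchecked_read_byte(in);
    css_input_free(in);
    return sum;
}

/* A tokenizer-style loop that keeps asking for the next byte until refused;
 * with the checked reader it stops at exactly strlen(text) bytes. */
static size_t count_bytes(const char *text)
{
    struct css_input *in = css_input_new_from_mem(text);
    unsigned char c;
    size_t n = 0;
    if (in == NULL)
        return 0;
    while (checked_read_byte(in, &c) == 0)
        n++;
    css_input_free(in);
    return n;
}

/* Returns 1 if reading one byte past the end is refused (-1), else 0. */
static int read_past_end_is_refused(const char *text)
{
    struct css_input *in = css_input_new_from_mem(text);
    unsigned char c;
    int refused;
    if (in == NULL)
        return 0;
    while (checked_read_byte(in, &c) == 0)
        ;
    refused = (checked_read_byte(in, &c) == -1);
    css_input_free(in);
    return refused;
}

int main(void)
{
    const char *css = "a{}";   /* constructed sample input */
    printf("bytes read via checked reader: %zu\n", count_bytes(css));
    printf("read past end refused: %d\n", read_past_end_is_refused(css));
    printf("unchecked sum of all %zu bytes: %lu\n", strlen(css),
           unchecked_sum(css, strlen(css)));
    return 0;
}
```

Build it twice, `cc -O1 -g example.c` and `cc -O1 -g -fsanitize=address,undefined example.c`, and change the last call in main to `unchecked_sum(css, strlen(css) + 1)`: the first binary typically prints a number and exits 0, which is what "before and after is the same" looks like from csslint, while the second aborts with a heap-buffer-overflow READ one byte past a 3-byte region. That difference is the whole disagreement in the thread.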