Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 618012 (CVE-2017-7960, CVE-2017-7961) - <dev-libs/libcroco-0.6.12-r1: Multiple vulnerabilities
Summary: <dev-libs/libcroco-0.6.12-r1: Multiple vulnerabilities
Status: RESOLVED FIXED
Alias: CVE-2017-7960, CVE-2017-7961
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: https://blogs.gentoo.org/ago/2017/04/...
Whiteboard: A3 [glsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2017-05-09 18:19 UTC by Agostino Sarubbo
Modified: 2017-07-09 20:50 UTC (History)
1 user (show)

See Also:
Package list:
dev-libs/libcroco-0.6.12-r1
Runtime testing required: ---
stable-bot: sanity-check+


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2017-05-09 18:19:33 UTC
Details at $URL.



@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Mart Raudsepp gentoo-dev 2017-05-09 22:28:52 UTC
I can't really see any issues with the claimed reproducers:

before and after is the same:

$ csslint-0.6 00267-libcroco-heapoverflow-cr_input_read_byte 
parsing error: 1:0:could not recognize next production

$ csslint-0.6 00268-libcroco-outside-long 
parsing error: 1:0:could not recognize next production
parsing error: 1:2:while parsing rulset: current char should be '{'


Otherwise grabbed the relevant parts of the patches into dev-libs/libcroco-0.6.12-r1; please stabilize
Comment 2 Yury German Gentoo Infrastructure gentoo-dev Security 2017-05-10 03:29:36 UTC
CVE ID: CVE-2017-7960
   Summary: The cr_input_new_from_uri function in cr-input.c in libcroco 0.6.11 and 0.6.12 allows remote attackers to cause a denial of service (heap-based buffer over-read) via a crafted CSS file.
 Published: 2017-04-19T15:59:00.000Z
Comment 3 Agostino Sarubbo gentoo-dev 2017-05-10 08:26:42 UTC
(In reply to Mart Raudsepp from comment #1)
> I can't really see any issues with the claimed reproducers:
> 
> before and after is the same:

Hello, did you compile it with -fsanitize=undefined ?
Comment 4 Agostino Sarubbo gentoo-dev 2017-05-10 09:34:24 UTC
amd64 stable
Comment 5 Mart Raudsepp gentoo-dev 2017-05-10 11:18:32 UTC
(In reply to Agostino Sarubbo from comment #3)
> Hello, did you compile it with -fsanitize=undefined ?

No, I was testing what actual users see and the $URL didn't mention it
Comment 6 Jeroen Roovers gentoo-dev 2017-05-10 14:14:46 UTC
Stable for HPPA.
Comment 7 Mart Raudsepp gentoo-dev 2017-05-10 14:59:10 UTC
Reverting unauthorized package list modification by non-maintainer
Comment 8 Agostino Sarubbo gentoo-dev 2017-05-10 15:46:16 UTC
x86 stable
Comment 9 Agostino Sarubbo gentoo-dev 2017-05-12 14:58:19 UTC
sparc stable
Comment 10 Tobias Klausmann gentoo-dev 2017-05-12 18:00:19 UTC
Stable on alpha.
Comment 11 Michael Weber (RETIRED) gentoo-dev 2017-05-15 14:06:29 UTC
ppc ppc64 stable.
Comment 12 Markus Meier gentoo-dev 2017-05-16 04:43:45 UTC
arm stable
Comment 13 Agostino Sarubbo gentoo-dev 2017-05-18 11:32:46 UTC
(In reply to Mart Raudsepp from comment #5)
> No, I was testing what actual users see and the $URL didn't mention it

I thought it was a bit obvious.

Anyway, as a dependency of a package classified as A, this is A too.
Comment 14 Yury German Gentoo Infrastructure gentoo-dev Security 2017-05-21 07:37:27 UTC
Remaining arches are not part of security supported architectures, proceeding with security. Arches please stabilize as soon as possible to secure package.

New GLSA Request filed.
Comment 15 Yury German Gentoo Infrastructure gentoo-dev Security 2017-06-06 06:32:45 UTC
ia64 still waiting on stabilization, about to push the release of GLSA.
Comment 16 Agostino Sarubbo gentoo-dev 2017-06-10 15:17:59 UTC
ia64 stable.

Maintainer(s), please cleanup.
Comment 17 GLSAMaker/CVETool Bot gentoo-dev 2017-07-09 20:50:48 UTC
This issue was resolved and addressed in
 GLSA 201707-13 at https://security.gentoo.org/glsa/201707-13
by GLSA coordinator Thomas Deutschmann (whissi).