Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 621258 (CVE-2017-8834, CVE-2017-8871) - dev-libs/libcroco: multiple vulnerabilities (CVE-2017-{8834,8871})
Summary: dev-libs/libcroco: multiple vulnerabilities (CVE-2017-{8834,8871})
Alias: CVE-2017-8834, CVE-2017-8871
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
Whiteboard: A3 [cleanup]
Depends on:
Reported: 2017-06-08 22:24 UTC by Ian Zimmerman
Modified: 2023-10-20 09:46 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Ian Zimmerman 2017-06-08 22:24:04 UTC
As reported in the full-disclosure mailing list and then Cced to oss-security [0]:

1. the cr_tknzr_parse_comment function in cr-tknzr.c in libcroco 0.6.12 can cause a denial of service (memory allocation error) via a crafted CSS file.

Upstream: [1]

2. The cr_parser_parse_selector_core function in cr-parser.c in libcroco 0.6.12 can cause a denial of service(infinite loop and CPU consumption) via a crafted CSS file.

Upstream: [2]



Comment 1 Thomas Deutschmann (RETIRED) gentoo-dev 2017-06-08 22:50:30 UTC
Thanks for the report.
Comment 3 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2020-06-19 01:51:09 UTC
Maintainer(s): Ping.
Comment 4 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-07-18 20:59:15 UTC
Comment 5 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-07-19 12:16:47 UTC
Looked again, this isn't fixed upstream and it's just a proposed patch.
Comment 6 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2020-08-13 18:22:37 UTC
The upstream bugs have been WONTFIX'ed. A comment on each of them:

libcroco is not under development anymore. Its codebase has been archived.

Closing this report as WONTFIX as part of Bugzilla Housekeeping to reflect
reality. Please feel free to reopen this ticket (or rather transfer the project
to GNOME Gitlab, as GNOME Bugzilla is being shut down) if anyone takes the
responsibility for active development again.
Comment 7 Mart Raudsepp gentoo-dev 2020-08-13 19:04:32 UTC
Nothing is going to happen here really. libcroco is dead and vulnerabilities will remain unless someone takes over maintenance (I don't know why anyone would). This means that librsvg-2.40 - the last non-rust version - will remain security vulnerable (it probably is directly too, but indirectly via libcroco at least too), and architectures without rust will not be able to solve that.

However various architectures are rust-capable, but not supported in Gentoo.

And then there's also older gnome-shell and cinnamon and apparently something called dev-libs/eekboard.

Newer gnome-shell bundles libcroco code, hopefully using only a subset and in a more controlled environment.
Comment 8 Ian Zimmerman 2020-08-14 03:10:08 UTC
Hi @leio, can you please explain for the non-gnome-woke here how the rust based versions of rsvg avoid the vulnerability? They still depend on libcroco as far as I can see.
Comment 9 Mart Raudsepp gentoo-dev 2020-08-14 05:59:33 UTC
librsvg-2.48.8 does not depend on libcroco, but uses maintained rust crates that new rust Firefox stuff is using or going to be using for the same purpose (statically linked into
Comment 10 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-08-25 15:27:19 UTC
(In reply to Sam James from comment #2)
> Patch:

This patch was good enough for openSUSE, so I suggest applying with and call it a day.

I'll do it and see if tests pass.
Comment 11 Hans de Graaff gentoo-dev Security 2023-10-20 09:46:21 UTC
I've updated the status to cleanup but I realize that we can't actually do that unless we want to pull gnome from wd40 arches (currently hppa/ia64/s390/alpha/mips, based on librsvg).

My suggestion would be to drop the arm/ppc/sparc/x86 keywords on librsvg-2.40.21 at least (since all these have a stable newer non-libcroco version).

Perhaps some of the wd40 arches can be dropped as well, but a lot of stuff depends on librsvg so I'm not sure how feasible that is.