As reported in the full-disclosure mailing list and then Cced to oss-security :
1. the cr_tknzr_parse_comment function in cr-tknzr.c in libcroco 0.6.12 can cause a denial of service (memory allocation error) via a crafted CSS file.
2. The cr_parser_parse_selector_core function in cr-parser.c in libcroco 0.6.12 can cause a denial of service(infinite loop and CPU consumption) via a crafted CSS file.
Thanks for the report.
Looked again, this isn't fixed upstream and it's just a proposed patch.
The upstream bugs have been WONTFIX'ed. A comment on each of them:
libcroco is not under development anymore. Its codebase has been archived.
Closing this report as WONTFIX as part of Bugzilla Housekeeping to reflect
reality. Please feel free to reopen this ticket (or rather transfer the project
to GNOME Gitlab, as GNOME Bugzilla is being shut down) if anyone takes the
responsibility for active development again.
Nothing is going to happen here really. libcroco is dead and vulnerabilities will remain unless someone takes over maintenance (I don't know why anyone would). This means that librsvg-2.40 - the last non-rust version - will remain security vulnerable (it probably is directly too, but indirectly via libcroco at least too), and architectures without rust will not be able to solve that.
However various architectures are rust-capable, but not supported in Gentoo.
And then there's also older gnome-shell and cinnamon and apparently something called dev-libs/eekboard.
Newer gnome-shell bundles libcroco code, hopefully using only a subset and in a more controlled environment.
Hi @leio, can you please explain for the non-gnome-woke here how the rust based versions of rsvg avoid the vulnerability? They still depend on libcroco as far as I can see.
librsvg-2.48.8 does not depend on libcroco, but uses maintained rust crates that new rust Firefox stuff is using or going to be using for the same purpose (statically linked into librsvg-2.so)
(In reply to Sam James from comment #2)
This patch was good enough for openSUSE, so I suggest applying with https://bugs.gentoo.org/722752#c1 and call it a day.
I'll do it and see if tests pass.
I've updated the status to cleanup but I realize that we can't actually do that unless we want to pull gnome from wd40 arches (currently hppa/ia64/s390/alpha/mips, based on librsvg).
My suggestion would be to drop the arm/ppc/sparc/x86 keywords on librsvg-2.40.21 at least (since all these have a stable newer non-libcroco version).
Perhaps some of the wd40 arches can be dropped as well, but a lot of stuff depends on librsvg so I'm not sure how feasible that is.