Bug 621258 (CVE-2017-8834, CVE-2017-8871) - dev-libs/libcroco: multiple vulnerabilities (CVE-2017-{8834,8871})
Summary: dev-libs/libcroco: multiple vulnerabilities (CVE-2017-{8834,8871})
Status: IN_PROGRESS
Alias: CVE-2017-8834, CVE-2017-8871
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: http://openwall.com/lists/oss-securit...
Whiteboard: A3 [upstream/ebuild cve]
Keywords:
Depends on: 722752
Blocks:
Reported: 2017-06-08 22:24 UTC by Ian Zimmerman
Modified: 2021-01-25 18:49 UTC
CC: 2 users

See Also:
Package list:
Runtime testing required: ---

Description Ian Zimmerman 2017-06-08 22:24:04 UTC
As reported on the full-disclosure mailing list and then CC'd to oss-security [0]:

1. The cr_tknzr_parse_comment function in cr-tknzr.c in libcroco 0.6.12 can cause a denial of service (memory allocation error) via a crafted CSS file.

Upstream: [1]

2. The cr_parser_parse_selector_core function in cr-parser.c in libcroco 0.6.12 can cause a denial of service (infinite loop and CPU consumption) via a crafted CSS file.

Upstream: [2]

[0] http://openwall.com/lists/oss-security/2017/06/08/2
[1] https://bugzilla.gnome.org/show_bug.cgi?id=782647
[2] https://bugzilla.gnome.org/show_bug.cgi?id=782649
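Both issues in the description are resource-exhaustion denials of service (an unbounded allocation and an infinite loop) triggered by untrusted CSS. As an added example that is not part of this bug report or of libcroco itself, the Python wrapper below runs a CSS parser as a child process under CPU-time and address-space limits and classifies how it ended, so a stuck or memory-hungry parse is contained instead of taking the host down; the `csslint-0.6` invocation at the bottom assumes libcroco's command-line tool is installed and accepts a file path, and `run_guarded` itself works with any parser command.

```python
import resource
import signal
import subprocess
import sys
from dataclasses import dataclass
from typing import Optional


@dataclass
class GuardedResult:
    outcome: str            # "ok", "timeout", "killed" or "error"
    returncode: Optional[int]  # None when the wall-clock timeout fired
    stderr: str


def _apply_limits(cpu_seconds: int, mem_bytes: int) -> None:
    # Runs in the child right before exec. RLIMIT_CPU turns a parser stuck in
    # an infinite loop into a SIGXCPU kill; RLIMIT_AS makes an unbounded
    # allocation fail instead of exhausting the host. The hard CPU limit sits
    # one second above the soft one so the kernel sends SIGXCPU before SIGKILL.
    resource.setrlimit(resource.RLIMIT_CPU, (cpu_seconds, cpu_seconds + 1))
    resource.setrlimit(resource.RLIMIT_AS, (mem_bytes, mem_bytes))


def run_guarded(argv, cpu_seconds=2, mem_bytes=512 * 1024 * 1024, wall_seconds=None):
    """Run a parser over untrusted input under CPU and memory caps."""
    wall = wall_seconds if wall_seconds is not None else cpu_seconds * 5
    try:
        proc = subprocess.run(argv, capture_output=True, text=True, timeout=wall,
                              preexec_fn=lambda: _apply_limits(cpu_seconds, mem_bytes))
    except subprocess.TimeoutExpired:
        # Wall clock ran out before the CPU cap hit (e.g. a blocked parser).
        return GuardedResult("timeout", None, "")
    rc = proc.returncode
    if rc == 0:
        return GuardedResult("ok", rc, proc.stderr)
    if rc == -signal.SIGXCPU:        # infinite loop: CPU-time cap enforced
        return GuardedResult("timeout", rc, proc.stderr)
    if rc < 0:                       # any other signal: crash, abort on failed malloc
        return GuardedResult("killed", rc, proc.stderr)
    return GuardedResult("error", rc, proc.stderr)  # parser reported failure


if __name__ == "__main__":
    # Assumed usage: libcroco's csslint-0.6 tool invoked on the file given as argv[1].
    result = run_guarded(["csslint-0.6", sys.argv[1]])
    print(result.outcome, result.returncode)
```

RLIMIT_AS caps virtual address space, so the limit must leave room for the parser's own mappings and shared libraries; a cap that is too tight makes even a benign parse fail with "error".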
Comment 1 Thomas Deutschmann gentoo-dev Security 2017-06-08 22:50:30 UTC
Thanks for the report.
Comment 3 John Helmert III gentoo-dev Security 2020-06-19 01:51:09 UTC
Maintainer(s): Ping.
Comment 4 Sam James archtester gentoo-dev Security 2020-07-18 20:59:15 UTC
ping
Comment 5 Sam James archtester gentoo-dev Security 2020-07-19 12:16:47 UTC
Looked again, this isn't fixed upstream and it's just a proposed patch.
Comment 6 John Helmert III gentoo-dev Security 2020-08-13 18:22:37 UTC
The upstream bugs have been WONTFIX'ed. A comment on each of them:

libcroco is not under development anymore. Its codebase has been archived.

Closing this report as WONTFIX as part of Bugzilla Housekeeping to reflect
reality. Please feel free to reopen this ticket (or rather transfer the project
to GNOME Gitlab, as GNOME Bugzilla is being shut down) if anyone takes the
responsibility for active development again.
Comment 7 Mart Raudsepp gentoo-dev 2020-08-13 19:04:32 UTC
Nothing is going to happen here really. libcroco is dead and vulnerabilities will remain unless someone takes over maintenance (I don't know why anyone would). This means that librsvg-2.40 - the last non-rust version - will remain security vulnerable (it probably is directly too, but indirectly via libcroco at least too), and architectures without rust will not be able to solve that.

However various architectures are rust-capable, but not supported in Gentoo.

And then there's also older gnome-shell and cinnamon and apparently something called dev-libs/eekboard.

Newer gnome-shell bundles libcroco code, hopefully using only a subset and in a more controlled environment.
Comment 8 Ian Zimmerman 2020-08-14 03:10:08 UTC
Hi @leio, can you please explain for the non-gnome-woke here how the rust-based versions of rsvg avoid the vulnerability? They still depend on libcroco as far as I can see.
Comment 9 Mart Raudsepp gentoo-dev 2020-08-14 05:59:33 UTC
librsvg-2.48.8 does not depend on libcroco, but uses maintained rust crates that new rust Firefox stuff is using or going to be using for the same purpose (statically linked into librsvg-2.so).
Comment 10 Sam James archtester gentoo-dev Security 2020-08-25 15:27:19 UTC
(In reply to Sam James from comment #2)
> Patch:
> https://bug782647.bugzilla-attachments.gnome.org/attachment.cgi?id=374219

This patch was good enough for openSUSE, so I suggest applying it together with https://bugs.gentoo.org/722752#c1 and calling it a day.

I'll do it and see if tests pass.