Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Thu, 13 Aug 2020 10:57:34 -0700
From: Alan Coopersmith <alan.coopersmith@...cle.com>
To: "qflb.wu" <qflb.wu@...ppsecurity.com.cn>
Cc: oss-security@...ts.openwall.com
Subject: Re: Re: [FD] libcroco multiple vulnerabilities

Upstream closed these bugs as WONTFIX today since they have ended
maintenance of the standalone libcroco, as discussed in the comments on
https://gitlab.gnome.org/Archive/libcroco/-/issues/8
(which is a different security fix, for CVE-2020-12825).

	-Alan Coopersmith-               alan.coopersmith@...cle.com
	 Oracle Solaris Engineering - https://blogs.oracle.com/alanc

On 6/8/17 10:00 AM, Alan Coopersmith wrote:
> These appear to be reported to the maintainers as:
> 
> https://bugzilla.gnome.org/show_bug.cgi?id=782647
> https://bugzilla.gnome.org/show_bug.cgi?id=782649
> 
> Please include info about the upstream bugs when possible as it helps others
> track when fixes are available.
> 
>      -Alan Coopersmith-               alan.coopersmith@...cle.com
>       Oracle Solaris Engineering - https://blogs.oracle.com/alanc
> 
> On 06/ 6/17 08:35 PM, qflb.wu wrote:
>> libcroco multiple vulnerabilities
>> ================
>> Author : qflb.wu
>> ===============
>>
>>
>> Introduction:
>> =============
>> Libcroco is a standalone css2 parsing and manipulation library.
>> The parser provides a low level event driven SAC like api and a css object 
>> model like api.
>> Libcroco provides a CSS2 selection engine and an experimental xml/css 
>> rendering engine.
>>
>>
>> Affected version:
>> =====
>> 0.6.12
>>
>>
>> Vulnerability Description:
>> ==========================
>> 1.
>> the cr_tknzr_parse_comment function in cr-tknzr.c in libcroco 0.6.12 can cause 
>> a denial of service (memory allocation error) via a crafted CSS file.
>>
>>
>> ./csslint-0.6 --dump-location libcroco_0_6_12_memory_allocation_error.css
>>
>>
>> ==21841==ERROR: AddressSanitizer failed to allocate 0x20002000 (536879104) 
>> bytes of LargeMmapAllocator: 12
>> ...
>> ==21841==AddressSanitizer CHECK failed: 
>> /build/buildd/llvm-toolchain-3.4-3.4/projects/compiler-rt/lib/sanitizer_common/sanitizer_posix.cc:68 
>> "(("unable to mmap" && 0)) != (0)" (0x0, 0x0)
>>      ...
>>      #10 0x7fd78c2fcb4d in cr_tknzr_parse_comment 
>> /home/a/Downloads/libcroco-0.6.12/src/cr-tknzr.c:462
>>      #11 0x7fd78c2fcb4d in cr_tknzr_get_next_token 
>> /home/a/Downloads/libcroco-0.6.12/src/cr-tknzr.c:2218
>>      #12 0x7fd78c356f6e in cr_parser_try_to_skip_spaces_and_comments 
>> /home/a/Downloads/libcroco-0.6.12/src/cr-parser.c:634
>>      #13 0x7fd78c368a43 in cr_parser_parse_stylesheet 
>> /home/a/Downloads/libcroco-0.6.12/src/cr-parser.c:2538
>>      #14 0x7fd78c368a43 in cr_parser_parse 
>> /home/a/Downloads/libcroco-0.6.12/src/cr-parser.c:4381
>>      #15 0x480a8e in sac_parse_and_display_locations 
>> /home/a/Downloads/libcroco-0.6.12/csslint/csslint.c:960
>>      #16 0x480a8e in main 
>> /home/a/Downloads/libcroco-0.6.12/csslint/csslint.c:1001
>>      #17 0x7fd78b397f44 (/lib/x86_64-linux-gnu/libc.so.6+0x21f44)
>>      #18 0x47c95c in _start 
>> (/home/a/Downloads/libcroco-0.6.12/csslint/.libs/lt-csslint-0.6+0x47c95c)
>>
>>
>>      Reproducer:
>>      libcroco_0_6_12_memory_allocation_error.css
>>      CVE:
>>      CVE-2017-8834
>>
>>
>> 2.
>> The cr_parser_parse_selector_core function in cr-parser.c in libcroco 0.6.12 
>> can cause a denial of service(infinite loop and CPU consumption) via a crafted 
>> CSS file.
>>
>>
>> ./csslint-0.6 --dump-location libcroco_0_6_12_infinite_loop.css
>>
>>
>> Reproducer:
>> libcroco_0_6_12_infinite_loop.css
>> CVE:
>> CVE-2017-8871
>>
>>
>> ===============================
>>
>>
>> qflb.wu () dbappsecurity com cn
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>> _______________________________________________
>> Sent through the Full Disclosure mailing list
>> https://nmap.org/mailman/listinfo/fulldisclosure
>> Web Archives & RSS: http://seclists.org/fulldisclosure/
>>
> 
> 
> 

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.