openSUSE-SU-2019:1575

https://blogs.gentoo.org/ago/2017/04/17/libcroco-heap-overflow-and-undefined-behavior/

https://git.gnome.org/browse/libcroco/commit/?id=898e3a8c8c0314d2e6b106809a8e3e93cf9d4394

GLSA-201707-13

According to the versions of the libcroco package installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities :

  - ** DISPUTED ** The cr_tknzr_parse_rgb function in     cr-tknzr.c in libcroco 0.6.11 and 0.6.12 has an     'outside the range of representable values of type     long' undefined behavior issue, which might allow     remote attackers to cause a denial of service     (application crash) or possibly have unspecified other     impact via a crafted CSS file. NOTE: third-party     analysis reports 'This is not a security issue in my     view. The conversion surely is truncating the double     into a long value, but there is no impact as the value     is one of the RGB components.'(CVE-2017-7961)

  - The cr_input_new_from_uri function in cr-input.c in     libcroco 0.6.11 and 0.6.12 allows remote attackers to     cause a denial of service (heap-based buffer over-read)     via a crafted CSS file.(CVE-2017-7960)

  - The cr_parser_parse_selector_core function in     cr-parser.c in libcroco 0.6.12 allows remote attackers     to cause a denial of service (infinite loop and CPU     consumption) via a crafted CSS file.(CVE-2017-8871)

  - The cr_tknzr_parse_comment function in cr-tknzr.c in     libcroco 0.6.12 allows remote attackers to cause a     denial of service (memory allocation error) via a     crafted CSS file.(CVE-2017-8834)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the libcroco package installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerabilities :

  - ** DISPUTED ** The cr_tknzr_parse_rgb function in     cr-tknzr.c in libcroco 0.6.11 and 0.6.12 has an     'outside the range of representable values of type     long' undefined behavior issue, which might allow     remote attackers to cause a denial of service     (application crash) or possibly have unspecified other     impact via a crafted CSS file. NOTE: third-party     analysis reports 'This is not a security issue in my     view. The conversion surely is truncating the double     into a long value, but there is no impact as the value     is one of the RGB components.'(CVE-2017-7961)

  - The cr_input_new_from_uri function in cr-input.c in     libcroco 0.6.11 and 0.6.12 allows remote attackers to     cause a denial of service (heap-based buffer over-read)     via a crafted CSS file.(CVE-2017-7960)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the libcroco package installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - This package provides the necessary development     libraries and include files to allow you to develop     with libcroco.Security Fix(es):The     cr_input_new_from_uri function in cr-input.c in     libcroco 0.6.11 and 0.6.12 allows remote attackers to     cause a denial of service (heap-based buffer over-read)     via a crafted CSS file.(CVE-2017-7960)** DISPUTED **     The cr_tknzr_parse_rgb function in cr-tknzr.c in     libcroco 0.6.11 and 0.6.12 has an 'outside the range of     representable values of type long' undefined behavior     issue, which might allow remote attackers to cause a     denial of service (application crash) or possibly have     unspecified other impact via a crafted CSS file. NOTE:
    third-party analysis reports 'This is not a security     issue in my view. The conversion surely is truncating     the double into a long value, but there is no impact as     the value is one of the RGB     components.'(CVE-2017-7961)The cr_tknzr_parse_comment     function in cr-tknzr.c in libcroco 0.6.12 allows remote     attackers to cause a denial of service (memory     allocation error) via a crafted CSS     file.(CVE-2017-8834)The cr_parser_parse_selector_core     function in cr-parser.c in libcroco 0.6.12 allows     remote attackers to cause a denial of service (infinite     loop and CPU consumption) via a crafted CSS     file.(CVE-2017-8871)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the libcroco package installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - The cr_tknzr_parse_comment function in cr-tknzr.c in     libcroco 0.6.12 allows remote attackers to cause a     denial of service (memory allocation error) via a     crafted CSS file.(CVE-2017-8834)

  - The cr_parser_parse_selector_core function in     cr-parser.c in libcroco 0.6.12 allows remote attackers     to cause a denial of service (infinite loop and CPU     consumption) via a crafted CSS file.(CVE-2017-8871)

  - The cr_input_new_from_uri function in cr-input.c in     libcroco 0.6.11 and 0.6.12 allows remote attackers to     cause a denial of service (heap-based buffer over-read)     via a crafted CSS file.(CVE-2017-7960)

  - ** DISPUTED ** The cr_tknzr_parse_rgb function in     cr-tknzr.c in libcroco 0.6.11 and 0.6.12 has an     'outside the range of representable values of type     long' undefined behavior issue, which might allow     remote attackers to cause a denial of service     (application crash) or possibly have unspecified other     impact via a crafted CSS file. NOTE: third-party     analysis reports 'This is not a security issue in my     view. The conversion surely is truncating the double     into a long value, but there is no impact as the value     is one of the RGB components.'(CVE-2017-7961)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the libcroco package installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - The cr_input_new_from_uri function in cr-input.c in     libcroco 0.6.11 and 0.6.12 allows remote attackers to     cause a denial of service (heap-based buffer over-read)     via a crafted CSS file.(CVE-2017-7960)

  - The cr_tknzr_parse_rgb function in cr-tknzr.c in     libcroco 0.6.11 and 0.6.12 has an 'outside the range of     representable values of type long' undefined behavior     issue, which might allow remote attackers to cause a     denial of service (application crash) or possibly have     unspecified other impact via a crafted CSS file. NOTE:
    third-party analysis reports 'This is not a security     issue in my view. The conversion surely is truncating     the double into a long value, but there is no impact as     the value is one of the RGB components.'(CVE-2017-7961)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for libcroco fixes the following issues :

Security issues fixed :

  - CVE-2017-7960: Fixed heap overflow (input: check end of     input before reading a byte) (bsc#1034481). 

  - CVE-2017-7961: Fixed undefined behavior (tknzr: support     only max long rgb values) (bsc#1034482). 

  - CVE-2017-8834: Fixed denial of service (memory     allocation error) via a crafted CSS file (bsc#1043898).

  - CVE-2017-8871: Fixed denial of service (infinite loop     and CPU consumption) via a crafted CSS file     (bsc#1043899).

This update was imported from the SUSE:SLE-12-SP2:Update update project.

This update for libcroco fixes the following issues :

Security issues fixed :

CVE-2017-7960: Fixed heap overflow (input: check end of input before reading a byte) (bsc#1034481).

CVE-2017-7961: Fixed undefined behavior (tknzr: support only max long rgb values) (bsc#1034482).

CVE-2017-8834: Fixed denial of service (memory allocation error) via a crafted CSS file (bsc#1043898).

CVE-2017-8871: Fixed denial of service (infinite loop and CPU consumption) via a crafted CSS file (bsc#1043899).

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote host is affected by the vulnerability described in GLSA-201707-13 (libcroco: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in libcroco. Please review       the CVE identifiers referenced below for details.
  Impact :

    A remote attacker could entice a user to open a specially crafted CSS       file possibly resulting in a Denial of Service condition or other       unspecified impacts.
  Workaround :

    There is no known workaround at this time.

CVE-2017-7960

A heap-based buffer over-read vulnerability could be triggered remotely via a crafted CSS file to cause a denial of service.

CVE-2017-7961

An 'outside the range of representable values of type long' undefined behavior issue was found in libcroco, which might allow remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted CSS file.

For Debian 7 'Wheezy', these problems have been fixed in version 0.6.6-2+deb7u1.

We recommend that you upgrade your libcroco packages.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ID	Name	Product	Family	Severity
135637	EulerOS Virtualization 3.0.2.2 : libcroco (EulerOS-SA-2020-1475)	Nessus	Huawei Local Security Checks	high
134540	EulerOS Virtualization for ARM 64 3.0.2.0 : libcroco (EulerOS-SA-2020-1251)	Nessus	Huawei Local Security Checks	high
132140	EulerOS 2.0 SP3 : libcroco (EulerOS-SA-2019-2605)	Nessus	Huawei Local Security Checks	high
131673	EulerOS 2.0 SP2 : libcroco (EulerOS-SA-2019-2520)	Nessus	Huawei Local Security Checks	high
130665	EulerOS 2.0 SP5 : libcroco (EulerOS-SA-2019-2203)	Nessus	Huawei Local Security Checks	high
126036	openSUSE Security Update : libcroco (openSUSE-2019-1575)	Nessus	SuSE Local Security Checks	high
125873	SUSE SLED12 / SLES12 Security Update : libcroco (SUSE-SU-2019:1468-1)	Nessus	SuSE Local Security Checks	high
101344	GLSA-201707-13 : libcroco: Multiple vulnerabilities	Nessus	Gentoo Local Security Checks	high
99603	Debian DLA-909-1 : libcroco security update	Nessus	Debian Local Security Checks	high

CVE-2017-7960

medium

New! CVE Severity Now Using CVSS v3

Description

References

Details

Risk Information

CVSS v2

CVSS v3

Vulnerable Software

Configuration 1

Tenable Plugins

high

high

high

high

high

high

high

high

high