Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Date: Thu, 8 Jun 2017 10:00:57 -0700
From: Alan Coopersmith <alan.coopersmith@...cle.com>
To: "qflb.wu" <qflb.wu@...ppsecurity.com.cn>, fulldisclosure@...lists.org
Cc: oss-security@...ts.openwall.com
Subject: Re: [FD] libcroco multiple vulnerabilities

These appear to be reported to the maintainers as:

https://bugzilla.gnome.org/show_bug.cgi?id=782647
https://bugzilla.gnome.org/show_bug.cgi?id=782649

Please include info about the upstream bugs when possible as it helps others
track when fixes are available.

	-Alan Coopersmith-               alan.coopersmith@...cle.com
	 Oracle Solaris Engineering - https://blogs.oracle.com/alanc

On 06/ 6/17 08:35 PM, qflb.wu wrote:
> libcroco multiple vulnerabilities
> ================
> Author : qflb.wu
> ===============
> 
> 
> Introduction:
> =============
> Libcroco is a standalone css2 parsing and manipulation library.
> The parser provides a low level event driven SAC like api and a css object model like api.
> Libcroco provides a CSS2 selection engine and an experimental xml/css rendering engine.
> 
> 
> Affected version:
> =====
> 0.6.12
> 
> 
> Vulnerability Description:
> ==========================
> 1.
> the cr_tknzr_parse_comment function in cr-tknzr.c in libcroco 0.6.12 can cause a denial of service (memory allocation error) via a crafted CSS file.
> 
> 
> ./csslint-0.6 --dump-location libcroco_0_6_12_memory_allocation_error.css
> 
> 
> ==21841==ERROR: AddressSanitizer failed to allocate 0x20002000 (536879104) bytes of LargeMmapAllocator: 12
> ...
> ==21841==AddressSanitizer CHECK failed: /build/buildd/llvm-toolchain-3.4-3.4/projects/compiler-rt/lib/sanitizer_common/sanitizer_posix.cc:68 "(("unable to mmap" && 0)) != (0)" (0x0, 0x0)
>      ...
>      #10 0x7fd78c2fcb4d in cr_tknzr_parse_comment /home/a/Downloads/libcroco-0.6.12/src/cr-tknzr.c:462
>      #11 0x7fd78c2fcb4d in cr_tknzr_get_next_token /home/a/Downloads/libcroco-0.6.12/src/cr-tknzr.c:2218
>      #12 0x7fd78c356f6e in cr_parser_try_to_skip_spaces_and_comments /home/a/Downloads/libcroco-0.6.12/src/cr-parser.c:634
>      #13 0x7fd78c368a43 in cr_parser_parse_stylesheet /home/a/Downloads/libcroco-0.6.12/src/cr-parser.c:2538
>      #14 0x7fd78c368a43 in cr_parser_parse /home/a/Downloads/libcroco-0.6.12/src/cr-parser.c:4381
>      #15 0x480a8e in sac_parse_and_display_locations /home/a/Downloads/libcroco-0.6.12/csslint/csslint.c:960
>      #16 0x480a8e in main /home/a/Downloads/libcroco-0.6.12/csslint/csslint.c:1001
>      #17 0x7fd78b397f44 (/lib/x86_64-linux-gnu/libc.so.6+0x21f44)
>      #18 0x47c95c in _start (/home/a/Downloads/libcroco-0.6.12/csslint/.libs/lt-csslint-0.6+0x47c95c)
> 
> 
>      Reproducer:
>      libcroco_0_6_12_memory_allocation_error.css
>      CVE:
>      CVE-2017-8834
> 
> 
> 2.
> The cr_parser_parse_selector_core function in cr-parser.c in libcroco 0.6.12 can cause a denial of service(infinite loop and CPU consumption) via a crafted CSS file.
> 
> 
> ./csslint-0.6 --dump-location libcroco_0_6_12_infinite_loop.css
> 
> 
> Reproducer:
> libcroco_0_6_12_infinite_loop.css
> CVE:
> CVE-2017-8871
> 
> 
> ===============================
> 
> 
> qflb.wu () dbappsecurity com cn
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 
> _______________________________________________
> Sent through the Full Disclosure mailing list
> https://nmap.org/mailman/listinfo/fulldisclosure
> Web Archives & RSS: http://seclists.org/fulldisclosure/
>

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.