Bugzilla – Bug 1034481
VUL-1: CVE-2017-7960: libcroco: heap overflow (input: check end of input before reading a byte)
Last modified: 2020-09-16 11:02:58 UTC
Ref: https://blogs.gentoo.org/ago/2017/04/17/libcroco-heap-overflow-and-undefined-behavior/ ============================================================= The complete ASan output: # csslint-0.6 $FILE ==9246==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60400000007a at pc 0x7f3771a05074 bp 0x7fff426076a0 sp 0x7fff42607698 READ of size 1 at 0x60400000007a thread T0 #0 0x7f3771a05073 in cr_input_read_byte /tmp/portage/dev-libs/libcroco-0.6.12/work/libcroco-0.6.12/src/cr-input.c:416:19 #1 0x7f3771a3c0ba in cr_tknzr_parse_rgb /tmp/portage/dev-libs/libcroco-0.6.12/work/libcroco-0.6.12/src/cr-tknzr.c:1295:17 #2 0x7f3771a3c0ba in cr_tknzr_get_next_token /tmp/portage/dev-libs/libcroco-0.6.12/work/libcroco-0.6.12/src/cr-tknzr.c:2127 #3 0x7f3771ab6688 in cr_parser_parse_any_core /tmp/portage/dev-libs/libcroco-0.6.12/work/libcroco-0.6.12/src/cr-parser.c:1179:18 #4 0x7f3771ab6c1e in cr_parser_parse_any_core /tmp/portage/dev-libs/libcroco-0.6.12/work/libcroco-0.6.12/src/cr-parser.c:1215:34 #5 0x7f3771ab6c1e in cr_parser_parse_any_core /tmp/portage/dev-libs/libcroco-0.6.12/work/libcroco-0.6.12/src/cr-parser.c:1215:34 #6 0x7f3771ab6c1e in cr_parser_parse_any_core /tmp/portage/dev-libs/libcroco-0.6.12/work/libcroco-0.6.12/src/cr-parser.c:1215:34 #7 0x7f3771ab9579 in cr_parser_parse_block_core /tmp/portage/dev-libs/libcroco-0.6.12/work/libcroco-0.6.12/src/cr-parser.c:1005:26 #8 0x7f3771a8882a in cr_parser_parse_atrule_core /tmp/portage/dev-libs/libcroco-0.6.12/work/libcroco-0.6.12/src/cr-parser.c:798:26 #9 0x7f3771ab0644 in cr_parser_parse_stylesheet /tmp/portage/dev-libs/libcroco-0.6.12/work/libcroco-0.6.12/src/cr-parser.c #10 0x7f3771a8131e in cr_parser_parse /tmp/portage/dev-libs/libcroco-0.6.12/work/libcroco-0.6.12/src/cr-parser.c:4381:26 #11 0x7f3771a804f1 in cr_parser_parse_file /tmp/portage/dev-libs/libcroco-0.6.12/work/libcroco-0.6.12/src/cr-parser.c:2993:18 #12 0x7f3771b04869 in cr_om_parser_parse_file /tmp/portage/dev-libs/libcroco-0.6.12/work/libcroco-0.6.12/src/cr-om-parser.c:956:18 #13 0x51506f in cssom_parse /tmp/portage/dev-libs/libcroco-0.6.12/work/libcroco-0.6.12/csslint/csslint.c:252:18 #14 0x51506f in main /tmp/portage/dev-libs/libcroco-0.6.12/work/libcroco-0.6.12/csslint/csslint.c:997 #15 0x7f377041b78f in __libc_start_main /tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/csu/../csu/libc-start.c:289 #16 0x41a9b8 in _init (/usr/bin/csslint-0.6+0x41a9b8) 0x60400000007a is located 0 bytes to the right of 42-byte region [0x604000000050,0x60400000007a) allocated by thread T0 here: #0 0x4da285 in calloc /tmp/portage/sys-libs/compiler-rt-sanitizers-4.0.0/work/compiler-rt-4.0.0.src/lib/asan/asan_malloc_linux.cc:74 #1 0x7f377168a1a0 in g_malloc0 /tmp/portage/dev-libs/glib-2.48.2/work/glib-2.48.2/glib/gmem.c:124 #2 0x7f3771a00c4d in cr_input_new_from_buf /tmp/portage/dev-libs/libcroco-0.6.12/work/libcroco-0.6.12/src/cr-input.c:151:26 #3 0x7f3771a027d6 in cr_input_new_from_uri /tmp/portage/dev-libs/libcroco-0.6.12/work/libcroco-0.6.12/src/cr-input.c:251:26 #4 0x7f3771a22797 in cr_tknzr_new_from_uri /tmp/portage/dev-libs/libcroco-0.6.12/work/libcroco-0.6.12/src/cr-tknzr.c:1642:17 #5 0x7f3771a8047c in cr_parser_parse_file /tmp/portage/dev-libs/libcroco-0.6.12/work/libcroco-0.6.12/src/cr-parser.c:2986:17 #6 0x7f3771b04869 in cr_om_parser_parse_file /tmp/portage/dev-libs/libcroco-0.6.12/work/libcroco-0.6.12/src/cr-om-parser.c:956:18 #7 0x51506f in cssom_parse /tmp/portage/dev-libs/libcroco-0.6.12/work/libcroco-0.6.12/csslint/csslint.c:252:18 #8 0x51506f in main /tmp/portage/dev-libs/libcroco-0.6.12/work/libcroco-0.6.12/csslint/csslint.c:997 #9 0x7f377041b78f in __libc_start_main /tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/csu/../csu/libc-start.c:289 SUMMARY: AddressSanitizer: heap-buffer-overflow /tmp/portage/dev-libs/libcroco-0.6.12/work/libcroco-0.6.12/src/cr-input.c:416:19 in cr_input_read_byte Shadow bytes around the buggy address: 0x0c087fff7fb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c087fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c087fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c087fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c087fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 =>0x0c087fff8000: fa fa 00 00 00 00 00 fa fa fa 00 00 00 00 00[02] 0x0c087fff8010: fa fa 00 00 00 00 00 00 fa fa fa fa fa fa fa fa 0x0c087fff8020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c087fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c087fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c087fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb ==9246==ABORTING Commit fix: https://git.gnome.org/browse/libcroco/commit/?id=898e3a8c8c0314d2e6b106809a8e3e93cf9d4394 Reproducer: https://github.com/asarubbo/poc/blob/master/00267-libcroco-heapoverflow-cr_input_read_byte CVE: N/A ============================================================= (open-)SUSE: https://software.opensuse.org/package/libcroco 0.6.5 (TW, official repo) 0.6.11 (42.2, official repo) 0.6.8 (42.1, official repo)
========================= Affected version: 0.6.11 and 0.6.12 Fixed version: 0.6.13 (not released atm) =========================
CVE-2017-7960 's been assigned: https://nvd.nist.gov/vuln/detail/CVE-2017-7960
This is an autogenerated message for OBS integration: This bug (1034481) was mentioned in https://build.opensuse.org/request/show/700495 Factory / libcroco
An update workflow for this issue was started. This issue was rated as low. Please submit fixed packages until 2019-06-20. When done, reassign the bug to security-team@suse.de. https://swamp.suse.de/webswamp/wf/64288
SUSE-SU-2019:1468-1: An update that fixes four vulnerabilities is now available. Category: security (moderate) Bug References: 1034481,1034482,1043898,1043899 CVE References: CVE-2017-7960,CVE-2017-7961,CVE-2017-8834,CVE-2017-8871 Sources used: SUSE Linux Enterprise Software Development Kit 12-SP4 (src): libcroco-0.6.11-12.3.1 SUSE Linux Enterprise Software Development Kit 12-SP3 (src): libcroco-0.6.11-12.3.1 SUSE Linux Enterprise Server 12-SP4 (src): libcroco-0.6.11-12.3.1 SUSE Linux Enterprise Server 12-SP3 (src): libcroco-0.6.11-12.3.1 SUSE Linux Enterprise Desktop 12-SP4 (src): libcroco-0.6.11-12.3.1 SUSE Linux Enterprise Desktop 12-SP3 (src): libcroco-0.6.11-12.3.1 SUSE CaaS Platform ALL (src): libcroco-0.6.11-12.3.1 SUSE CaaS Platform 3.0 (src): libcroco-0.6.11-12.3.1 OpenStack Cloud Magnum Orchestration 7 (src): libcroco-0.6.11-12.3.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
openSUSE-SU-2019:1575-1: An update that fixes four vulnerabilities is now available. Category: security (moderate) Bug References: 1034481,1034482,1043898,1043899 CVE References: CVE-2017-7960,CVE-2017-7961,CVE-2017-8834,CVE-2017-8871 Sources used: openSUSE Leap 42.3 (src): libcroco-0.6.11-5.3.1