Bug 1034481 - (CVE-2017-7960) VUL-1: CVE-2017-7960: libcroco: heap overflow (input: check end of input before reading a byte)
(CVE-2017-7960)
VUL-1: CVE-2017-7960: libcroco: heap overflow (input: check end of input befo...
Status: NEW
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
unspecified
Other Other
: P4 - Low : Normal
: ---
Assigned To: Security Team bot
Security Team bot
https://smash.suse.de/issue/183738/
CVSSv3.1:SUSE:CVE-2017-7960:4.0:(AV:L...
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2017-04-17 18:26 UTC by Mikhail Kasimov
Modified: 2020-09-16 11:02 UTC (History)
3 users (show)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Mikhail Kasimov 2017-04-17 18:26:58 UTC
Ref: https://blogs.gentoo.org/ago/2017/04/17/libcroco-heap-overflow-and-undefined-behavior/
=============================================================
The complete ASan output:

# csslint-0.6 $FILE
==9246==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60400000007a at pc 0x7f3771a05074 bp 0x7fff426076a0 sp 0x7fff42607698                                                                          
READ of size 1 at 0x60400000007a thread T0                                                                                                                                                                        
    #0 0x7f3771a05073 in cr_input_read_byte /tmp/portage/dev-libs/libcroco-0.6.12/work/libcroco-0.6.12/src/cr-input.c:416:19                                                                                      
    #1 0x7f3771a3c0ba in cr_tknzr_parse_rgb /tmp/portage/dev-libs/libcroco-0.6.12/work/libcroco-0.6.12/src/cr-tknzr.c:1295:17                                                                                     
    #2 0x7f3771a3c0ba in cr_tknzr_get_next_token /tmp/portage/dev-libs/libcroco-0.6.12/work/libcroco-0.6.12/src/cr-tknzr.c:2127                                                                                   
    #3 0x7f3771ab6688 in cr_parser_parse_any_core /tmp/portage/dev-libs/libcroco-0.6.12/work/libcroco-0.6.12/src/cr-parser.c:1179:18                                                                              
    #4 0x7f3771ab6c1e in cr_parser_parse_any_core /tmp/portage/dev-libs/libcroco-0.6.12/work/libcroco-0.6.12/src/cr-parser.c:1215:34                                                                              
    #5 0x7f3771ab6c1e in cr_parser_parse_any_core /tmp/portage/dev-libs/libcroco-0.6.12/work/libcroco-0.6.12/src/cr-parser.c:1215:34                                                                              
    #6 0x7f3771ab6c1e in cr_parser_parse_any_core /tmp/portage/dev-libs/libcroco-0.6.12/work/libcroco-0.6.12/src/cr-parser.c:1215:34                                                                              
    #7 0x7f3771ab9579 in cr_parser_parse_block_core /tmp/portage/dev-libs/libcroco-0.6.12/work/libcroco-0.6.12/src/cr-parser.c:1005:26                                                                            
    #8 0x7f3771a8882a in cr_parser_parse_atrule_core /tmp/portage/dev-libs/libcroco-0.6.12/work/libcroco-0.6.12/src/cr-parser.c:798:26                                                                            
    #9 0x7f3771ab0644 in cr_parser_parse_stylesheet /tmp/portage/dev-libs/libcroco-0.6.12/work/libcroco-0.6.12/src/cr-parser.c                                                                                    
    #10 0x7f3771a8131e in cr_parser_parse /tmp/portage/dev-libs/libcroco-0.6.12/work/libcroco-0.6.12/src/cr-parser.c:4381:26                                                                                      
    #11 0x7f3771a804f1 in cr_parser_parse_file /tmp/portage/dev-libs/libcroco-0.6.12/work/libcroco-0.6.12/src/cr-parser.c:2993:18                                                                                 
    #12 0x7f3771b04869 in cr_om_parser_parse_file /tmp/portage/dev-libs/libcroco-0.6.12/work/libcroco-0.6.12/src/cr-om-parser.c:956:18                                                                            
    #13 0x51506f in cssom_parse /tmp/portage/dev-libs/libcroco-0.6.12/work/libcroco-0.6.12/csslint/csslint.c:252:18                                                                                               
    #14 0x51506f in main /tmp/portage/dev-libs/libcroco-0.6.12/work/libcroco-0.6.12/csslint/csslint.c:997                                                                                                         
    #15 0x7f377041b78f in __libc_start_main /tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/csu/../csu/libc-start.c:289                                                                                       
    #16 0x41a9b8 in _init (/usr/bin/csslint-0.6+0x41a9b8)

0x60400000007a is located 0 bytes to the right of 42-byte region 
[0x604000000050,0x60400000007a)
allocated by thread T0 here:
    #0 0x4da285 in calloc /tmp/portage/sys-libs/compiler-rt-sanitizers-4.0.0/work/compiler-rt-4.0.0.src/lib/asan/asan_malloc_linux.cc:74
    #1 0x7f377168a1a0 in g_malloc0 /tmp/portage/dev-libs/glib-2.48.2/work/glib-2.48.2/glib/gmem.c:124
    #2 0x7f3771a00c4d in cr_input_new_from_buf /tmp/portage/dev-libs/libcroco-0.6.12/work/libcroco-0.6.12/src/cr-input.c:151:26
    #3 0x7f3771a027d6 in cr_input_new_from_uri /tmp/portage/dev-libs/libcroco-0.6.12/work/libcroco-0.6.12/src/cr-input.c:251:26
    #4 0x7f3771a22797 in cr_tknzr_new_from_uri /tmp/portage/dev-libs/libcroco-0.6.12/work/libcroco-0.6.12/src/cr-tknzr.c:1642:17
    #5 0x7f3771a8047c in cr_parser_parse_file /tmp/portage/dev-libs/libcroco-0.6.12/work/libcroco-0.6.12/src/cr-parser.c:2986:17
    #6 0x7f3771b04869 in cr_om_parser_parse_file /tmp/portage/dev-libs/libcroco-0.6.12/work/libcroco-0.6.12/src/cr-om-parser.c:956:18
    #7 0x51506f in cssom_parse /tmp/portage/dev-libs/libcroco-0.6.12/work/libcroco-0.6.12/csslint/csslint.c:252:18
    #8 0x51506f in main /tmp/portage/dev-libs/libcroco-0.6.12/work/libcroco-0.6.12/csslint/csslint.c:997
    #9 0x7f377041b78f in __libc_start_main /tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/csu/../csu/libc-start.c:289

SUMMARY: AddressSanitizer: heap-buffer-overflow /tmp/portage/dev-libs/libcroco-0.6.12/work/libcroco-0.6.12/src/cr-input.c:416:19 in cr_input_read_byte
Shadow bytes around the buggy address:
  0x0c087fff7fb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c087fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c087fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c087fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c087fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c087fff8000: fa fa 00 00 00 00 00 fa fa fa 00 00 00 00 00[02]
  0x0c087fff8010: fa fa 00 00 00 00 00 00 fa fa fa fa fa fa fa fa
  0x0c087fff8020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==9246==ABORTING

Commit fix:
https://git.gnome.org/browse/libcroco/commit/?id=898e3a8c8c0314d2e6b106809a8e3e93cf9d4394

Reproducer:
https://github.com/asarubbo/poc/blob/master/00267-libcroco-heapoverflow-cr_input_read_byte

CVE: N/A
=============================================================

(open-)SUSE:

https://software.opensuse.org/package/libcroco

0.6.5 (TW, official repo)
0.6.11 (42.2, official repo)
0.6.8 (42.1, official repo)
Comment 1 Mikhail Kasimov 2017-04-17 18:30:57 UTC
=========================
Affected version:
0.6.11 and 0.6.12

Fixed version:
0.6.13 (not released atm)
=========================
Comment 2 Mikhail Kasimov 2017-04-19 19:27:57 UTC
CVE-2017-7960 's been assigned: https://nvd.nist.gov/vuln/detail/CVE-2017-7960
Comment 3 Swamp Workflow Management 2019-05-03 20:50:06 UTC
This is an autogenerated message for OBS integration:
This bug (1034481) was mentioned in
https://build.opensuse.org/request/show/700495 Factory / libcroco
Comment 5 Swamp Workflow Management 2019-05-23 11:25:43 UTC
An update workflow for this issue was started.
This issue was rated as low.
Please submit fixed packages until 2019-06-20.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/64288
Comment 6 Swamp Workflow Management 2019-06-12 13:10:51 UTC
SUSE-SU-2019:1468-1: An update that fixes four vulnerabilities is now available.

Category: security (moderate)
Bug References: 1034481,1034482,1043898,1043899
CVE References: CVE-2017-7960,CVE-2017-7961,CVE-2017-8834,CVE-2017-8871
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP4 (src):    libcroco-0.6.11-12.3.1
SUSE Linux Enterprise Software Development Kit 12-SP3 (src):    libcroco-0.6.11-12.3.1
SUSE Linux Enterprise Server 12-SP4 (src):    libcroco-0.6.11-12.3.1
SUSE Linux Enterprise Server 12-SP3 (src):    libcroco-0.6.11-12.3.1
SUSE Linux Enterprise Desktop 12-SP4 (src):    libcroco-0.6.11-12.3.1
SUSE Linux Enterprise Desktop 12-SP3 (src):    libcroco-0.6.11-12.3.1
SUSE CaaS Platform ALL (src):    libcroco-0.6.11-12.3.1
SUSE CaaS Platform 3.0 (src):    libcroco-0.6.11-12.3.1
OpenStack Cloud Magnum Orchestration 7 (src):    libcroco-0.6.11-12.3.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 7 Swamp Workflow Management 2019-06-18 16:40:34 UTC
openSUSE-SU-2019:1575-1: An update that fixes four vulnerabilities is now available.

Category: security (moderate)
Bug References: 1034481,1034482,1043898,1043899
CVE References: CVE-2017-7960,CVE-2017-7961,CVE-2017-8834,CVE-2017-8871
Sources used:
openSUSE Leap 42.3 (src):    libcroco-0.6.11-5.3.1