[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [FD] libcroco multiple vulnerabilities

To: "qflb.wu" <qflb.wu@xxxxxxxxxxxxxxxxxxxx>, fulldisclosure@xxxxxxxxxxxx
Subject: Re: [FD] libcroco multiple vulnerabilities
From: Alan Coopersmith <alan.coopersmith@xxxxxxxxxx>
Date: Thu, 8 Jun 2017 10:00:57 -0700

These appear to be reported to the maintainers as:

https://bugzilla.gnome.org/show_bug.cgi?id=782647
https://bugzilla.gnome.org/show_bug.cgi?id=782649

Please include info about the upstream bugs when possible as it helps others
track when fixes are available.

        -Alan Coopersmith-               alan.coopersmith@xxxxxxxxxx
         Oracle Solaris Engineering - https://blogs.oracle.com/alanc

On 06/ 6/17 08:35 PM, qflb.wu wrote:

libcroco multiple vulnerabilities
================
Author : qflb.wu
===============


Introduction:
=============
Libcroco is a standalone css2 parsing and manipulation library.
The parser provides a low level event driven SAC like api and a css object 
model like api.
Libcroco provides a CSS2 selection engine and an experimental xml/css rendering 
engine.


Affected version:
=====
0.6.12


Vulnerability Description:
==========================
1.
the cr_tknzr_parse_comment function in cr-tknzr.c in libcroco 0.6.12 can cause 
a denial of service (memory allocation error) via a crafted CSS file.


./csslint-0.6 --dump-location libcroco_0_6_12_memory_allocation_error.css


==21841==ERROR: AddressSanitizer failed to allocate 0x20002000 (536879104) 
bytes of LargeMmapAllocator: 12
...
==21841==AddressSanitizer CHECK failed: 
/build/buildd/llvm-toolchain-3.4-3.4/projects/compiler-rt/lib/sanitizer_common/sanitizer_posix.cc:68 
"(("unable to mmap" && 0)) != (0)" (0x0, 0x0)
     ...
     #10 0x7fd78c2fcb4d in cr_tknzr_parse_comment 
/home/a/Downloads/libcroco-0.6.12/src/cr-tknzr.c:462
     #11 0x7fd78c2fcb4d in cr_tknzr_get_next_token 
/home/a/Downloads/libcroco-0.6.12/src/cr-tknzr.c:2218
     #12 0x7fd78c356f6e in cr_parser_try_to_skip_spaces_and_comments 
/home/a/Downloads/libcroco-0.6.12/src/cr-parser.c:634
     #13 0x7fd78c368a43 in cr_parser_parse_stylesheet 
/home/a/Downloads/libcroco-0.6.12/src/cr-parser.c:2538
     #14 0x7fd78c368a43 in cr_parser_parse 
/home/a/Downloads/libcroco-0.6.12/src/cr-parser.c:4381
     #15 0x480a8e in sac_parse_and_display_locations 
/home/a/Downloads/libcroco-0.6.12/csslint/csslint.c:960
     #16 0x480a8e in main 
/home/a/Downloads/libcroco-0.6.12/csslint/csslint.c:1001
     #17 0x7fd78b397f44 (/lib/x86_64-linux-gnu/libc.so.6+0x21f44)
     #18 0x47c95c in _start 
(/home/a/Downloads/libcroco-0.6.12/csslint/.libs/lt-csslint-0.6+0x47c95c)


     Reproducer:
     libcroco_0_6_12_memory_allocation_error.css
     CVE:
     CVE-2017-8834


2.
The cr_parser_parse_selector_core function in cr-parser.c in libcroco 0.6.12 
can cause a denial of service(infinite loop and CPU consumption) via a crafted 
CSS file.


./csslint-0.6 --dump-location libcroco_0_6_12_infinite_loop.css


Reproducer:
libcroco_0_6_12_infinite_loop.css
CVE:
CVE-2017-8871


===============================


qflb.wu () dbappsecurity com cn










_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/




_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

References:
- [FD] libcroco multiple vulnerabilities
  - From: qflb.wu

Prev by Date: Re: [FD] libquicktime multiple vulnerabilities
Next by Date: [FD] Evolution Script CMS v5.3 - Cross Site Scripting Vulnerability
Previous by thread: [FD] libcroco multiple vulnerabilities
Next by thread: [FD] libquicktime multiple vulnerabilities
Index(es):
- Date
- Thread