These appear to be reported to the maintainers as: http://ift.tt/2racE0R http://ift.tt/2rFJ1bx Please include info about the upstream bugs when possible as it helps others track when fixes are available. -Alan Coopersmith- alan.coopersmith@oracle.com Oracle Solaris Engineering - http://ift.tt/2rakAzd On 06/ 6/17 08:35 PM, qflb.wu wrote: > libcroco multiple vulnerabilities > ================ > Author : qflb.wu > =============== > > > Introduction: > ============= > Libcroco is a standalone css2 parsing and manipulation library. > The parser provides a low level event driven SAC like api and a css object model like api. > Libcroco provides a CSS2 selection engine and an experimental xml/css rendering engine. > > > Affected version: > ===== > 0.6.12 > > > Vulnerability Description: > ========================== > 1. > the cr_tknzr_parse_comment function in cr-tknzr.c in libcroco 0.6.12 can cause a denial of service (memory allocation error) via a crafted CSS file. > > > ./csslint-0.6 --dump-location libcroco_0_6_12_memory_allocation_error.css > > > ==21841==ERROR: AddressSanitizer failed to allocate 0x20002000 (536879104) bytes of LargeMmapAllocator: 12 > ... > ==21841==AddressSanitizer CHECK failed: /build/buildd/llvm-toolchain-3.4-3.4/projects/compiler-rt/lib/sanitizer_common/sanitizer_posix.cc:68 "(("unable to mmap" && 0)) != (0)" (0x0, 0x0) > ... > #10 0x7fd78c2fcb4d in cr_tknzr_parse_comment /home/a/Downloads/libcroco-0.6.12/src/cr-tknzr.c:462 > #11 0x7fd78c2fcb4d in cr_tknzr_get_next_token /home/a/Downloads/libcroco-0.6.12/src/cr-tknzr.c:2218 > #12 0x7fd78c356f6e in cr_parser_try_to_skip_spaces_and_comments /home/a/Downloads/libcroco-0.6.12/src/cr-parser.c:634 > #13 0x7fd78c368a43 in cr_parser_parse_stylesheet /home/a/Downloads/libcroco-0.6.12/src/cr-parser.c:2538 > #14 0x7fd78c368a43 in cr_parser_parse /home/a/Downloads/libcroco-0.6.12/src/cr-parser.c:4381 > #15 0x480a8e in sac_parse_and_display_locations /home/a/Downloads/libcroco-0.6.12/csslint/csslint.c:960 > #16 0x480a8e in main /home/a/Downloads/libcroco-0.6.12/csslint/csslint.c:1001 > #17 0x7fd78b397f44 (/lib/x86_64-linux-gnu/libc.so.6+0x21f44) > #18 0x47c95c in _start (/home/a/Downloads/libcroco-0.6.12/csslint/.libs/lt-csslint-0.6+0x47c95c) > > > Reproducer: > libcroco_0_6_12_memory_allocation_error.css > CVE: > CVE-2017-8834 > > > 2. > The cr_parser_parse_selector_core function in cr-parser.c in libcroco 0.6.12 can cause a denial of service(infinite loop and CPU consumption) via a crafted CSS file. > > > ./csslint-0.6 --dump-location libcroco_0_6_12_infinite_loop.css > > > Reproducer: > libcroco_0_6_12_infinite_loop.css > CVE: > CVE-2017-8871 > > > =============================== > > > qflb.wu () dbappsecurity com cn > > > > > > > > > > >
Source: Gmail -> IFTTT-> Blogger
No comments:
Post a Comment