| Summary: | libcroco new security issues CVE-2017-7960, CVE-2017-7961, CVE-2017-8834, and CVE-2017-8871 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | andrewsfarm, geiger.david68210, herman.viaene, marja11, sysadmin-bugs, tmb |
| Version: | 7 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA7-64-OK | ||
| Source RPM: | libcroco-0.6.12-2.mga6.src.rpm | CVE: | |
| Status comment: | |||
| Attachments: | example css file | ||
Description
David Walser
2017-06-10 00:23:24 CEST
David Walser
2017-06-10 00:23:32 CEST
Whiteboard:
(none) =>
MGA5TOO

Assigning to all packagers collectively, since there is no registered maintainer for this package.

Assignee:
bugsquad =>
pkg-bugs

There seem to be two other older CVEs which I'm not sure we've patched so far:
- CVE-2017-7960: https://security-tracker.debian.org/tracker/CVE-2017-7960
- CVE-2017-7961: https://security-tracker.debian.org/tracker/CVE-2017-7961
Those two have upstream patches.

For reference, all 4 CVEs are considered minor by both Debian and RedHat, and WONTFIX for RHEL [567].

(In reply to Rémi Verschelde from comment #2)
> There seem to be two other older CVEs which I'm not sure we've patched so
> far:
> - CVE-2017-7960: https://security-tracker.debian.org/tracker/CVE-2017-7960
> - CVE-2017-7961: https://security-tracker.debian.org/tracker/CVE-2017-7961
>
> Those two have upstream patches.

Those two are fixed in Cauldron already by David Walser, but not in Mageia 5.

(In reply to Rémi Verschelde from comment #4)
> Those two are fixed in Cauldron already by David Walser, but not in Mageia 5.

Mageia 5 is not affected.
David Walser
2017-07-07 04:24:46 CEST
Whiteboard:
MGA5TOO =>
MGA6TOO, MGA5TOO

Still no fixes, so no can do for Mageia 5.

Whiteboard:
MGA6TOO, MGA5TOO =>
MGA6TOO
David Walser
2018-02-02 18:13:55 CET
Status comment:
(none) =>
Not fixed upstream as of end of 2017
David Walser
2019-01-21 02:41:58 CET
Status comment:
Not fixed upstream as of end of 2017 =>
Not fixed upstream as of end of 2018
David Walser
2019-06-23 19:24:39 CEST
Whiteboard:
MGA6TOO =>
MGA7TOO, MGA6TOO

openSUSE has issued an advisory for this on June 18:
https://lists.opensuse.org/opensuse-updates/2019-06/msg00092.html

The new CVEs I just added are fixed in 0.6.13. I'm not sure if the original two are as well.

Status comment:
Not fixed upstream as of end of 2018 =>
(none)

Still not, CVE-2017-8834 and CVE-2017-8871 are not yet fixed upstream.

There is a proposed patch which seems to fix both, but not yet accepted upstream:
https://bugzilla.gnome.org/show_bug.cgi?id=782647
https://bugzilla.gnome.org/show_bug.cgi?id=782649#c2

CC:
(none) =>
geiger.david68210

We can borrow the patch from openSUSE then.

Done for both Cauldron and mga7!

Advisory:
========================

Updated libcroco packages fix security vulnerabilities:

Heap overflow (input: check end of input before reading a byte) (CVE-2017-7960).

Undefined behavior (tknzr: support only max long rgb values) (CVE-2017-7961).

Denial of service (memory allocation error) via a crafted CSS file (CVE-2017-8834).

Denial of service (infinite loop and CPU consumption) via a crafted CSS file (CVE-2017-8871).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7960
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7961
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8834
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8871
https://lists.opensuse.org/opensuse-updates/2019-06/msg00092.html
========================

Updated packages in core/updates_testing:
========================
libcroco0.6_3-0.6.13-1.1.mga7
libcroco-devel-0.6.13-1.1.mga7
libcroco-utils-0.6.13-1.1.mga7

from libcroco-0.6.13-1.1.mga7.src.rpm

Assignee:
pkg-bugs =>
qa-bugs

MGA7-64 Plasma on Lenovo B50
No installation issues
Not much to find with urpmq
Tried to fiddle with csslint-0.6 command.
$ csslint-0.6 -h
Usage: csslint <path to a css file>
| csslint -v|--version
| csslint --dump-location <path to a css file>
| csslint <--evaluate | -e> [--author-sheet <path> --user-sheet <path> --ua-sheet <path>
] --xml <path> --xpath <xpath expression>
Googled an example css file (see attachment) and
$ csslint-0.6 -v
0.6.12
$ csslint-0.6 --dump-location gistfile.css
body {
/************************************************
*Parsing location information of the selector
************************************************/
/*body*/
/*line:3 column:1 byte offset:108 */
/*body*/
/*line:3 column:1 byte offset:108 */
margin : 25px;
and a lot more
Seems to provide info on each line of the file.
Oracle man pages say
" csslint-0.6 parses one or more CSS (Cascading Style Sheet) files, spec-
ified on the command line. It displays various types of output depend-
ing on the options specified. It is useful for detecting errors in the
CSS code and in the CSS parser itself.
Except when the --dump-location option is used, csslint-0.6 parses a
CSS file and builds a CSS object model."
and
"
--dump-location Dumps parsing location information for selec-
tors and property declarations."
If that all makes sense to someone, I'll be happy to OK the update.

CC:
(none) =>
herman.viaene

Created attachment 11388
example css file

Herman's test included a clean install, and while the output isn't something the layman would understand it doesn't look like it failed. I'll OK it, and validate. Advisory in Comment 11.

CC:
(none) =>
andrewsfarm, sysadmin-bugs
Thomas Backlund
2019-12-15 18:40:27 CET
CC:
(none) =>
tmb

An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2019-0389.html

Status:
NEW =>
RESOLVED
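
The advisory in this thread lists a denial of service by infinite loop (CVE-2017-8871) and one by memory allocation error (CVE-2017-8834); a QA pass over sample CSS files can surface both kinds of failure by running the linter under a time and memory cap. The script below is an added example, not part of the original bug report or of libcroco; `classify_run`, `check_corpus` and `LINT_CMD` are hypothetical names, and GNU coreutils `timeout` is assumed.

```shell
#!/bin/sh
# Added example, not part of the bug report. classify_run, check_corpus and
# LINT_CMD are hypothetical names; GNU coreutils `timeout` is assumed.

# classify_run SECS MEM_KB CMD [ARGS...]
# Runs CMD under a wall-clock and virtual-memory cap and prints one verdict:
#   PASS   exit 0               ERROR  non-zero exit (needs a human look)
#   HANG   stopped by timeout   CRASH  died on a signal
#   SETUP  the limit was refused or the command could not be started
classify_run() {
    secs=$1; mem_kb=$2; shift 2
    rc=0
    (
        # Cap address space so a runaway allocation fails instead of swapping.
        ulimit -v "$mem_kb" || exit 125
        exec timeout "$secs" "$@" >/dev/null 2>&1
    ) || rc=$?
    case $rc in
        0)           echo PASS ;;
        124)         echo HANG ;;    # timeout's exit status for "timed out"
        125|126|127) echo SETUP ;;   # limit refused, or command not runnable
        *)  if [ "$rc" -gt 128 ]; then echo CRASH; else echo ERROR; fi ;;
    esac
}

# check_corpus DIR: run the linter over every .css file in DIR
# (10 s and 512 MiB per file). Returns 1 if any file made it hang or crash.
check_corpus() {
    dir=$1; bad=0
    for f in "$dir"/*.css; do
        [ -e "$f" ] || continue
        verdict=$(classify_run 10 524288 ${LINT_CMD:-csslint-0.6} "$f")
        printf '%s\t%s\n' "$verdict" "$f"
        case $verdict in HANG|CRASH) bad=1 ;; esac
    done
    return "$bad"
}

# Usage, after sourcing this file: check_corpus /path/to/css-corpus
```

Running the same corpus against the old and the updated package and comparing the verdict column shows whether a file that previously produced HANG or CRASH now parses or is rejected cleanly.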