Two security issues reported upstream in libcroco have been assigned CVEs:
https://bugzilla.gnome.org/show_bug.cgi?id=782647
https://bugzilla.gnome.org/show_bug.cgi?id=782649

No fixes are available yet. Mageia 5 is also affected.
Whiteboard: (none) => MGA5TOO
Assigning to all packagers collectively, since there is no registered maintainer for this package.
Assignee: bugsquad => pkg-bugs
CC: (none) => marja11
There seem to be two other older CVEs which I'm not sure we've patched so far:
- CVE-2017-7960: https://security-tracker.debian.org/tracker/CVE-2017-7960
- CVE-2017-7961: https://security-tracker.debian.org/tracker/CVE-2017-7961

Those two have upstream patches.
For reference, all 4 CVEs are considered minor by both Debian and Red Hat, and WONTFIX for RHEL [567].
(In reply to Rémi Verschelde from comment #2)
> There seem to be two other older CVEs which I'm not sure we've patched so
> far:
> - CVE-2017-7960: https://security-tracker.debian.org/tracker/CVE-2017-7960
> - CVE-2017-7961: https://security-tracker.debian.org/tracker/CVE-2017-7961
>
> Those two have upstream patches.

Those two are fixed in Cauldron already by David Walser, but not in Mageia 5.
(In reply to Rémi Verschelde from comment #4)
> Those two are fixed in Cauldron already by David Walser, but not in Mageia 5.

Mageia 5 is not affected.
Whiteboard: MGA5TOO => MGA6TOO, MGA5TOO
Still no fixes, so no can do for Mageia 5.
Whiteboard: MGA6TOO, MGA5TOO => MGA6TOO
Status comment: (none) => Not fixed upstream as of end of 2017
Status comment: Not fixed upstream as of end of 2017 => Not fixed upstream as of end of 2018
Whiteboard: MGA6TOO => MGA7TOO, MGA6TOO
openSUSE has issued an advisory for this on June 18:
https://lists.opensuse.org/opensuse-updates/2019-06/msg00092.html

The new CVEs I just added are fixed in 0.6.13. I'm not sure if the original two are as well.
Status comment: Not fixed upstream as of end of 2018 => (none)
Whiteboard: MGA7TOO, MGA6TOO => MGA7TOO
Summary: libcroco new security issues CVE-2017-8834 and CVE-2017-8871 => libcroco new security issues CVE-2017-7960, CVE-2017-7961, CVE-2017-8834, and CVE-2017-8871
Still not; CVE-2017-8834 and CVE-2017-8871 are not yet fixed upstream. There is a proposed patch which seems to fix both, but it is not yet accepted upstream:
https://bugzilla.gnome.org/show_bug.cgi?id=782647
https://bugzilla.gnome.org/show_bug.cgi?id=782649#c2
CC: (none) => geiger.david68210
We can borrow the patch from openSUSE then.
Done for both Cauldron and mga7!
Advisory:
========================

Updated libcroco packages fix security vulnerabilities:

Heap overflow (input: check end of input before reading a byte)
(CVE-2017-7960).

Undefined behavior (tknzr: support only max long rgb values)
(CVE-2017-7961).

Denial of service (memory allocation error) via a crafted CSS file
(CVE-2017-8834).

Denial of service (infinite loop and CPU consumption) via a crafted CSS file
(CVE-2017-8871).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7960
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7961
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8834
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8871
https://lists.opensuse.org/opensuse-updates/2019-06/msg00092.html
========================

Updated packages in core/updates_testing:
========================
libcroco0.6_3-0.6.13-1.1.mga7
libcroco-devel-0.6.13-1.1.mga7
libcroco-utils-0.6.13-1.1.mga7

from libcroco-0.6.13-1.1.mga7.src.rpm
Assignee: pkg-bugs => qa-bugs
Whiteboard: MGA7TOO => (none)
Version: Cauldron => 7
MGA7-64 Plasma on Lenovo B50
No installation issues
Not much to find with urpmq
Tried to fiddle with csslint-0.6 command.

$ csslint-0.6 -h
Usage: csslint <path to a css file>
    | csslint -v|--version
    | csslint --dump-location <path to a css file>
    | csslint <--evaluate | -e> [--author-sheet <path> --user-sheet <path> --ua-sheet <path>
    ] --xml <path> --xpath <xpath expression>

Googled an example css file (see attachment) and

$ csslint-0.6 -v
0.6.12
$ csslint-0.6 --dump-location gistfile.css
body {
/************************************************
 *Parsing location information of the selector
 ************************************************/
/*body*/
/*line:3 column:1 byte offset:108 */
/*body*/
/*line:3 column:1 byte offset:108 */
margin : 25px;

and a lot more

Seems to provide info on each line of the file.
Oracle man pages say
" csslint-0.6 parses one or more CSS (Cascading Style Sheet) files, specified on the command line. It displays various types of output depending on the options specified. It is useful for detecting errors in the CSS code and in the CSS parser itself. Except when the --dump-location option is used, csslint-0.6 parses a CSS file and builds a CSS object model."
and
" --dump-location Dumps parsing location information for selectors and property declarations."

If that all makes sense to someone, I'll be happy to OK the update.
CC: (none) => herman.viaene
Created attachment 11388: example css file
Herman's test included a clean install, and while the output isn't something the layman would understand it doesn't look like it failed. I'll OK it, and validate. Advisory in Comment 11.
CC: (none) => andrewsfarm, sysadmin-bugs
Whiteboard: (none) => MGA7-64-OK
Keywords: (none) => validated_update
CC: (none) => tmb
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2019-0389.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED