Bug 27108 - libcroco new security issue CVE-2020-12825 (and others unfixed due to it being unmaintained)
Summary: libcroco new security issue CVE-2020-12825 (and others unfixed due to it being unmaintained)
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 7
Hardware: All
OS: Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA7-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2020-08-14 13:32 CEST by David Walser
Modified: 2021-07-10 22:01 CEST (History)
CC: 7 users

See Also:
Source RPM: libcroco-0.6.13-1.1.mga7.src.rpm
CVE: CVE-2020-12825
Status comment:


Description David Walser 2020-08-14 13:32:56 CEST
See here:
https://www.openwall.com/lists/oss-security/2020/08/13/3
https://gitlab.gnome.org/Archive/libcroco/-/issues/8

We should drop libcroco if possible if it is dead upstream, but also fix the CVE for Mageia 7 at least if there's a fix.
David Walser 2020-08-14 13:50:17 CEST

Whiteboard: (none) => MGA7TOO

Comment 1 Lewis Smith 2020-08-17 21:01:08 CEST
No obvious maintainer for this SRPM, so having to assign this bug globally.

Assignee: bugsquad => pkg-bugs

Comment 2 David Walser 2020-08-17 21:07:19 CEST
This is GNOME stuff, so should be addressed by Olav at least for Cauldron.

CC: (none) => olav

Comment 3 David Walser 2020-09-08 15:44:10 CEST
RedHat has issued an advisory for the CVE today (September 8):
https://access.redhat.com/errata/RHSA-2020:3654
Comment 4 David Walser 2020-10-13 16:39:36 CEST
RedHat has issued an advisory for this on September 29:
https://access.redhat.com/errata/RHSA-2020:4072
Comment 5 Olav Vitters 2020-10-13 18:42:26 CEST
libcroco is required by gettext. Apparently gettext bundles it. Fedora uses the bundled one. Aside from gettext it seems it's not used. So IMO: use bundled libcroco for gettext, then obsolete the thing.
Comment 6 David Walser 2020-10-13 19:29:59 CEST
Thanks Olav.  CC'ing Jani, who has done recent work on the gettext package.  We should apply whatever fixes exist for libcroco to the bundled copy.

CC: (none) => jani.valimaa

Comment 7 Jani Välimaa 2020-10-13 20:31:28 CEST
Backported patches mentioned in bug-gettext ml to cauldron's gettext-0.21-3.mga8:
https://lists.gnu.org/archive/html/bug-gettext/2020-08/msg00026.html
Comment 8 David Walser 2020-10-13 20:38:43 CEST
Thanks.  Last needed fix for Cauldron is gettext should obsolete libcroco.
Comment 9 Jani Välimaa 2020-10-13 20:51:00 CEST
Do we need to fix inkscape?

https://gitlab.com/inkscape/inkscape/-/merge_requests/2202
Comment 10 David Walser 2020-10-13 21:21:33 CEST
Looks like it :o(
Comment 11 Jani Välimaa 2020-10-13 21:46:19 CEST
And cinnamon.

https://github.com/linuxmint/cinnamon/pull/9501
Comment 13 Jani Välimaa 2020-10-13 21:54:32 CEST
(In reply to Jani Välimaa from comment #12)
> And gnome-shell.
> 
> https://gitlab.gnome.org/GNOME/gnome-shell/-/commit/
> 7b64eb285dd937b34df71c95188301be50dd1409

It's already fixed in 3.37.91:
* Fix potential stack overflow in libcroco [Michael; !1404]

We need to add bundled(libcroco) provides to gnome-shell.
Comment 14 David Walser 2020-10-13 21:58:10 CEST
(In reply to David Walser from comment #8)
> Thanks.  Last needed fix for Cauldron is gettext should obsolete libcroco.

Please don't forget this.
Comment 15 David Walser 2020-10-14 03:59:52 CEST
Just collecting package lists from today for the eventual update:
libcroco0.6_3-0.6.13-1.2.mga7
libcroco-devel-0.6.13-1.2.mga7
libcroco-utils-0.6.13-1.2.mga7
gettext-0.19.8.1-4.1.mga7
libintl8-0.19.8.1-4.1.mga7
libgettextmisc-0.19.8.1-4.1.mga7
gettext-devel-0.19.8.1-4.1.mga7
gettext-base-0.19.8.1-4.1.mga7

from SRPMS:
libcroco-0.6.13-1.2.mga7.src.rpm
gettext-0.19.8.1-4.1.mga7.src.rpm
Comment 16 David Walser 2020-12-27 20:22:08 CET
(In reply to Jani Välimaa from comment #9)
> Do we need to fix inkscape?
> 
> https://gitlab.com/inkscape/inkscape/-/merge_requests/2202

Fixed upstream in 1.0.1, which is in Cauldron.  Needs backported to Mageia 7.

(In reply to Jani Välimaa from comment #11)
> And cinnamon.
> 
> https://github.com/linuxmint/cinnamon/pull/9501

Fixed upstream in 4.8.3, which is in Cauldron.  Needs backported to Mageia 7.

Mageia 7's gnome-shell uses the system libcroco.

libcroco still needs to be removed from Cauldron.
Comment 17 Nicolas Lécureuil 2020-12-27 21:13:56 CET
Removed from cauldron.

Whiteboard: MGA7TOO => (none)
CC: (none) => mageia
Version: Cauldron => 7

David Walser 2020-12-27 22:37:02 CET

Status comment: (none) => inkscape and cinnamon need to be patched

Comment 18 David Walser 2021-06-28 21:33:46 CEST
It doesn't look like cinnamon in Mageia 7 has the bundled code, and inkscape's RPM requires lists "libcroco_LIB.so()(64bit)" so I'm not sure I needed to patch it, but I did.  I'm gonna assume for now that was unnecessary and not include it.  Package list therefore in Comment 15.

Assignee: pkg-bugs => qa-bugs
Status comment: inkscape and cinnamon need to be patched => (none)

Comment 19 Thomas Andrews 2021-07-10 16:25:35 CEST
Tested with an HP Probook 6550b, 64-bit Plasma system.

Gettext and dependencies already installed, but after reading the comments, I installed Inkscape to use for the test.

Before the update, I ran Inkscape, and simply because one of the packages was "gettext," I added a text message to the blank drawing, and manipulated it. Size change was fine, but when I went to change the font I did not see all of the fonts available as choices.

Used qarepo for the update, with no installation issues. Ran Inkscape again, and this time I saw several more fonts available when I went to make the changes. It's possible that the difference was something I did differently in the two tests, perhaps a different order of application, but I don't think so.

Anyway, it still works. Giving this an OK, and validating.

Whiteboard: (none) => MGA7-64-OK
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Comment 20 Len Lawrence 2021-07-10 17:47:20 CEST
Oops - mid-air collision.
mga7, x86_64

Installed the updates before thinking about a poc.
CVE-2020-12825
Installed csslint.
https://gitlab.gnome.org/Archive/libcroco/-/issues/8
Ignored the ASAN compilation step.
$ csslint poc > poc.output
The output is a stream of data ending in:
((((((n|-b*,seltTx�<shadow:ntr���gn-g(re

which mimics the input more or less and does not crash.

Launched gnome-shell under strace from a Mate session.
$ strace -o gnome.trace gnome-shell --replace
Tried a few desktop operations and exited with Ctrl-C.
$ grep croco gnome.trace
..........
openat(AT_FDCWD, "/lib64/libcroco-0.6.so.3", O_RDONLY|O_CLOEXEC) = 3
read(18, "lib64/libcroco-0.6.so.3.0.1\n7f13"..., 1024) = 1024

Giving this a tentative OK.

CC: (none) => tarazed25

Comment 21 Aurelien Oudelet 2021-07-10 20:26:10 CEST
Advisory:
========================

Updated libcroco and gettext packages fix security vulnerability:

libcroco through 0.6.13 has excessive recursion in cr_parser_parse_any_core
in cr-parser.c, leading to stack consumption (CVE-2020-12825).

References:
 - https://bugs.mageia.org/show_bug.cgi?id=27108
 - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12825
 - https://access.redhat.com/errata/RHSA-2020:4072
 - https://gitlab.gnome.org/Archive/libcroco/-/issues/8
========================

Updated packages in core/updates_testing:
========================
libcroco0.6_3-0.6.13-1.2.mga7
libcroco-devel-0.6.13-1.2.mga7
libcroco-utils-0.6.13-1.2.mga7
gettext-0.19.8.1-4.1.mga7
libintl8-0.19.8.1-4.1.mga7
libgettextmisc-0.19.8.1-4.1.mga7
gettext-devel-0.19.8.1-4.1.mga7
gettext-base-0.19.8.1-4.1.mga7

from SRPMS:
libcroco-0.6.13-1.2.mga7.src.rpm
gettext-0.19.8.1-4.1.mga7.src.rpm
Aurelien Oudelet 2021-07-10 20:26:38 CEST

Keywords: (none) => advisory
CVE: (none) => CVE-2020-12825
Source RPM: libcroco-0.6.13-3.mga8.src.rpm => libcroco-0.6.13-1.1.mga7.src.rpm
CC: (none) => ouaurelien
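
The advisory above names the defect as excessive recursion in cr_parser_parse_any_core. The C program below is an added illustration of that bug class, written for this page and not taken from libcroco, gettext or the Mageia patch: a toy parser for a CSS-like "any" production (plain tokens plus nested (), [] and {} groups) in its unbounded recursive shape, beside the same parser with the kind of depth counter a fix adds. The bracket set, the function names and the RECURSION_LIMIT value of 100 are assumptions; the page does not show libcroco's actual patch.

```c
/*
 * Added illustration, not libcroco's source.  any_core_unbounded() has the
 * shape CVE-2020-12825 describes: every opening bracket recurses, so a long
 * enough run of "(((((" exhausts the stack.  any_core_limited() adds a depth
 * counter checked on entry.  RECURSION_LIMIT is an assumed value.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define RECURSION_LIMIT 100u

enum parse_status { PS_OK = 0, PS_SYNTAX = 1, PS_TOO_DEEP = 2, PS_NOMEM = 3 };

/* Matching closer for an opening bracket, or 0 for a plain token. */
static char closer_for(char c)
{
    switch (c) {
    case '(': return ')';
    case '[': return ']';
    case '{': return '}';
    default:  return 0;
    }
}

/* Vulnerable shape: recursion depth is bounded only by the input length. */
static enum parse_status any_core_unbounded(const char *s, size_t *pos)
{
    while (s[*pos] != '\0') {
        char c = s[*pos];
        char close = closer_for(c);
        if (close != 0) {
            (*pos)++;                                          /* consume opener */
            enum parse_status st = any_core_unbounded(s, pos); /* recurse        */
            if (st != PS_OK)
                return st;
            if (s[*pos] != close)
                return PS_SYNTAX;                              /* bad closer     */
            (*pos)++;                                          /* consume closer */
        } else if (c == ')' || c == ']' || c == '}') {
            return PS_OK;                                      /* caller matches */
        } else {
            (*pos)++;                                          /* plain token    */
        }
    }
    return PS_OK;
}

/* Hardened shape: refuse to recurse past RECURSION_LIMIT nesting levels. */
static enum parse_status any_core_limited(const char *s, size_t *pos, unsigned depth)
{
    if (depth > RECURSION_LIMIT)
        return PS_TOO_DEEP;
    while (s[*pos] != '\0') {
        char c = s[*pos];
        char close = closer_for(c);
        if (close != 0) {
            (*pos)++;
            enum parse_status st = any_core_limited(s, pos, depth + 1);
            if (st != PS_OK)
                return st;
            if (s[*pos] != close)
                return PS_SYNTAX;
            (*pos)++;
        } else if (c == ')' || c == ']' || c == '}') {
            return PS_OK;
        } else {
            (*pos)++;
        }
    }
    return PS_OK;
}

/* Top-level entry points: the whole string must be consumed. */
enum parse_status parse_unbounded(const char *s)
{
    size_t pos = 0;
    enum parse_status st = any_core_unbounded(s, &pos);
    return st != PS_OK ? st : (s[pos] == '\0' ? PS_OK : PS_SYNTAX);
}

enum parse_status parse_limited(const char *s)
{
    size_t pos = 0;
    enum parse_status st = any_core_limited(s, &pos, 0);
    return st != PS_OK ? st : (s[pos] == '\0' ? PS_OK : PS_SYNTAX);
}

/* Constructed stress input: n openers followed by n closers, e.g. "((()))". */
char *make_nested(size_t n)
{
    char *buf = malloc(2 * n + 1);
    if (buf == NULL)
        return NULL;
    memset(buf, '(', n);
    memset(buf + n, ')', n);
    buf[2 * n] = '\0';
    return buf;
}

/* Parse an n-deep constructed input with the hardened parser. */
enum parse_status parse_nested_limited(size_t n)
{
    char *in = make_nested(n);
    if (in == NULL)
        return PS_NOMEM;
    enum parse_status st = parse_limited(in);
    free(in);
    return st;
}

int main(void)
{
    printf("a{b(c)[d]} -> %d\n", parse_limited("a{b(c)[d]}"));
    printf("a{b(c}     -> %d\n", parse_limited("a{b(c}"));
    printf("%u levels -> %d\n", RECURSION_LIMIT, parse_nested_limited(RECURSION_LIMIT));
    printf("%u levels -> %d\n", RECURSION_LIMIT + 1, parse_nested_limited(RECURSION_LIMIT + 1));
    /* parse_unbounded(make_nested(10000000)) would exhaust the stack instead. */
    return 0;
}
```

The limited parser fails closed with PS_TOO_DEEP as soon as nesting passes the bound, without reading the rest of the input, so a multi-megabyte run of openers costs at most 101 frames. The unbounded version is kept only for comparison on small inputs; feeding it the deep constructed input reproduces the class of crash the advisory describes (stack consumption, a denial of service rather than memory corruption).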

Comment 22 Mageia Robot 2021-07-10 22:01:50 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0333.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED

