See here: https://www.openwall.com/lists/oss-security/2020/08/13/3 https://gitlab.gnome.org/Archive/libcroco/-/issues/8 We should drop libcroco if possible if it is dead upstream, but also fix the CVE for Mageia 7 at least if there's a fix.
Whiteboard: (none) => MGA7TOO
No obvious maintainer for this SRPM, so having to assign this bug globally.
Assignee: bugsquad => pkg-bugs
This is GNOME stuff, so should be addressed by Olav at least for Cauldron.
CC: (none) => olav
RedHat has issued an advisory for the CVE today (September 8): https://access.redhat.com/errata/RHSA-2020:3654
RedHat has issued an advisory for this on September 29: https://access.redhat.com/errata/RHSA-2020:4072
libcroco is required by gettext. Apparently gettext bundles it. Fedora uses the bundled one. Aside from gettext it seems it's not used. So IMO: use bundled libcroco for gettext, then obsolete the thing.
Thanks Olav. CC'ing Jani, who has done recent work on the gettext package. We should apply whatever fixes exist for libcroco to the bundled copy.
CC: (none) => jani.valimaa
Backported patches mentioned in bug-gettext ml to cauldron's gettext-0.21-3.mga8: https://lists.gnu.org/archive/html/bug-gettext/2020-08/msg00026.html
Thanks. Last needed fix for Cauldron is gettext should obsolete libcroco.
Do we need to fix inkscape? https://gitlab.com/inkscape/inkscape/-/merge_requests/2202
Looks like it :o(
And cinnamon. https://github.com/linuxmint/cinnamon/pull/9501
And gnome-shell. https://gitlab.gnome.org/GNOME/gnome-shell/-/commit/7b64eb285dd937b34df71c95188301be50dd1409
(In reply to Jani Välimaa from comment #12)
> And gnome-shell.
> https://gitlab.gnome.org/GNOME/gnome-shell/-/commit/7b64eb285dd937b34df71c95188301be50dd1409

It's already fixed in 3.37.91:
* Fix potential stack overflow in libcroco [Michael; !1404]

We need to add bundled(libcroco) provides to gnome-shell.
(In reply to David Walser from comment #8)
> Thanks. Last needed fix for Cauldron is gettext should obsolete libcroco.

Please don't forget this.
Just collecting package lists from today for the eventual update:

libcroco0.6_3-0.6.13-1.2.mga7
libcroco-devel-0.6.13-1.2.mga7
libcroco-utils-0.6.13-1.2.mga7
gettext-0.19.8.1-4.1.mga7
libintl8-0.19.8.1-4.1.mga7
libgettextmisc-0.19.8.1-4.1.mga7
gettext-devel-0.19.8.1-4.1.mga7
gettext-base-0.19.8.1-4.1.mga7

from SRPMS:
libcroco-0.6.13-1.2.mga7.src.rpm
gettext-0.19.8.1-4.1.mga7.src.rpm
(In reply to Jani Välimaa from comment #9)
> Do we need to fix inkscape?
> https://gitlab.com/inkscape/inkscape/-/merge_requests/2202

Fixed upstream in 1.0.1, which is in Cauldron. Needs to be backported to Mageia 7.

(In reply to Jani Välimaa from comment #11)
> And cinnamon.
> https://github.com/linuxmint/cinnamon/pull/9501

Fixed upstream in 4.8.3, which is in Cauldron. Needs to be backported to Mageia 7.

Mageia 7's gnome-shell uses the system libcroco.

libcroco still needs to be removed from Cauldron.
Removed from cauldron.
Whiteboard: MGA7TOO => (none)
CC: (none) => mageia
Version: Cauldron => 7
Status comment: (none) => inkscape and cinnamon need to be patched
It doesn't look like cinnamon in Mageia 7 has the bundled code, and inkscape's RPM requires lists "libcroco_LIB.so()(64bit)" so I'm not sure I needed to patch it, but I did. I'm gonna assume for now that was unnecessary and not include it. Package list therefore in Comment 15.
Assignee: pkg-bugs => qa-bugs
Status comment: inkscape and cinnamon need to be patched => (none)
Tested with an HP Probook 6550b, 64-bit Plasma system. Gettext and dependencies already installed, but after reading the comments, I installed Inkscape to use for the test. Before the update, I ran Inkscape, and simply because one of the packages was "gettext," I added a text message to the blank drawing, and manipulated it. Size change was fine, but when I went to change the font I did not see all of the fonts available as choices. Used qarepo for the update, with no installation issues. Ran Inkscape again, and this time I saw several more fonts available when I went to make the changes. It's possible that the difference was something I did differently in the two tests, perhaps a different order of application, but I don't think so. Anyway, it still works. Giving this an OK, and validating.
Whiteboard: (none) => MGA7-64-OK
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
Oops - mid-air collision.

mga7, x86_64

Installed the updates before thinking about a poc.

CVE-2020-12825

Installed csslint.
https://gitlab.gnome.org/Archive/libcroco/-/issues/8
Ignored the ASAN compilation step.

$ csslint poc > poc.output

The output is a stream of data ending in:
((((((n|-b*,seltTx�<shadow:ntr���gn-g(re
which mimics the input more or less and does not crash.

Launched gnome-shell under strace from a Mate session.

$ strace -o gnome.trace gnome-shell --replace

Tried a few desktop operations and exited with Ctrl-C.

$ grep croco gnome.trace
..........
openat(AT_FDCWD, "/lib64/libcroco-0.6.so.3", O_RDONLY|O_CLOEXEC) = 3
read(18, "lib64/libcroco-0.6.so.3.0.1\n7f13"..., 1024) = 1024

Giving this a tentative OK.
CC: (none) => tarazed25
Advisory:
========================

Updated libcroco and gettext packages fix security vulnerability:

libcroco through 0.6.13 has excessive recursion in cr_parser_parse_any_core in cr-parser.c, leading to stack consumption (CVE-2020-12825).

References:
- https://bugs.mageia.org/show_bug.cgi?id=27108
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12825
- https://access.redhat.com/errata/RHSA-2020:4072
- https://gitlab.gnome.org/Archive/libcroco/-/issues/8
========================

Updated packages in core/updates_testing:
========================
libcroco0.6_3-0.6.13-1.2.mga7
libcroco-devel-0.6.13-1.2.mga7
libcroco-utils-0.6.13-1.2.mga7
gettext-0.19.8.1-4.1.mga7
libintl8-0.19.8.1-4.1.mga7
libgettextmisc-0.19.8.1-4.1.mga7
gettext-devel-0.19.8.1-4.1.mga7
gettext-base-0.19.8.1-4.1.mga7

from SRPMS:
libcroco-0.6.13-1.2.mga7.src.rpm
gettext-0.19.8.1-4.1.mga7.src.rpm
Keywords: (none) => advisory
CVE: (none) => CVE-2020-12825
Source RPM: libcroco-0.6.13-3.mga8.src.rpm => libcroco-0.6.13-1.1.mga7.src.rpm
CC: (none) => ouaurelien
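The advisory above describes the bug class (unbounded recursion in a recursive-descent parser driven by nested input, exhausting the stack) without showing the shape of the fix. The following is an added illustration, not libcroco, gettext or Mageia code: a toy parser for nested bracket groups in the spirit of the CSS "any" production, with an explicit depth limit so that hostile input yields a parse error instead of a crash. Every name, the MAX_DEPTH value and the constructed hostile input are this example's own assumptions.

```c
/* Added example (not libcroco/gettext code): a recursive-descent parser
 * for nested bracket groups with a depth guard. Without the guard, each
 * nesting level costs one stack frame and attacker-controlled input
 * decides how many frames are consumed. */
#include <stddef.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

enum parse_status { PARSE_OK = 0, PARSE_SYNTAX = 1, PARSE_TOO_DEEP = 2 };

/* Assumed limit for this example; a real parser picks a value that still
 * covers any legitimate document it must accept. */
#define MAX_DEPTH 64

static int  is_open(char c) { return c == '(' || c == '[' || c == '{'; }
static int  is_close(char c) { return c == ')' || c == ']' || c == '}'; }
static char closer(char c)  { return c == '(' ? ')' : c == '[' ? ']' : '}'; }

/* Parse an "any" sequence starting at *pos: plain characters, or a bracket
 * group whose body is itself an "any" sequence. Recurses once per nesting
 * level, stopping early when depth exceeds MAX_DEPTH. On a closing bracket
 * it returns PARSE_OK and leaves *pos on it so the caller can match it. */
static enum parse_status parse_any(const char *in, size_t len, size_t *pos, unsigned depth)
{
    if (depth > MAX_DEPTH)
        return PARSE_TOO_DEEP;

    while (*pos < len) {
        char c = in[*pos];
        if (is_open(c)) {
            char want = closer(c);
            (*pos)++;
            enum parse_status st = parse_any(in, len, pos, depth + 1);
            if (st != PARSE_OK)
                return st;
            if (*pos >= len || in[*pos] != want)
                return PARSE_SYNTAX;        /* unterminated or mismatched group */
            (*pos)++;
        } else if (is_close(c)) {
            return PARSE_OK;                /* caller checks it is the right one */
        } else {
            (*pos)++;
        }
    }
    return PARSE_OK;
}

/* Top-level entry: the whole input must be consumed, so a stray closing
 * bracket at depth 0 is a syntax error. */
enum parse_status parse_css_any(const char *in)
{
    size_t pos = 0, len = strlen(in);
    enum parse_status st = parse_any(in, len, &pos, 0);
    if (st != PARSE_OK)
        return st;
    return pos == len ? PARSE_OK : PARSE_SYNTAX;
}

/* Constructed hostile input: n opening brackets and no closers, the shape
 * of input that drives an unguarded parser down the stack n frames deep.
 * Caller frees the result. */
char *make_nested(size_t n)
{
    char *s = malloc(n + 1);
    if (!s)
        return NULL;
    memset(s, '(', n);
    s[n] = '\0';
    return s;
}

int main(void)
{
    const char *benign = "a:b(c[d]{e})";
    char *hostile = make_nested(1000000);
    if (!hostile)
        return 1;
    printf("%s -> %d\n", benign, parse_css_any(benign));
    printf("1000000 nested groups -> %d\n", parse_css_any(hostile));
    free(hostile);
    return 0;
}
```

The guard has to sit at the entry of the recursive function itself, not only at the top-level caller; a limit that is checked once at the outside does nothing once the recursion is under way. The same pattern applies to any grammar with self-referential productions (nested functions, blocks, selectors) that takes untrusted input.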
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2021-0333.html
Resolution: (none) => FIXEDStatus: NEW => RESOLVED