Bug 1835377 (CVE-2020-12825)

Summary: CVE-2020-12825 libcroco: Stack overflow in function cr_parser_parse_any_core in cr-parser.c
Product: [Other] Security Response
Reporter: Pedro Sampaio <psampaio>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: aubaker, caillon+fedoraproject, cwarfiel, dchong, dodji, ekirby, eng-i18n-bugs, fmuellner, gnome-sig, jastephe, jhorak, john.j5live, lcaparel, mcatanza, mclasen, mmezynsk, nmadhesh, otaylor, petersen, rhughes, rstrode, rsunog, sandmann, sbalasub, simore, stransky, suanand, tcrider, tpopela
Keywords: Security
Hardware: All
OS: Linux
Doc Type: If docs needed, set a value
Doc Text:
A stack overflow flaw was found in libcroco. A service using libcroco's CSS parser could be crashed by a local, authenticated attacker, or an attacker utilizing social engineering, using a crafted input. The highest threat from this vulnerability is to system availability.
Last Closed: 2020-09-30 03:57:10 UTC
Bug Depends On: 1835378, 1835379, 1835950, 1835951, 1862569, 1862570, 1866484, 1866540, 1866541, 1910594
Bug Blocks: 1835380

Description Pedro Sampaio 2020-05-13 17:32:06 UTC
libcroco through 0.6.13 has excessive recursion in cr_parser_parse_any_core in cr-parser.c, leading to stack consumption.

Upstream issue:

https://gitlab.gnome.org/GNOME/libcroco/-/issues/8

Comment 1 Pedro Sampaio 2020-05-13 17:32:38 UTC
Created libcroco tracking bugs for this issue:

Affects: fedora-all [bug 1835378]
Created mingw-libcroco tracking bugs for this issue:

Affects: fedora-all [bug 1835379]

Comment 2 Todd Cullum 2020-05-14 00:35:29 UTC
libcroco has a CSS2 parser which uses the function cr_parser_parse_any_core() in cr-parser.c to parse CSS "any" grammar. The function calls itself recursively when the tokenizer provides it with a token which is one of type: PO_TK (Opening parenthesis), BO_TK (Opening bracket), or FUNCTION_TK. It does not limit the recursion and thus is susceptible to a stack overflow when crafted input is provided to the CSS parser.
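Comment 2 describes recursion that is never bounded. The block below is an added illustration, not libcroco's code and not anything the reporter posted: a hypothetical, minimal recursive-descent parser for the same "any" grammar (identifiers, parenthesised and bracketed groups, function tokens) with the kind of nesting bound that turns stack exhaustion into an ordinary parse error. MAX_DEPTH is an arbitrary example value and parse_nested builds constructed input; neither comes from the page.

```c
#include <string.h>
/* Hypothetical model of the CSS "any" production, not libcroco's code:
 *   any := IDENT | '(' any* ')' | '[' any* ']' | IDENT '(' any* ')'
 * Nested groups recurse as cr_parser_parse_any_core() does; MAX_DEPTH (an
 * arbitrary example value) turns stack exhaustion into a parse error. */
#define MAX_DEPTH 64
enum { ANY_OK = 0, ANY_SYNTAX = -1, ANY_TOO_DEEP = -2 };
#define IS_WS(c)    ((c) == ' ' || (c) == '\t' || (c) == '\n')
#define IS_IDENT(c) (((c) >= 'a' && (c) <= 'z') || ((c) >= 'A' && (c) <= 'Z') || \
                     ((c) >= '0' && (c) <= '9') || (c) == '-')
static int parse_any(const char **p, int depth);

/* Parse a group body after its opener; consumes the matching `close`. */
static int parse_group(const char **p, char close, int depth)
{
    (*p)++;                                      /* consume '(' or '[' */
    for (;;) {
        while (IS_WS(**p)) (*p)++;
        if (**p == close) { (*p)++; return ANY_OK; }
        if (**p == '\0') return ANY_SYNTAX;      /* unterminated group */
        int rc = parse_any(p, depth + 1);        /* one stack frame per nesting level */
        if (rc != ANY_OK) return rc;
    }
}
static int parse_any(const char **p, int depth)
{
    if (depth > MAX_DEPTH) return ANY_TOO_DEEP;  /* the mitigation: refuse, do not recurse */
    while (IS_WS(**p)) (*p)++;
    if (**p == '(') return parse_group(p, ')', depth);
    if (**p == '[') return parse_group(p, ']', depth);
    if (!IS_IDENT(**p)) return ANY_SYNTAX;
    while (IS_IDENT(**p)) (*p)++;
    if (**p == '(') return parse_group(p, ')', depth); /* FUNCTION token: ident( */
    return ANY_OK;
}
/* Parse a whole string as a sequence of "any" terms. */
int parse_any_string(const char *s)
{
    for (int rc; ; ) {
        while (IS_WS(*s)) s++;
        if (*s == '\0') return ANY_OK;
        if ((rc = parse_any(&s, 1)) != ANY_OK) return rc;
    }
}
int parse_nested(int levels)   /* parse `levels` nested "(" ... ")" (constructed input) */
{
    static char buf[4096];
    if (levels < 0 || 2 * levels >= (int)sizeof buf) return ANY_SYNTAX;
    memset(buf, '(', levels); memset(buf + levels, ')', levels); buf[2 * levels] = '\0';
    return parse_any_string(buf);
}
```

Without the depth check, each nesting level costs one stack frame and the parser's only limit is the size of the thread's stack, which is exactly the condition the bug describes.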

Comment 28 Todd Cullum 2020-08-05 21:47:11 UTC
Mitigation:

To mitigate this flaw as it applies to gnome-shell, do not install untrusted gnome-shell extensions or themes. Red Hat Enterprise Linux does not ship with gnome-shell themes that will trigger this vulnerability. To mitigate this flaw as it applies to inkscape, do not open untrusted CSS in inkscape.

Comment 37 Todd Cullum 2020-08-08 00:20:16 UTC
Statement:

While Red Hat Enterprise Linux 6, 7 and 8 ship versions of `libcroco` that are vulnerable to this flaw, the packages which use this library as a dependency would require a user to open a malicious file locally for exploitation. Opening such a file may result in a temporary crash of the application. See below for more detailed information:

* Red Hat Enterprise Linux 8 - `libcroco` is a runtime dependency of `gnome-shell`, `gettext` and `inkscape`.
* Red Hat Enterprise Linux 7 - `libcroco` is a runtime dependency of `gnome-shell`, `gettext`, `librsvg2` and `inkscape`.
* Red Hat Enterprise Linux 6 - `libcroco` is required by `firefox` to bundle `gtk3`, but `firefox` does not use `libcroco` as its CSS parsing engine or provide gtk3 to other packages, and thus is not affected. `libcroco` is a runtime dependency of `inkscape`, `librsvg2` and `gettext`.

This flaw has only been demonstrated to cause a crash, but if there is any concern of further exploitation beyond that, Red Hat Enterprise Linux 6, 7, and 8 packages are built with a stack protector and stack ASLR which would significantly reduce the likelihood of further exploitation.

Comment 41 errata-xmlrpc 2020-09-08 09:39:31 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:3654 https://access.redhat.com/errata/RHSA-2020:3654

Comment 43 errata-xmlrpc 2020-09-29 20:56:06 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2020:4072 https://access.redhat.com/errata/RHSA-2020:4072

Comment 44 Product Security DevOps Team 2020-09-30 03:57:10 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-12825