libcroco through 0.6.13 has excessive recursion in cr_parser_parse_any_core in cr-parser.c, leading to stack consumption. Upstream issue: https://gitlab.gnome.org/GNOME/libcroco/-/issues/8
Created libcroco tracking bugs for this issue: Affects: fedora-all [bug 1835378]
Created mingw-libcroco tracking bugs for this issue: Affects: fedora-all [bug 1835379]
libcroco has a CSS2 parser which uses the function cr_parser_parse_any_core() in cr-parser.c to parse CSS "any" grammar. The function calls itself recursively when the tokenizer provides it with a token which is one of type: PO_TK (Opening parenthesis), BO_TK (Opening bracket), or FUNCTION_TK. It does not limit the recursion and thus is susceptible to a stack overflow when crafted input is provided to the CSS parser.
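As an added illustration (not libcroco's code and not its upstream fix), the following toy recursive-descent parser models the nested parenthesis, bracket and function groups that the "any" production accepts, with the depth bound that the description above says the real function lacks; MAX_ANY_DEPTH, parse_any and parse_nested are assumed names and the bound is an assumed value.

```c
#include <stddef.h>
/* Added example, not libcroco code: toy model of the "any" production. '(' and
 * '[' (including the '(' that ends a function token such as "url(") open a
 * nested sequence and recurse, as the real parser does. MAX_ANY_DEPTH is an
 * assumed bound, not libcroco's actual value. */
#define MAX_ANY_DEPTH 64
typedef enum { ANY_OK = 0, ANY_ERR_SYNTAX = 1, ANY_ERR_DEPTH = 2 } any_status;
/* Parses one "any" sequence from s[*pos]; on return *pos sits at the closing
 * token that belongs to the caller, or at end of input. Without the depth
 * check, one stack frame is consumed per nesting level of the input. */
static any_status parse_any_core(const char *s, size_t *pos, int depth)
{
    if (depth > MAX_ANY_DEPTH)
        return ANY_ERR_DEPTH;            /* the bound the unbounded version lacks */
    while (s[*pos] != '\0') {
        char c = s[*pos];
        if (c == '(' || c == '[') {
            char close = (c == '(') ? ')' : ']';
            (*pos)++;
            any_status st = parse_any_core(s, pos, depth + 1);
            if (st != ANY_OK) return st;
            if (s[*pos] != close) return ANY_ERR_SYNTAX; /* unterminated/mismatched */
            (*pos)++;
        } else if (c == ')' || c == ']') {
            return depth == 0 ? ANY_ERR_SYNTAX : ANY_OK; /* closer belongs to caller */
        } else {
            (*pos)++;                    /* idents, numbers, strings: consumed flat */
        }
    }
    return ANY_OK;
}

/* Top-level entry: the whole string must be one well-formed sequence. */
any_status parse_any(const char *s)
{
    size_t pos = 0;
    any_status st = parse_any_core(s, &pos, 0);
    return st != ANY_OK ? st : (s[pos] == '\0' ? ANY_OK : ANY_ERR_SYNTAX);
}
/* Builds n nested parentheses and parses them, to show that nesting past the
 * bound is reported as an error instead of growing the stack any further. */
any_status parse_nested(int n)
{
    static char buf[4096];
    if (n < 0 || (size_t)(2 * n + 1) > sizeof buf) return ANY_ERR_SYNTAX;
    for (int i = 0; i < n; i++) { buf[i] = '('; buf[n + i] = ')'; }
    buf[2 * n] = '\0';
    return parse_any(buf);
}
```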
Mitigation: To mitigate this flaw as it applies to gnome-shell, do not install untrusted gnome-shell extensions or themes. Red Hat Enterprise Linux does not ship with gnome-shell themes that will trigger this vulnerability. To mitigate this flaw as it applies to inkscape, do not open untrusted CSS in inkscape.
Statement: While Red Hat Enterprise Linux 6, 7 and 8 ship versions of `libcroco` that are vulnerable to this flaw, the packages which use this library as a dependency would require a user to open a malicious file locally for exploitation. Opening such a file may result in a temporary crash of the application. See below for more detailed information:
* Red Hat Enterprise Linux 8 - `libcroco` is a runtime dependency of `gnome-shell`, `gettext` and `inkscape`.
* Red Hat Enterprise Linux 7 - `libcroco` is a runtime dependency of `gnome-shell`, `gettext`, `librsvg2` and `inkscape`.
* Red Hat Enterprise Linux 6 - `libcroco` is required by `firefox` to bundle `gtk3`, but `firefox` does not use `libcroco` as its CSS parsing engine or provide gtk3 to other packages, and thus is not affected. `libcroco` is a runtime dependency of `inkscape`, `librsvg2` and `gettext`.
This flaw has only been demonstrated to cause a crash, but if there is any concern of further exploitation beyond that, Red Hat Enterprise Linux 6, 7, and 8 packages are built with a stack protector and stack ASLR, which would significantly reduce the likelihood of further exploitation.
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2020:3654 https://access.redhat.com/errata/RHSA-2020:3654
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2020:4072 https://access.redhat.com/errata/RHSA-2020:4072
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-12825