Bug 1835377 (CVE-2020-12825) - CVE-2020-12825 libcroco: Stack overflow in function cr_parser_parse_any_core in cr-parser.c
Summary: CVE-2020-12825 libcroco: Stack overflow in function cr_parser_parse_any_core ...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2020-12825
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1835378 1835379 1835950 1835951 1862569 1862570 1866484 1866540 1866541 1910594
Blocks: 1835380
TreeView+ depends on / blocked
 
Reported: 2020-05-13 17:32 UTC by Pedro Sampaio
Modified: 2021-02-16 20:03 UTC (History)
29 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A stack overflow flaw was found in libcroco. A service using libcroco's CSS parser could be crashed by a local, authenticated attacker, or an attacker utilizing social engineering, using a crafted input. The highest threat from this vulnerability is to system availability.
Clone Of:
Environment:
Last Closed: 2020-09-30 03:57:10 UTC


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
GNOME Gitlab GNOME/libcroco - issues 8 0 None None None 2020-07-31 20:31:43 UTC
GNOME Gitlab GNOME/libcroco - merge_requests 5/ 0 None None None 2020-07-31 20:31:31 UTC
Red Hat Product Errata RHSA-2020:3654 0 None None None 2020-09-08 09:39:38 UTC
Red Hat Product Errata RHSA-2020:4072 0 None None None 2020-09-29 20:56:09 UTC

Description Pedro Sampaio 2020-05-13 17:32:06 UTC
libcroco through 0.6.13 has excessive recursion in cr_parser_parse_any_core in cr-parser.c, leading to stack consumption.

Upstream issue:

https://gitlab.gnome.org/GNOME/libcroco/-/issues/8

Comment 1 Pedro Sampaio 2020-05-13 17:32:38 UTC
Created libcroco tracking bugs for this issue:

Affects: fedora-all [bug 1835378]


Created mingw-libcroco tracking bugs for this issue:

Affects: fedora-all [bug 1835379]

Comment 2 Todd Cullum 2020-05-14 00:35:29 UTC
libcroco has a CSS2 parser which uses the function cr_parser_parse_any_core() in cr-parser.c to parse CSS "any" grammar. The function calls itself recursively when the tokenizer provides it with a token which is one of type: PO_TK (Opening parenthesis), BO_TK (Opening bracket), or FUNCTION_TK. It does not limit the recursion and thus is susceptible to a stack overflow when crafted input is provided to the CSS parser.

Comment 28 Todd Cullum 2020-08-05 21:47:11 UTC
Mitigation:

To mitigate this flaw as it applies to gnome-shell, do not install untrusted gnome-shell extensions or themes. Red Hat Enterprise Linux does not ship with gnome-shell themes that will trigger this vulnerability. To mitigate this flaw as it applies to inkscape, do not open untrusted CSS in inkscape.

Comment 37 Todd Cullum 2020-08-08 00:20:16 UTC
Statement:

While Red Hat Enterprise Linux 6, 7 and 8 ship versions of `libcroco` that are vulnerable to this flaw, the packages which use this library as a dependency would require a user to open a malicious file locally for exploitation. Opening such a file may result in a temporary crash of the application.  See below for more detailed information:

* Red Hat Enterprise Linux 8 - `libcroco` is a runtime dependency of `gnome-shell`, `gettext` and `inkscape`.
* Red Hat Enterprise Linux 7 - `libcroco` is a runtime dependency of  `gnome-shell`, `gettext`, `librsvg2` and `inkscape`.
* Red Hat Enterprise Linux 6 - `libcroco` is required by `firefox` to bundle `gtk3` but `firefox` does not use `libcroco` as its CSS parsing engine or provide gtk3 to other packages, and thus not affected. `libcroco` is a runtime dependency of `inkscape`, `librsvg2` and `gettext`.

This flaw has only been demonstrated to cause a crash, but if there is any concern of further exploitation beyond that, Red Hat Enterprise Linux 6, 7, and 8 packages are built with a stack protector and stack ASLR which would significantly reduce the likelihood of further exploitation.

Comment 41 errata-xmlrpc 2020-09-08 09:39:31 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:3654 https://access.redhat.com/errata/RHSA-2020:3654

Comment 43 errata-xmlrpc 2020-09-29 20:56:06 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2020:4072 https://access.redhat.com/errata/RHSA-2020:4072

Comment 44 Product Security DevOps Team 2020-09-30 03:57:10 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-12825


Note You need to log in before you can comment on or make changes to this bug.