Bugzilla – Bug 1171685
VUL-0: CVE-2020-12825: libcroco: Stack overflow in function cr_parser_parse_any_core in cr-parser.c
Last modified: 2024-05-07 11:30:50 UTC
CVE-2020-12825 libcroco through 0.6.13 has excessive recursion in cr_parser_parse_any_core in cr-parser.c, leading to stack consumption.

Upstream issue: https://gitlab.gnome.org/GNOME/libcroco/-/issues/8

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1835377
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-12825
Tracked as affecting all codestreams. Those are:
  SLE10-SP3
  SLE11
  SLE12
  SLE12-SP2
  SLE15
  Factory

The issue is only reproducible with ASAN.

To reproduce:
  checkout the corresponding codestream
  tar xf $tarball
  cd in the libcroco directory
  CFLAGS="-O2 -fsanitize=address" ./configure
  make
  export LD_LIBRARY_PATH="./src/.libs"
  ./csslint/.libs/csslint-0.6 path to POC

OUTPUT similar to:
==13359==ERROR: AddressSanitizer: stack-overflow on address 0x7fff14586ff8 (pc 0x7f457465bdc4 bp 0x7fff145870a0 sp 0x7fff14587000 T0)
    #0 0x7f457465bdc3 (/usr/lib64/libasan.so.4+0xeadc3)
    #1 0x7f457459b440 (/usr/lib64/libasan.so.4+0x2a440)
    #2 0x7f457464d4db in malloc (/usr/lib64/libasan.so.4+0xdc4db)
    #3 0x7f4573ffb88f in g_try_malloc (/usr/lib64/libglib-2.0.so.0+0x5388f)
    #4 0x7f45742f203a in cr_token_new (src/.libs/libcroco-0.6.so.3+0x3303a)
    #5 0x7f45742f6aa6 in cr_tknzr_get_next_token (src/.libs/libcroco-0.6.so.3+0x37aa6)
    #6 0x7f4574304432 in cr_parser_parse_any_core (src/.libs/libcroco-0.6.so.3+0x45432)
    #7 0x7f45743048c9 in cr_parser_parse_any_core (src/.libs/libcroco-0.6.so.3+0x458c9)
    #8 0x7f45743048c9 in cr_parser_parse_any_core (src/.libs/libcroco-0.6.so.3+0x458c9)
    #9 0x7f45743048c9 in cr_parser_parse_any_core (src/.libs/libcroco-0.6.so.3+0x458c9)
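The ASAN report above shows cr_parser_parse_any_core calling itself once per nested block until the stack runs out, with no bound on the depth. As an added illustration (this is not libcroco's code and not the patch referenced in this bug), the toy recursive-descent parser below handles the bracket-block part of the CSS core grammar's "any" production and fails closed once nesting exceeds a fixed limit, which is the usual mitigation for this class of bug. MAX_NESTING_DEPTH, parse_any, check_nesting and nested_status are hypothetical names chosen for the example; the sample inputs are constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical limit for this example: how many blocks may enclose another
 * block before the parser refuses the input. A real parser would size this
 * against the smallest stack it must run on. */
#define MAX_NESTING_DEPTH 64

enum parse_status {
    PARSE_OK = 0,
    PARSE_ERROR = 1,     /* malformed input: unbalanced or stray closer */
    PARSE_TOO_DEEP = 2   /* nesting exceeded MAX_NESTING_DEPTH; refused */
};

/* Returns the closing bracket for an opener, or 0 if c is not an opener. */
static int closer_for(char c)
{
    switch (c) {
    case '(': return ')';
    case '[': return ']';
    case '{': return '}';
    default:  return 0;
    }
}

/* Parses one "any" item starting at s[*pos]: either a plain character or a
 * bracketed block containing further "any" items. On success *pos points
 * past the item. depth counts how many blocks enclose this call. */
static enum parse_status parse_any(const char *s, size_t len, size_t *pos, int depth)
{
    char c = s[*pos];
    int close = closer_for(c);

    if (close == 0) {
        /* A stray closing bracket has no matching opener: reject it. */
        if (c == ')' || c == ']' || c == '}')
            return PARSE_ERROR;
        (*pos)++;                    /* plain character, no recursion */
        return PARSE_OK;
    }

    /* The guard the vulnerable code lacks: refuse to open another block
     * when MAX_NESTING_DEPTH blocks already enclose it, instead of
     * recursing until the stack is exhausted. */
    if (depth >= MAX_NESTING_DEPTH)
        return PARSE_TOO_DEEP;

    (*pos)++;                        /* consume the opener */
    while (*pos < len && s[*pos] != close) {
        enum parse_status st = parse_any(s, len, pos, depth + 1);
        if (st != PARSE_OK)
            return st;
    }
    if (*pos >= len)
        return PARSE_ERROR;          /* input ended before the closer */
    (*pos)++;                        /* consume the closer */
    return PARSE_OK;
}

/* Parses a whole string as a sequence of "any" items. */
enum parse_status check_nesting(const char *css)
{
    size_t len = strlen(css), pos = 0;
    while (pos < len) {
        enum parse_status st = parse_any(css, len, &pos, 0);
        if (st != PARSE_OK)
            return st;
    }
    return PARSE_OK;
}

/* Constructs n nested parentheses "(((...)))" and parses them. */
enum parse_status nested_status(int n)
{
    char *buf = malloc((size_t)n * 2 + 1);
    if (!buf)
        return PARSE_ERROR;
    memset(buf, '(', (size_t)n);
    memset(buf + n, ')', (size_t)n);
    buf[2 * n] = '\0';
    enum parse_status st = check_nesting(buf);
    free(buf);
    return st;
}

int main(void)
{
    const char *samples[] = { "a { b (c) [d] }", "a { b", "a ) b" };
    for (size_t i = 0; i < 3; i++)
        printf("%-18s -> %d\n", samples[i], check_nesting(samples[i]));
    /* Without the depth guard this input would recurse 100000 levels deep. */
    printf("100000 nested blocks -> %d\n", nested_status(100000));
    return 0;
}
```

The guard turns unbounded input-controlled recursion into a bounded error path: a hostile stylesheet now costs at most MAX_NESTING_DEPTH stack frames, and the caller sees PARSE_TOO_DEEP rather than a crash. Running the program under the same `-fsanitize=address` build as in the reproduction steps is a quick way to confirm that deeply nested input no longer trips the stack-overflow detector.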
Created attachment 837796 [details] poc
I've added the patch for factory, but the relevant sources are now part of gnome-shell, and the original package is no longer maintained, so it should probably go away in the future. Rawhide already has it deleted.
# maintenance_jira_update_notice
openSUSE-SU-2021:3123-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1171685
CVE References: CVE-2020-12825
JIRA References:
Sources used:
  openSUSE Leap 15.3 (src): libcroco-0.6.13-3.3.1
# maintenance_jira_update_notice
SUSE-SU-2021:3123-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1171685
CVE References: CVE-2020-12825
JIRA References:
Sources used:
  SUSE MicroOS 5.0 (src): libcroco-0.6.13-3.3.1
  SUSE Linux Enterprise Module for Basesystem 15-SP3 (src): libcroco-0.6.13-3.3.1
  SUSE Linux Enterprise Module for Basesystem 15-SP2 (src): libcroco-0.6.13-3.3.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
# maintenance_jira_update_notice
SUSE-SU-2021:14800-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1171685
CVE References: CVE-2020-12825
JIRA References:
Sources used:
  SUSE Linux Enterprise Server 11-SP4-LTSS (src): libcroco-0.6.1-122.9.1
  SUSE Linux Enterprise Point of Sale 11-SP3 (src): libcroco-0.6.1-122.9.1
  SUSE Linux Enterprise Debuginfo 11-SP4 (src): libcroco-0.6.1-122.9.1
  SUSE Linux Enterprise Debuginfo 11-SP3 (src): libcroco-0.6.1-122.9.1
# maintenance_jira_update_notice
openSUSE-SU-2021:1294-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1171685
CVE References: CVE-2020-12825
JIRA References:
Sources used:
  openSUSE Leap 15.2 (src): libcroco-0.6.13-lp152.2.3.1
SUSE-SU-2022:2909-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1171685
CVE References: CVE-2020-12825
JIRA References:
Sources used:
  SUSE OpenStack Cloud Crowbar 9 (src): libcroco-0.6.11-12.6.45
  SUSE OpenStack Cloud 9 (src): libcroco-0.6.11-12.6.45
  SUSE Linux Enterprise Software Development Kit 12-SP5 (src): libcroco-0.6.11-12.6.45
  SUSE Linux Enterprise Server for SAP 12-SP4 (src): libcroco-0.6.11-12.6.45
  SUSE Linux Enterprise Server 12-SP5 (src): libcroco-0.6.11-12.6.45
  SUSE Linux Enterprise Server 12-SP4-LTSS (src): libcroco-0.6.11-12.6.45
  SUSE Linux Enterprise Server 12-SP3-BCL (src): libcroco-0.6.11-12.6.45
  SUSE Linux Enterprise Server 12-SP2-BCL (src): libcroco-0.6.11-12.6.45
SUSE-SU-2022:3493-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1171685
CVE References: CVE-2020-12825
JIRA References:
Sources used:
  SUSE Linux Enterprise Server for SAP 15-SP1 (src): libcroco-0.6.12-150000.4.6.2
  SUSE Linux Enterprise Server for SAP 15 (src): libcroco-0.6.12-150000.4.6.2
  SUSE Linux Enterprise Server 15-SP1-LTSS (src): libcroco-0.6.12-150000.4.6.2
  SUSE Linux Enterprise Server 15-SP1-BCL (src): libcroco-0.6.12-150000.4.6.2
  SUSE Linux Enterprise Server 15-LTSS (src): libcroco-0.6.12-150000.4.6.2
  SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (src): libcroco-0.6.12-150000.4.6.2
  SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (src): libcroco-0.6.12-150000.4.6.2
  SUSE Linux Enterprise High Performance Computing 15-LTSS (src): libcroco-0.6.12-150000.4.6.2
  SUSE Linux Enterprise High Performance Computing 15-ESPOS (src): libcroco-0.6.12-150000.4.6.2
  SUSE Enterprise Storage 6 (src): libcroco-0.6.12-150000.4.6.2
  SUSE CaaS Platform 4.0 (src): libcroco-0.6.12-150000.4.6.2