CVE-2017-7960
published 2017-04-19CVE-2017-7960: The cr_input_new_from_uri function in cr-input.c in libcroco 0.6.11 and 0.6.12 allows remote attackers to cause a denial of service (heap-based buffer…
PriorityP421medium5.5CVSS 3.0
AVLACLPRNUIRSUCNINAH
EPSS
2.00%
78.3th percentile
The cr_input_new_from_uri function in cr-input.c in libcroco 0.6.11 and 0.6.12 allows remote attackers to cause a denial of service (heap-based buffer over-read) via a crafted CSS file.
Affected
11 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| gnome | libcroco | — | — |
| gnome | libcroco | — | — |
| gnome | libcroco | >= 0 < 0.6.13-r1 | 0.6.13-r1 |
| gnome | libcroco | >= 0 < 0.6.13-r1 | 0.6.13-r1 |
| gnome | libcroco | >= 0 < 0.6.12-r1 | 0.6.12-r1 |
| gnome | libcroco | >= 0 < 0.6.12-r2 | 0.6.12-r2 |
| gnome | libcroco | >= 0 < 0.6.12-r2 | 0.6.12-r2 |
| gnome | libcroco | >= 0 < 0.6.13-1ubuntu0.1 | 0.6.13-1ubuntu0.1 |
| gnome | libcroco | >= 0 < 0.6.8-2ubuntu1+esm1 | 0.6.8-2ubuntu1+esm1 |
| gnome | libcroco | >= 0 < 0.6.11-1ubuntu0.1~esm1 | 0.6.11-1ubuntu0.1~esm1 |
| gnome | libcroco | >= 0 < 0.6.12-2ubuntu0.1~esm1 | 0.6.12-2ubuntu0.1~esm1 |
CVSS provenance
nvdv3.05.5MEDIUMCVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
nvdv2.04.3MEDIUMAV:N/AC:M/Au:N/C:N/I:N/A:P
osv5.5MEDIUM
vendor_redhat5.5MEDIUM
vendor_ubuntu5.5MEDIUM
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
OSV
libcroco vulnerabilities
osv·2024-08-13·CVSS 5.5
CVE-2017-7960 [MEDIUM] libcroco vulnerabilities
libcroco vulnerabilities
It was discovered that Libcroco was incorrectly accessing data structures
when reading bytes from memory, which could cause a heap buffer overflow.
An attacker could possibly use this issue to cause a denial of service.
This issue only affected Ubuntu 14.04 LTS. (CVE-2017-7960)
It was discovered that Libcroco was incorrectly handling invalid UTF-8
values when processing CSS files. An attacker could possibly use this
issue to cause a denial of service. (CVE-2017-8834, CVE-2017-8871)
It was discovered that Libcroco was incorrectly implementing recursion in
one of its parsing functions, which could cause an infinite recursion
loop and a stack overflow due to stack consumption. An attacker could
possibly use this issue to cause a denial of service. (CVE-2020-12825)
GHSA
GHSA-wmq5-69f7-qrqx: The cr_input_new_from_uri function in cr-input
ghsa_unreviewed·2022-05-13
CVE-2017-7960 [MEDIUM] CWE-125 GHSA-wmq5-69f7-qrqx: The cr_input_new_from_uri function in cr-input
The cr_input_new_from_uri function in cr-input.c in libcroco 0.6.11 and 0.6.12 allows remote attackers to cause a denial of service (heap-based buffer over-read) via a crafted CSS file.
OSV
libcroco vulnerabilities
osv·2022-04-26·CVSS 5.5
CVE-2017-7960 [MEDIUM] libcroco vulnerabilities
libcroco vulnerabilities
It was discovered that Libcroco was incorrectly accessing data structures when
reading bytes from memory, which could cause a heap buffer overflow. An attacker
could possibly use this issue to cause a denial of service. (CVE-2017-7960)
It was discovered that Libcroco was incorrectly handling invalid UTF-8 values
when processing CSS files. An attacker could possibly use this issue to cause
a denial of service. (CVE-2017-8834, CVE-2017-8871)
It was discovered that Libcroco was incorrectly implementing recursion in one
of its parsing functions, which could cause an infinite recursion loop and a
stack overflow due to stack consumption. An attacker could possibly use this
issue to cause a denial of service. (CVE-2020-12825)
OSV
CVE-2017-7960: The cr_input_new_from_uri function in cr-input
osv·2017-04-19·CVSS 5.5
CVE-2017-7960 [MEDIUM] CVE-2017-7960: The cr_input_new_from_uri function in cr-input
The cr_input_new_from_uri function in cr-input.c in libcroco 0.6.11 and 0.6.12 allows remote attackers to cause a denial of service (heap-based buffer over-read) via a crafted CSS file.
Ubuntu
Libcroco vulnerabilities
vendor_ubuntu·2024-08-13·CVSS 5.5
CVE-2017-8834 [MEDIUM] Libcroco vulnerabilities
Title: Libcroco vulnerabilities
Summary: Several security issues were fixed in Libcroco.
It was discovered that Libcroco was incorrectly accessing data structures
when reading bytes from memory, which could cause a heap buffer overflow.
An attacker could possibly use this issue to cause a denial of service.
This issue only affected Ubuntu 14.04 LTS. (CVE-2017-7960)
It was discovered that Libcroco was incorrectly handling invalid UTF-8
values when processing CSS files. An attacker could possibly use this
issue to cause a denial of service. (CVE-2017-8834, CVE-2017-8871)
It was discovered that Libcroco was incorrectly implementing recursion in
one of its parsing functions, which could cause an infinite recursion
loop and a stack overflow due to stack consumption. An attacker could
possib
Ubuntu
Libcroco vulnerabilities
vendor_ubuntu·2022-04-26·CVSS 5.5
CVE-2020-12825 [MEDIUM] Libcroco vulnerabilities
Title: Libcroco vulnerabilities
Summary: Several security issues were fixed in Libcroco.
It was discovered that Libcroco was incorrectly accessing data structures when
reading bytes from memory, which could cause a heap buffer overflow. An attacker
could possibly use this issue to cause a denial of service. (CVE-2017-7960)
It was discovered that Libcroco was incorrectly handling invalid UTF-8 values
when processing CSS files. An attacker could possibly use this issue to cause
a denial of service. (CVE-2017-8834, CVE-2017-8871)
It was discovered that Libcroco was incorrectly implementing recursion in one
of its parsing functions, which could cause an infinite recursion loop and a
stack overflow due to stack consumption. An attacker could possibly use this
issue to cause a denial of serv
Red Hat
libcroco: Out-of-bounds read due to missing index check in cr-input.c
vendor_redhat·2017-04-16·CVSS 5.5
CVE-2017-7960 [MEDIUM] CWE-125 libcroco: Out-of-bounds read due to missing index check in cr-input.c
libcroco: Out-of-bounds read due to missing index check in cr-input.c
The cr_input_new_from_uri function in cr-input.c in libcroco 0.6.11 and 0.6.12 allows remote attackers to cause a denial of service (heap-based buffer over-read) via a crafted CSS file.
Package: libcroco (Red Hat Enterprise Linux 5) - Will not fix
Package: libcroco (Red Hat Enterprise Linux 6) - Will not fix
Package: libcroco (Red Hat Enterprise Linux 7) - Will not fix
Package: libcroco (Red Hat Enterprise Linux 9) - Affected
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2017-7960 mingw-libcroco: libcroco: Out-of-bounds read due to missing index check in cr-input.c [fedora-all]
bugzilla·2017-04-25·CVSS 5.5
CVE-2017-7960 [MEDIUM] CVE-2017-7960 mingw-libcroco: libcroco: Out-of-bounds read due to missing index check in cr-input.c [fedora-all]
CVE-2017-7960 mingw-libcroco: libcroco: Out-of-bounds read due to missing index check in cr-input.c [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue
Bugzilla
CVE-2017-7960 libcroco: Out-of-bounds read due to missing index check in cr-input.c
bugzilla·2017-04-25·CVSS 5.5
CVE-2017-7960 [MEDIUM] CVE-2017-7960 libcroco: Out-of-bounds read due to missing index check in cr-input.c
CVE-2017-7960 libcroco: Out-of-bounds read due to missing index check in cr-input.c
The cr_input_new_from_uri function in cr-input.c in libcroco allows attackers to cause a denial of service (heap-based buffer over-read) via a crafted CSS file.
Upstream patch:
https://git.gnome.org/browse/libcroco/commit/?id=898e3a8c8c0314d2e6b106809a8e3e93cf9d4394
References:
https://blogs.gentoo.org/ago/2017/04/17/libcroco-heap-overflow-and-undefined-behavior/
Discussion:
Created libcroco tracking bugs for this issue:
Affects: fedora-all [bug 1445316]
Created mingw-libcroco tracking bugs for this issue:
Affects: fedora-all [bug 1445315]
Bugzilla
CVE-2017-7960 libcroco: Out-of-bounds read due to missing index check in cr-input.c [fedora-all]
bugzilla·2017-04-25·CVSS 5.5
CVE-2017-7960 [MEDIUM] CVE-2017-7960 libcroco: Out-of-bounds read due to missing index check in cr-input.c [fedora-all]
CVE-2017-7960 libcroco: Out-of-bounds read due to missing index check in cr-input.c [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple
http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00043.htmlhttps://blogs.gentoo.org/ago/2017/04/17/libcroco-heap-overflow-and-undefined-behavior/https://git.gnome.org/browse/libcroco/commit/?id=898e3a8c8c0314d2e6b106809a8e3e93cf9d4394https://security.gentoo.org/glsa/201707-13http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00043.htmlhttps://blogs.gentoo.org/ago/2017/04/17/libcroco-heap-overflow-and-undefined-behavior/https://git.gnome.org/browse/libcroco/commit/?id=898e3a8c8c0314d2e6b106809a8e3e93cf9d4394https://security.gentoo.org/glsa/201707-13
2017-04-19
Published