CVE-2017-7961
published 2017-04-19

CVE-2017-7961: The cr_tknzr_parse_rgb function in cr-tknzr.c in libcroco 0.6.11 and 0.6.12 has an "outside the range of representable values of type long" undefined behavior…

Priority: P431, high, 7.8 (CVSS 3.1)
Vector: AV:L / AC:L / PR:N / UI:R / S:U / C:H / I:H / A:H
EPSS: 1.97% (77.9th percentile)
The cr_tknzr_parse_rgb function in cr-tknzr.c in libcroco 0.6.11 and 0.6.12 has an "outside the range of representable values of type long" undefined behavior issue, which might allow remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted CSS file. NOTE: third-party analysis reports "This is not a security issue in my view. The conversion surely is truncating the double into a long value, but there is no impact as the value is one of the RGB components."

Affected

7 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| gnome | libcroco | | |
| gnome | libcroco | | |
| gnome | libcroco | >= 0 < 0.6.13-r1 | 0.6.13-r1 |
| gnome | libcroco | >= 0 < 0.6.13-r1 | 0.6.13-r1 |
| gnome | libcroco | >= 0 < 0.6.12-r1 | 0.6.12-r1 |
| gnome | libcroco | >= 0 < 0.6.12-r2 | 0.6.12-r2 |
| gnome | libcroco | >= 0 < 0.6.12-r2 | 0.6.12-r2 |

CVSS provenance

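| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| nvd | v3.0 | 7.8 | HIGH | CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 6.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P |
| osv | | 7.8 | HIGH | |
| vendor_redhat | | 7.8 | HIGH | |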