CVE-2017-8834
published 2017-06-12CVE-2017-8834: The cr_tknzr_parse_comment function in cr-tknzr.c in libcroco 0.6.12 allows remote attackers to cause a denial of service (memory allocation error) via a…
PriorityP335medium6.5CVSS 3.1
AVNACLPRNUIRSUCNINAH
EXPLOIT
EPSS
3.84%
88.8th percentile
The cr_tknzr_parse_comment function in cr-tknzr.c in libcroco 0.6.12 allows remote attackers to cause a denial of service (memory allocation error) via a crafted CSS file.
Affected
11 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| gnome | libcroco | — | — |
| gnome | libcroco | >= 0 < 0.6.13-r1 | 0.6.13-r1 |
| gnome | libcroco | >= 0 < 0.6.13-r1 | 0.6.13-r1 |
| gnome | libcroco | >= 0 < 0.6.12-r1 | 0.6.12-r1 |
| gnome | libcroco | >= 0 < 0.6.12-r2 | 0.6.12-r2 |
| gnome | libcroco | >= 0 < 0.6.12-r2 | 0.6.12-r2 |
| gnome | libcroco | >= 0 < 0.6.13-1ubuntu0.1 | 0.6.13-1ubuntu0.1 |
| gnome | libcroco | >= 0 < 0.6.8-2ubuntu1+esm1 | 0.6.8-2ubuntu1+esm1 |
| gnome | libcroco | >= 0 < 0.6.11-1ubuntu0.1~esm1 | 0.6.11-1ubuntu0.1~esm1 |
| gnome | libcroco | >= 0 < 0.6.12-2ubuntu0.1~esm1 | 0.6.12-2ubuntu0.1~esm1 |
| opensuse | leap | — | — |
CVSS provenance
nvdv3.16.5MEDIUMCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
nvdv2.04.3MEDIUMAV:N/AC:M/Au:N/C:N/I:N/A:P
osv6.5MEDIUM
vendor_redhat6.5MEDIUM
vendor_ubuntu5.5MEDIUM
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
Ubuntu
Libcroco vulnerabilities
vendor_ubuntu·2024-08-13·CVSS 5.5
CVE-2017-8834 [MEDIUM] Libcroco vulnerabilities
Title: Libcroco vulnerabilities
Summary: Several security issues were fixed in Libcroco.
It was discovered that Libcroco was incorrectly accessing data structures
when reading bytes from memory, which could cause a heap buffer overflow.
An attacker could possibly use this issue to cause a denial of service.
This issue only affected Ubuntu 14.04 LTS. (CVE-2017-7960)
It was discovered that Libcroco was incorrectly handling invalid UTF-8
values when processing CSS files. An attacker could possibly use this
issue to cause a denial of service. (CVE-2017-8834, CVE-2017-8871)
It was discovered that Libcroco was incorrectly implementing recursion in
one of its parsing functions, which could cause an infinite recursion
loop and a stack overflow due to stack consumption. An attacker could
possib
Ubuntu
Libcroco vulnerabilities
vendor_ubuntu·2022-04-26·CVSS 5.5
CVE-2020-12825 [MEDIUM] Libcroco vulnerabilities
Title: Libcroco vulnerabilities
Summary: Several security issues were fixed in Libcroco.
It was discovered that Libcroco was incorrectly accessing data structures when
reading bytes from memory, which could cause a heap buffer overflow. An attacker
could possibly use this issue to cause a denial of service. (CVE-2017-7960)
It was discovered that Libcroco was incorrectly handling invalid UTF-8 values
when processing CSS files. An attacker could possibly use this issue to cause
a denial of service. (CVE-2017-8834, CVE-2017-8871)
It was discovered that Libcroco was incorrectly implementing recursion in one
of its parsing functions, which could cause an infinite recursion loop and a
stack overflow due to stack consumption. An attacker could possibly use this
issue to cause a denial of serv
Red Hat
libcroco: Memory allocation failure in the cr_tknzr_parse_comment function
vendor_redhat·2017-06-07·CVSS 6.5
CVE-2017-8834 [MEDIUM] libcroco: Memory allocation failure in the cr_tknzr_parse_comment function
libcroco: Memory allocation failure in the cr_tknzr_parse_comment function
The cr_tknzr_parse_comment function in cr-tknzr.c in libcroco 0.6.12 allows remote attackers to cause a denial of service (memory allocation error) via a crafted CSS file.
Package: libcroco (Red Hat Enterprise Linux 5) - Will not fix
Package: libcroco (Red Hat Enterprise Linux 6) - Will not fix
Package: libcroco (Red Hat Enterprise Linux 7) - Will not fix
Package: libcroco (Red Hat Enterprise Linux 9) - Affected
OSV
libcroco vulnerabilities
osv·2024-08-13·CVSS 5.5
CVE-2017-7960 [MEDIUM] libcroco vulnerabilities
libcroco vulnerabilities
It was discovered that Libcroco was incorrectly accessing data structures
when reading bytes from memory, which could cause a heap buffer overflow.
An attacker could possibly use this issue to cause a denial of service.
This issue only affected Ubuntu 14.04 LTS. (CVE-2017-7960)
It was discovered that Libcroco was incorrectly handling invalid UTF-8
values when processing CSS files. An attacker could possibly use this
issue to cause a denial of service. (CVE-2017-8834, CVE-2017-8871)
It was discovered that Libcroco was incorrectly implementing recursion in
one of its parsing functions, which could cause an infinite recursion
loop and a stack overflow due to stack consumption. An attacker could
possibly use this issue to cause a denial of service. (CVE-2020-12825)
GHSA
GHSA-8758-v3mx-r8pc: The cr_tknzr_parse_comment function in cr-tknzr
ghsa_unreviewed·2022-05-13
CVE-2017-8834 [MEDIUM] CWE-119 GHSA-8758-v3mx-r8pc: The cr_tknzr_parse_comment function in cr-tknzr
The cr_tknzr_parse_comment function in cr-tknzr.c in libcroco 0.6.12 allows remote attackers to cause a denial of service (memory allocation error) via a crafted CSS file.
OSV
libcroco vulnerabilities
osv·2022-04-26·CVSS 5.5
CVE-2017-7960 [MEDIUM] libcroco vulnerabilities
libcroco vulnerabilities
It was discovered that Libcroco was incorrectly accessing data structures when
reading bytes from memory, which could cause a heap buffer overflow. An attacker
could possibly use this issue to cause a denial of service. (CVE-2017-7960)
It was discovered that Libcroco was incorrectly handling invalid UTF-8 values
when processing CSS files. An attacker could possibly use this issue to cause
a denial of service. (CVE-2017-8834, CVE-2017-8871)
It was discovered that Libcroco was incorrectly implementing recursion in one
of its parsing functions, which could cause an infinite recursion loop and a
stack overflow due to stack consumption. An attacker could possibly use this
issue to cause a denial of service. (CVE-2020-12825)
OSV
CVE-2017-8834: The cr_tknzr_parse_comment function in cr-tknzr
osv·2017-06-12·CVSS 6.5
CVE-2017-8834 [MEDIUM] CVE-2017-8834: The cr_tknzr_parse_comment function in cr-tknzr
The cr_tknzr_parse_comment function in cr-tknzr.c in libcroco 0.6.12 allows remote attackers to cause a denial of service (memory allocation error) via a crafted CSS file.
No detection rules found.
Bugzilla
CVE-2017-8834 libcroco: Memory allocation failure in the cr_tknzr_parse_comment function
bugzilla·2017-06-20·CVSS 6.5
CVE-2017-8834 [MEDIUM] CVE-2017-8834 libcroco: Memory allocation failure in the cr_tknzr_parse_comment function
CVE-2017-8834 libcroco: Memory allocation failure in the cr_tknzr_parse_comment function
The cr_tknzr_parse_comment function in cr-tknzr.c in libcroco allows attackers to cause a denial of service (memory allocation error) via a crafted CSS file.
Upstream issue:
https://bugzilla.gnome.org/show_bug.cgi?id=782647
Discussion:
Created libcroco tracking bugs for this issue:
Affects: fedora-all [bug 1463308]
Created mingw-libcroco tracking bugs for this issue:
Affects: fedora-all [bug 1463309]
Bugzilla
CVE-2017-8834 CVE-2017-8871 mingw-libcroco: various flaws [fedora-all]
bugzilla·2017-06-20·CVSS 6.5
CVE-2017-8834 [MEDIUM] CVE-2017-8834 CVE-2017-8871 mingw-libcroco: various flaws [fedora-all]
CVE-2017-8834 CVE-2017-8871 mingw-libcroco: various flaws [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple supported versions of Fed
Bugzilla
CVE-2017-8834 CVE-2017-8871 libcroco: various flaws [fedora-all]
bugzilla·2017-06-20·CVSS 6.5
CVE-2017-8834 [MEDIUM] CVE-2017-8834 CVE-2017-8871 libcroco: various flaws [fedora-all]
CVE-2017-8834 CVE-2017-8871 libcroco: various flaws [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple supported versions of Fedora. W
http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00043.htmlhttp://www.openwall.com/lists/oss-security/2020/08/13/3https://bugzilla.gnome.org/show_bug.cgi?id=782647https://www.exploit-db.com/exploits/42147/http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00043.htmlhttp://www.openwall.com/lists/oss-security/2020/08/13/3https://bugzilla.gnome.org/show_bug.cgi?id=782647https://www.exploit-db.com/exploits/42147/
2017-06-12
Published