CVE-2018-6126
Published: 2019-01-09
Priority: P2 59 high · CVSS 3.0 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EXPLOIT
EPSS: 7.67% (93.8th percentile)
A precision error in Skia in Google Chrome prior to 67.0.3396.62 allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page.
Affected
9 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | debian_linux | — | — |
| debian | debian_linux | — | — |
| debian | firefox | < firefox 60.0.2-1 (sid) | firefox 60.0.2-1 (sid) |
| debian | firefox-esr | < firefox 60.0.2-1 (sid) | firefox 60.0.2-1 (sid) |
| google | chrome | < 67.0.3396.62 | 67.0.3396.62 |
| google | chrome | >= unspecified, < 67.0.3396.62 | 67.0.3396.62 |
| redhat | enterprise_linux_desktop | — | — |
| redhat | enterprise_linux_server | — | — |
| redhat | enterprise_linux_workstation | — | — |
Detection & IOCs (extracted from sources)
- The exploit path involves SkScan::FillPath → walk_convex_edges → SkARGB32_Shader_Blitter::blitH writing out of bounds. Crash signatures in ASan/UBSan logs will reference SkScan_Path.cpp and SkEdge.cpp in the Skia library stack trace.
- UBSan runtime error signature to look for in crash telemetry: 'left shift of negative value -1' originating from SkPixmap.h, indicating that the out-of-bounds X coordinate (-1) reached the pixel write path.
- ASan heap-buffer-overflow crash signature: WRITE of size 4 immediately past a 400-byte heap region, triggered from the Sk4fLinearGradient.cpp shadeSpan path; useful for correlating crash dumps.
- The vulnerability is exploitable via a crafted SVG with cubic bezier paths (cubicTo) using near-zero negative coordinates (e.g., -31/64) combined with a linear gradient shader. Detection of such SVG patterns in web content may indicate exploitation attempts.
- The heap overflow only triggers when anti-aliasing is turned off in Skia. Deployments or configurations that force anti-aliasing on are not affected by this specific code path.
- Both Chrome and Firefox are affected via their shared use of the Skia library. Firefox ESR 52 and ESR 60 are also listed as vulnerable; the fix for Firefox landed in 60.0.2.
- The Red Hat Enterprise Linux 8 Firefox package is listed as Not Affected; patching priority should focus on RHEL 6/7 and Fedora systems running unpatched Firefox or Chromium.
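The crash signatures listed above are only useful if someone actually checks incoming crash reports for them. The following triage helper is an added example, not part of this page's sources or of any vendor tooling: it searches a sanitizer crash report for the indicators named in the list (the UBSan negative-shift message from SkPixmap.h, the ASan 4-byte WRITE past a 400-byte region, and the SkScan::FillPath / walk_convex_edges / SkARGB32_Shader_Blitter::blitH frames and their source files) and returns a verdict. The indicator names, the thresholds in `classify`, and the three sample reports are all constructed here for illustration; the source line numbers in the samples are made up.

```python
"""Triage helper: flag sanitizer crash reports whose signatures match the Skia
indicators listed for CVE-2018-6126. Indicator names and sample reports are
constructed for this example; they are not real crash dumps."""
import re
from typing import Dict, List

# Each indicator is a regex over the whole report text. Labels are our own.
INDICATORS: Dict[str, re.Pattern] = {
    # UBSan: the out-of-bounds X coordinate (-1) reaching the pixel write path.
    "ubsan_negative_shift": re.compile(
        r"SkPixmap\.h:\d+:\d+: runtime error: left shift of negative value -1"),
    # ASan: a 4-byte write immediately past a 400-byte heap region.
    "asan_heap_overflow": re.compile(r"AddressSanitizer: heap-buffer-overflow"),
    "asan_write_size_4": re.compile(r"\bWRITE of size 4\b"),
    "asan_400_byte_region": re.compile(r"\b400-byte region\b"),
    # Stack-trace frames and source files from the Skia rasterization path.
    "frame_fillpath": re.compile(r"SkScan::FillPath"),
    "frame_walk_convex_edges": re.compile(r"\bwalk_convex_edges\b"),
    "frame_shader_blitH": re.compile(r"SkARGB32_Shader_Blitter::blitH"),
    "src_skscan_path": re.compile(r"SkScan_Path\.cpp"),
    "src_skedge": re.compile(r"SkEdge\.cpp"),
    "src_linear_gradient": re.compile(r"Sk4fLinearGradient\.cpp"),
}


def match_indicators(report: str) -> List[str]:
    """Return the sorted names of all indicators present in a crash report."""
    return sorted(name for name, rx in INDICATORS.items() if rx.search(report))


def classify(report: str) -> str:
    """Map matched indicators to a triage verdict.

    'strong': a sanitizer signature specific to this bug (the UBSan negative
              shift, or an ASan 4-byte heap write reached through the linear
              gradient shader or the FillPath rasterizer).
    'weak'  : only Skia rasterizer frames/files, which also show up in
              unrelated Skia crashes; worth a look, not conclusive.
    'none'  : nothing from the indicator list.
    """
    hits = set(match_indicators(report))
    if "ubsan_negative_shift" in hits:
        return "strong"
    asan = {"asan_heap_overflow", "asan_write_size_4"} <= hits
    via_skia = hits & {"src_linear_gradient", "frame_fillpath", "src_skscan_path"}
    if asan and via_skia:
        return "strong"
    return "weak" if hits else "none"


# --- constructed sample reports (not real crash dumps) ----------------------
SAMPLE_UBSAN = """\
../../third_party/skia/src/core/SkPixmap.h:118:13: runtime error: left shift of negative value -1
    #0 0x7f in SkPixmap::writable_addr32(int, int) const SkPixmap.h:118
    #1 0x7f in SkARGB32_Shader_Blitter::blitH(int, int, int) SkBlitter_ARGB32.cpp
    #2 0x7f in walk_convex_edges SkScan_Path.cpp
    #3 0x7f in SkScan::FillPath(SkPath const&, SkRegion const&, SkBlitter*) SkScan_Path.cpp
"""

SAMPLE_ASAN = """\
==4242==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6190000001d0
WRITE of size 4 at 0x6190000001d0 thread T0
    #0 0x7f in shadeSpan Sk4fLinearGradient.cpp
    #1 0x7f in SkARGB32_Shader_Blitter::blitH(int, int, int) SkBlitter_ARGB32.cpp
    #2 0x7f in walk_convex_edges SkScan_Path.cpp
0x6190000001d0 is located 0 bytes to the right of 400-byte region [0x619000000040,0x6190000001d0)
"""

SAMPLE_UNRELATED = """\
==4343==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000
    #0 0x7f in nsLayoutUtils::GetFrameFor(nsIFrame*) nsLayoutUtils.cpp
    #1 0x7f in PresShell::Paint(nsView*) PresShell.cpp
"""

if __name__ == "__main__":
    for label, report in (("ubsan", SAMPLE_UBSAN), ("asan", SAMPLE_ASAN),
                          ("other", SAMPLE_UNRELATED)):
        print(f"{label:6s} {classify(report):6s} {match_indicators(report)}")
```

The 'weak' tier exists because SkScan_Path.cpp and SkEdge.cpp frames appear in any Skia path-rasterization crash; only the sanitizer messages tie a report to this specific bug. Production (non-sanitizer) crash dumps from Chrome or Firefox will carry the frame names but not the UBSan/ASan lines, so for those only the frame-based 'weak' signal is available and fleet-wide correlation with a vendor advisory is needed before treating a crash as an exploitation attempt.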
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.0 | 8.8 | HIGH | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| nvd | 2.0 | 6.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P |
| osv | — | 8.8 | HIGH | — |
| vendor_debian | — | 8.8 | HIGH | — |
| vendor_redhat | — | 8.8 | HIGH | — |
Ubuntu
Firefox vulnerability
vendor_ubuntu·2018-06-12
CVE-2018-6126 Firefox vulnerability
Title: Firefox vulnerability
Summary: Firefox could be made to crash or run programs as your login if it opened a malicious website.
A heap buffer overflow was discovered in Skia. If a user were tricked into opening a specially crafted website, an attacker could potentially exploit this to cause a denial of service, or execute arbitrary code.
Instructions: After a standard system update you need to restart Firefox to make all the necessary changes.
Red Hat
Skia: Heap buffer overflow rasterizing paths in SVG
vendor_redhat·2018-05-29·CVSS 8.8
CVE-2018-6126 [HIGH] Skia: Heap buffer overflow rasterizing paths in SVG
Skia: Heap buffer overflow rasterizing paths in SVG
A precision error in Skia in Google Chrome prior to 67.0.3396.62 allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page.
Package: firefox (Red Hat Enterprise Linux 8) - Not affected
Debian
CVE-2018-6126: firefox - A precision error in Skia in Google Chrome prior to 67.0.3396.62 allowed a remot...
vendor_debian·2018·CVSS 8.8
CVE-2018-6126 [HIGH] CVE-2018-6126: firefox - A precision error in Skia in Google Chrome prior to 67.0.3396.62 allowed a remot...
A precision error in Skia in Google Chrome prior to 67.0.3396.62 allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page.
Scope: local
sid: resolved (fixed in 60.0.2-1)
GHSA
GHSA-jhg2-2xh7-hgw9: A precision error in Skia in Google Chrome prior to 67
ghsa_unreviewed·2022-05-14
CVE-2018-6126 [HIGH] CWE-787 GHSA-jhg2-2xh7-hgw9: A precision error in Skia in Google Chrome prior to 67
A precision error in Skia in Google Chrome prior to 67.0.3396.62 allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page.
OSV
CVE-2018-6126: A precision error in Skia in Google Chrome prior to 67
osv·2019-01-09·CVSS 8.8
CVE-2018-6126 [HIGH] CVE-2018-6126: A precision error in Skia in Google Chrome prior to 67
A precision error in Skia in Google Chrome prior to 67.0.3396.62 allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page.
No detection rules found.
Bugzilla
CVE-2018-6126 firefox: chromium-browser: Heap buffer overflow in Skia [fedora-all]
bugzilla·2018-06-14·CVSS 8.8
CVE-2018-6126 [HIGH] CVE-2018-6126 firefox: chromium-browser: Heap buffer overflow in Skia [fedora-all]
CVE-2018-6126 firefox: chromium-browser: Heap buffer overflow in Skia [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple supported ver
Bugzilla
CVE-2018-6126 Skia: Heap buffer overflow rasterizing paths in SVG
bugzilla·2018-05-30·CVSS 8.8
CVE-2018-6126 [HIGH] CVE-2018-6126 Skia: Heap buffer overflow rasterizing paths in SVG
CVE-2018-6126 Skia: Heap buffer overflow rasterizing paths in SVG
A heap buffer overflow flaw was found in the Skia component of the Chromium browser.
Upstream bug(s):
https://code.google.com/p/chromium/issues/detail?id=844457
External References:
https://chromereleases.googleblog.com/2018/05/stable-channel-update-for-desktop_58.html
Discussion:
Created chromium tracking bugs for this issue:
Affects: epel-7 [bug 1584060]
Affects: fedora-all [bug 1584059]
---
This issue has been addressed in the following products:
Red Hat Enterprise Linux 6 Supplementary
Via RHSA-2018:1815 https://access.redhat.com/errata/RHSA-2018:1815
---
Mozilla Firefox ESR 52 and ESR 60 are also vulnerable.
Upstream Advisory:
https://www.mozilla.org/en-US/security/advisories/mfsa2018-14/
---
Created
Bugzilla
CVE-2018-6123 CVE-2018-6124 CVE-2018-6125 CVE-2018-6126 CVE-2018-6127 CVE-2018-6129 CVE-2018-6130 CVE-2018-6131 CVE-2018-6132 CVE-2018-6133 CVE-2018-6134 CVE-2018-6135 CVE-2018-6136 CVE-2018-6137 CVE-
bugzilla·2018-05-30·CVSS 6.5
CVE-2018-6123 [MEDIUM] CVE-2018-6123 CVE-2018-6124 CVE-2018-6125 CVE-2018-6126 CVE-2018-6127 CVE-2018-6129 CVE-2018-6130 CVE-2018-6131 CVE-2018-6132 CVE-2018-6133 CVE-2018-6134 CVE-2018-6135 CVE-2018-6136 CVE-2018-6137 CVE-
CVE-2018-6123 CVE-2018-6124 CVE-2018-6125 CVE-2018-6126 CVE-2018-6127 CVE-2018-6129 CVE-2018-6130 CVE-2018-6131 CVE-2018-6132 CVE-2018-6133 CVE-2018-6134 CVE-2018-6135 CVE-2018-6136 CVE-2018-6137 CVE-2018-6138 ... chromium: various flaws [epel-7]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of epel-7.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-l
Bugzilla
CVE-2018-6123 CVE-2018-6124 CVE-2018-6125 CVE-2018-6126 CVE-2018-6127 CVE-2018-6129 CVE-2018-6130 CVE-2018-6131 CVE-2018-6132 CVE-2018-6133 CVE-2018-6134 CVE-2018-6135 CVE-2018-6136 CVE-2018-6137 CVE-
bugzilla·2018-05-30·CVSS 6.5
CVE-2018-6123 [MEDIUM] CVE-2018-6123 CVE-2018-6124 CVE-2018-6125 CVE-2018-6126 CVE-2018-6127 CVE-2018-6129 CVE-2018-6130 CVE-2018-6131 CVE-2018-6132 CVE-2018-6133 CVE-2018-6134 CVE-2018-6135 CVE-2018-6136 CVE-2018-6137 CVE-
CVE-2018-6123 CVE-2018-6124 CVE-2018-6125 CVE-2018-6126 CVE-2018-6127 CVE-2018-6129 CVE-2018-6130 CVE-2018-6131 CVE-2018-6132 CVE-2018-6133 CVE-2018-6134 CVE-2018-6135 CVE-2018-6136 CVE-2018-6137 CVE-2018-6138 ... chromium: various flaws [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the releva
Bugzilla
Firefox/Skia: Heap overflow in SkScan::FillPath due to precision error
bugzilla·2018-05-18
[MEDIUM] Firefox/Skia: Heap overflow in SkScan::FillPath due to precision error
Firefox/Skia: Heap overflow in SkScan::FillPath due to precision error
Created attachment 8977044
test_ff.html
User Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.181 Safari/537.36
Steps to reproduce:
***Please note: This bug is subject to a 90 day disclosure deadline. After 90 days elapse or a patch has been made broadly available (whichever is earlier), the bug report will become visible to the public.***
With any fix, please give credit for identifying the vulnerability to Ivan Fratric of Google Project Zero.
There is a heap overflow in Skia when drawing paths with antialiasing turned off. This issue can be triggered in Firefox by rendering a specially crafted SVG image. A test sample is attached. It crashes the current Firefox Asan
References
- http://www.securityfocus.com/bid/104309
- http://www.securityfocus.com/bid/104411
- http://www.securitytracker.com/id/1041014
- http://www.securitytracker.com/id/1041046
- https://access.redhat.com/errata/RHSA-2018:1815
- https://access.redhat.com/errata/RHSA-2018:2112
- https://access.redhat.com/errata/RHSA-2018:2113
- https://chromereleases.googleblog.com/2018/05/stable-channel-update-for-desktop_58.html
- https://crbug.com/844457
- https://security.gentoo.org/glsa/201810-01
- https://www.debian.org/security/2018/dsa-4220
- https://www.debian.org/security/2018/dsa-4237
- https://www.exploit-db.com/exploits/45098/