Sicherheit: Mehrere Probleme in Libcroco

Lesezeichen hinzufügen

This is an OpenPGP/MIME signed message (RFC 4880 and 3156)
--===============3977642541018405753==
Content-Language: en-US
Content-Type: multipart/signed; micalg=pgp-sha256;
protocol="application/pgp-signature";
boundary="------------hwMM039JbRPn5Yl1Cwrcw0b4"

This is an OpenPGP/MIME signed message (RFC 4880 and 3156)
--------------hwMM039JbRPn5Yl1Cwrcw0b4
Content-Type: multipart/mixed;
boundary="------------CBvngUIrp4qmIgx80MEWqUKN";
protected-headers="v1"
From: Camila Camargo de Matos <camila.camargodematos@canonical.com>
Reply-To: security@ubuntu.com
To: ubuntu-security-announce@lists.ubuntu.com
Message-ID: <284191b4-c5fe-dbdc-92e5-20284a8ea8dc@canonical.com>
Subject: [USN-5389-1] Libcroco vulnerabilities

--------------CBvngUIrp4qmIgx80MEWqUKN
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: base64

==========================================================================
Ubuntu Security Notice USN-5389-1
April 26, 2022

libcroco vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 16.04 ESM

Summary:

Several security issues were fixed in Libcroco.

Software Description:
- libcroco: Cascading Style Sheet (CSS) parsing and manipulation toolkit

Details:

It was discovered that Libcroco was incorrectly accessing data
structures when
reading bytes from memory, which could cause a heap buffer overflow. An
attacker
could possibly use this issue to cause a denial of service. (CVE-2017-7960)

It was discovered that Libcroco was incorrectly handling invalid UTF-8
values
when processing CSS files. An attacker could possibly use this issue to
cause
a denial of service. (CVE-2017-8834, CVE-2017-8871)

It was discovered that Libcroco was incorrectly implementing recursion
in one
of its parsing functions, which could cause an infinite recursion loop and a
stack overflow due to stack consumption. An attacker could possibly use this
issue to cause a denial of service. (CVE-2020-12825)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 16.04 ESM:
libcroco-tools 0.6.11-1ubuntu0.1~esm1
libcroco3 0.6.11-1ubuntu0.1~esm1

In general, a standard system update will make all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-5389-1
CVE-2017-7960, CVE-2017-8834, CVE-2017-8871, CVE-2020-12825

--------------CBvngUIrp4qmIgx80MEWqUKN--

--------------hwMM039JbRPn5Yl1Cwrcw0b4
Content-Type: application/pgp-signature; name="OpenPGP_signature.asc"
Content-Description: OpenPGP digital signature
Content-Disposition: attachment; filename="OpenPGP_signature"

-----BEGIN PGP SIGNATURE-----

wsB5BAABCAAjFiEEGq96SdAIJY1vInRLbzAtCH6LqTYFAmJoBAoFAwAAAAAACgkQbzAtCH6LqTbE
Cgf/faZIXHn5pLmc1t/7STXup4XvOvcUPQ6UFMtgWccbXoRNX3ZQbnfTWQRS7a4I3HjblpZRVT/v
qyh4l+CWK5/AzFQQv9gyrE2PvXKFWDtwsiimEPg1EViKJCWic5yGKUoW5Ucea6U3/8YEgZ3Ye2nU
s8hszFI0Xeryk9VIIQQPd041UFsCQHwZVevqahkKaIeMMe4ZigLJeCNUwJisElAJjgksP2wxC17W
8iuHphkfO8vcfrgtBalqPrhc5FGXjSltmRg7pRWcg4F95u1nVsRCylcwyK+Wzk6ehkfqO0Pn5I9r
EbIAosKlzaFOgnmrN9e9hllPScTMh9dX8GMljdYKkw==
=RPGq
-----END PGP SIGNATURE-----

--------------hwMM039JbRPn5Yl1Cwrcw0b4--

--===============3977642541018405753==
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: base64
Content-Disposition: inline

Cg==

--===============3977642541018405753==--