Gentoo Archives: gentoo-announce

From: glsamaker@g.o
To: gentoo-announce@l.g.o
Subject: [gentoo-announce] [ GLSA 202208-33 ] Gnome Shell, gettext, libcroco: Multiple Vulnerabilities
Date: Sun, 21 Aug 2022 01:52:27
Message-Id: 166104569307.12.12051206097586297195@7b72ab9f548d
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 202208-33
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
Title: Gnome Shell, gettext, libcroco: Multiple Vulnerabilities
Date: August 21, 2022
Bugs: #722752, #755848, #769998
ID: 202208-33

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A vulnerability has been found in libcroco which could result in denial
of service.

Background
==========

GNOME Shell provides core user interface functions for the GNOME
desktop, like switching to windows and launching applications.

gettext contains the GNU locale utilities.

libcroco is a standalone CSS2 parsing and manipulation library.

Affected packages
=================

    -------------------------------------------------------------------
     Package                  /   Vulnerable   /            Unaffected
    -------------------------------------------------------------------
  1  dev-libs/libcroco            < 0.6.13                   >= 0.6.13
  2  gnome-base/gnome-shell       < 3.36.7                   >= 3.36.7
  3  sys-devel/gettext            < 0.21                     >= 0.21

Description
===========

The cr_parser_parse_any_core function in libcroco's cr-parser.c does not
limit recursion, leading to a denial of service via a stack overflow
when trying to parse crafted CSS.

Gnome Shell and gettext bundle libcroco in their own sources and thus
are potentially vulnerable as well.
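
The missing control described above, shown as an added example (not
libcroco's code or its actual patch): a small recursive-descent parser
for nested ( ) and [ ] groups that passes its nesting depth down and
fails once the depth exceeds a cap. MAX_DEPTH, parse_any and parse_value
are names and values assumed for this sketch.

```c
#include <stdio.h>
#include <string.h>

#define MAX_DEPTH 100 /* assumed cap for this sketch, not libcroco's value */

enum parse_status { PARSE_OK, PARSE_SYNTAX_ERROR, PARSE_TOO_DEEP };

/* Parse one term: a plain character, or a (...) / [...] group of terms.
 * depth counts the enclosing groups; the check runs before any recursion,
 * so stack use is bounded by MAX_DEPTH no matter what the input says. */
static enum parse_status parse_any(const char **p, const char *end,
                                   unsigned depth)
{
    if (depth > MAX_DEPTH)
        return PARSE_TOO_DEEP;      /* fail closed instead of recursing */
    if (*p >= end)
        return PARSE_SYNTAX_ERROR;
    char open = *(*p)++;
    char close = open == '(' ? ')' : open == '[' ? ']' : 0;
    if (!close)                     /* plain character or stray closer */
        return (open == ')' || open == ']') ? PARSE_SYNTAX_ERROR : PARSE_OK;
    while (*p < end && **p != close) {
        enum parse_status st = parse_any(p, end, depth + 1);
        if (st != PARSE_OK)
            return st;
    }
    if (*p >= end)
        return PARSE_SYNTAX_ERROR;  /* unterminated group */
    (*p)++;                         /* consume the closing bracket */
    return PARSE_OK;
}

/* Parse a whole buffer of terms; returns the first error encountered. */
enum parse_status parse_value(const char *buf, size_t len)
{
    const char *p = buf, *end = buf + len;
    enum parse_status st = PARSE_OK;
    while (st == PARSE_OK && p < end)
        st = parse_any(&p, end, 0);
    return st;
}

int main(void)
{
    static char deep[200000];       /* constructed input: 200000 '(' */
    memset(deep, '(', sizeof deep);
    printf("nested: %d\n", parse_value("(a[b]c)", 7));
    printf("deep:   %d\n", parse_value(deep, sizeof deep));
    return 0;
}
```

Without the depth check, the constructed 200000-bracket input would cost
one stack frame per bracket; with it, the parser returns PARSE_TOO_DEEP
after at most MAX_DEPTH + 2 frames.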

Impact
======

An attacker with control over the input to the library can cause a
denial of service.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All gettext users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=sys-devel/gettext-0.21"

All Gnome Shell users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=gnome-base/gnome-shell-3.36.7"

All libcroco users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=dev-libs/libcroco-0.6.13"

References
==========

[ 1 ] CVE-2020-12825
      https://nvd.nist.gov/vuln/detail/CVE-2020-12825

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202208-33

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@g.o or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2022 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5
