libcroco-0.6.13-3.2 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2024:10932 Final 1 1 2024-06-17T21:45:33Z current 2024-06-17T21:45:33Z 2024-06-17T21:45:33Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z libcroco-0.6.13-3.2 on GA media These are all security issues fixed in the libcroco-0.6.13-3.2 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2024-10932 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) E-Mail link for openSUSE-SU-2024:10932 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2017-7960/ SUSE CVE CVE-2017-7960 page https://www.suse.com/security/cve/CVE-2017-7961/ SUSE CVE CVE-2017-7961 page https://www.suse.com/security/cve/CVE-2017-8834/ SUSE CVE CVE-2017-8834 page https://www.suse.com/security/cve/CVE-2017-8871/ SUSE CVE CVE-2017-8871 page https://www.suse.com/security/cve/CVE-2020-12825/ SUSE CVE CVE-2020-12825 page openSUSE Tumbleweed libcroco-0.6.13-3.2 libcroco-0_6-3-0.6.13-3.2 libcroco-0_6-3-32bit-0.6.13-3.2 libcroco-devel-0.6.13-3.2 libcroco-0.6.13-3.2 as a component of openSUSE Tumbleweed libcroco-0_6-3-0.6.13-3.2 as a component of openSUSE Tumbleweed libcroco-0_6-3-32bit-0.6.13-3.2 as a component of openSUSE Tumbleweed libcroco-devel-0.6.13-3.2 as a component of openSUSE Tumbleweed The cr_input_new_from_uri function in cr-input.c in libcroco 0.6.11 and 0.6.12 allows remote attackers to cause a denial of service (heap-based buffer over-read) via a crafted CSS file. CVE-2017-7960 openSUSE Tumbleweed:libcroco-0.6.13-3.2 openSUSE Tumbleweed:libcroco-0_6-3-0.6.13-3.2 openSUSE Tumbleweed:libcroco-0_6-3-32bit-0.6.13-3.2 openSUSE Tumbleweed:libcroco-devel-0.6.13-3.2 moderate 5.8 AV:N/AC:M/Au:N/C:P/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2017-7960.html CVE-2017-7960 https://bugzilla.suse.com/1034481 SUSE Bug 1034481 ** DISPUTED ** The cr_tknzr_parse_rgb function in cr-tknzr.c in libcroco 0.6.11 and 0.6.12 has an "outside the range of representable values of type long" undefined behavior issue, which might allow remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted CSS file. NOTE: third-party analysis reports "This is not a security issue in my view. The conversion surely is truncating the double into a long value, but there is no impact as the value is one of the RGB components." CVE-2017-7961 openSUSE Tumbleweed:libcroco-0.6.13-3.2 openSUSE Tumbleweed:libcroco-0_6-3-0.6.13-3.2 openSUSE Tumbleweed:libcroco-0_6-3-32bit-0.6.13-3.2 openSUSE Tumbleweed:libcroco-devel-0.6.13-3.2 moderate 0 AV:N/AC:L/Au:N/C:N/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2017-7961.html CVE-2017-7961 https://bugzilla.suse.com/1034482 SUSE Bug 1034482 https://bugzilla.suse.com/1132069 SUSE Bug 1132069 The cr_tknzr_parse_comment function in cr-tknzr.c in libcroco 0.6.12 allows remote attackers to cause a denial of service (memory allocation error) via a crafted CSS file. CVE-2017-8834 openSUSE Tumbleweed:libcroco-0.6.13-3.2 openSUSE Tumbleweed:libcroco-0_6-3-0.6.13-3.2 openSUSE Tumbleweed:libcroco-0_6-3-32bit-0.6.13-3.2 openSUSE Tumbleweed:libcroco-devel-0.6.13-3.2 moderate 2.6 AV:N/AC:H/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2017-8834.html CVE-2017-8834 https://bugzilla.suse.com/1043898 SUSE Bug 1043898 https://bugzilla.suse.com/1043899 SUSE Bug 1043899 The cr_parser_parse_selector_core function in cr-parser.c in libcroco 0.6.12 allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via a crafted CSS file. CVE-2017-8871 openSUSE Tumbleweed:libcroco-0.6.13-3.2 openSUSE Tumbleweed:libcroco-0_6-3-0.6.13-3.2 openSUSE Tumbleweed:libcroco-0_6-3-32bit-0.6.13-3.2 openSUSE Tumbleweed:libcroco-devel-0.6.13-3.2 moderate 2.6 AV:N/AC:H/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2017-8871.html CVE-2017-8871 https://bugzilla.suse.com/1043898 SUSE Bug 1043898 https://bugzilla.suse.com/1043899 SUSE Bug 1043899 libcroco through 0.6.13 has excessive recursion in cr_parser_parse_any_core in cr-parser.c, leading to stack consumption. CVE-2020-12825 openSUSE Tumbleweed:libcroco-0.6.13-3.2 openSUSE Tumbleweed:libcroco-0_6-3-0.6.13-3.2 openSUSE Tumbleweed:libcroco-0_6-3-32bit-0.6.13-3.2 openSUSE Tumbleweed:libcroco-devel-0.6.13-3.2 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2020-12825.html CVE-2020-12825 https://bugzilla.suse.com/1171685 SUSE Bug 1171685 https://bugzilla.suse.com/1203730 SUSE Bug 1203730 https://bugzilla.suse.com/1208647 SUSE Bug 1208647