Bug#894352: libcroco3: function cr_parser_parse_stylesheet() causes a DoS (denial of service)

Jin Huang 54jin.huang at gmail.com
Thu Mar 29 11:58:20 UTC 2018


Package: libcroco3
Version: 0.6.12-2
Severity: important

Dear Maintainer,

The cr_parser_parse_stylesheet() function in cr-parser.c can cause a denial
of service (infinite loop and CPU consumption) via a crafted CSS file,
which causes csslint-0.6 to hang forever.

$ csslint-0.6 cr-parser.c@@cr_parser_parse_import.css
  csslint does not return and its CPU consumption is 100%

The cause of this bug is that the cr_parser_parse_stylesheet() function
calls cr_parser_parse_media(), cr_parser_parse_import() and
cr_parser_parse_ruleset(), but cr_parser_parse_media(),
cr_parser_parse_import() and cr_parser_parse_ruleset() do not return the
right status while parsing a malformed CSS file, thus making
cr_parser_parse_stylesheet() run in an infinite loop.



-- System Information:
Debian Release: 9.4
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-6-amd64 (SMP w/1 CPU core)
Locale: LANG=en_HK.UTF-8, LC_CTYPE=en_HK.UTF-8 (charmap=UTF-8),
LANGUAGE=en_HK:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages libcroco3 depends on:
ii  libc6         2.24-11+deb9u3
ii  libglib2.0-0  2.50.3-2
ii  libxml2       2.9.4+dfsg1-2.2+deb9u2


--
 Jin Huang, ADLab of Venustech
-------------- next part --------------
A non-text attachment was scrubbed...
Name: cr-parser.c@@cr_parser_parse_import.css
Type: text/css
Size: 8 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-gnome-maintainers/attachments/20180329/7caa2abd/attachment.css>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: cr-parser.c@@cr_parser_parse_media.css
Type: text/css
Size: 8 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-gnome-maintainers/attachments/20180329/7caa2abd/attachment-0001.css>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: cr-parser.c@@cr_parser_parse_ruleset.css
Type: text/css
Size: 7 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-gnome-maintainers/attachments/20180329/7caa2abd/attachment-0002.css>
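The bug class the report describes, shown in a constructed example that is not libcroco's code: a stylesheet driver loop dispatches to sub-parsers and trusts the status they return, and on a truncated production the sub-parsers backtrack to where they started yet still report success, so the driver re-dispatches on the same bytes forever. The toy grammar, the names parse_stylesheet/parse_import/parse_media/parse_ruleset, the inputs and the `max_iters` cap are all invented for illustration (the cap exists only so the buggy configuration terminates in a demo; the real parser has none, which is why the PoC spins at 100% CPU). Two remedies are shown side by side: the sub-parsers returning the correct error status, and a driver-side progress check that refuses to iterate when the cursor did not move.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed example, not libcroco code: a toy CSS subset driven by a
 * status-based loop of the shape the report describes. */

enum parse_status { PARSE_OK, PARSE_ERROR, PARSE_STALLED, PARSE_LOOPED };

struct parser { const char *buf; size_t pos; size_t len; };

static void skip_ws(struct parser *p) {
    while (p->pos < p->len && isspace((unsigned char)p->buf[p->pos])) p->pos++;
}

static bool starts_with(const struct parser *p, const char *kw) {
    size_t n = strlen(kw);
    return p->pos + n <= p->len && memcmp(p->buf + p->pos, kw, n) == 0;
}

/* Consume through the next `term`; if it is missing, restore pos and fail. */
static bool consume_until(struct parser *p, char term) {
    size_t start = p->pos;
    while (p->pos < p->len)
        if (p->buf[p->pos++] == term) return true;
    p->pos = start;
    return false;
}

/* Sub-parsers. On malformed input each backtracks to its starting position.
 * The buggy variant (strict == false) then still reports PARSE_OK, i.e.
 * "nothing wrong here", which is the wrong-status behaviour the report
 * attributes to the cr_parser_parse_* functions. The fixed variant reports
 * PARSE_ERROR so the caller can stop. */
static enum parse_status parse_import(struct parser *p, bool strict) {
    size_t start = p->pos;
    p->pos += strlen("@import");
    if (consume_until(p, ';')) return PARSE_OK;                 /* @import ... ; */
    p->pos = start;
    return strict ? PARSE_ERROR : PARSE_OK;
}

static enum parse_status parse_media(struct parser *p, bool strict) {
    size_t start = p->pos;
    p->pos += strlen("@media");
    if (consume_until(p, '{') && consume_until(p, '}')) return PARSE_OK;  /* @media ... { ... } */
    p->pos = start;
    return strict ? PARSE_ERROR : PARSE_OK;
}

static enum parse_status parse_ruleset(struct parser *p, bool strict) {
    size_t start = p->pos;
    if (consume_until(p, '{') && consume_until(p, '}')) return PARSE_OK;  /* selector { ... } */
    p->pos = start;
    return strict ? PARSE_ERROR : PARSE_OK;
}

/* Driver loop. `strict` selects the fixed sub-parsers; `check_progress` adds
 * the driver-side guard that returns PARSE_STALLED when an iteration claims
 * success without advancing the cursor. `max_iters` is a demo-only cap so the
 * buggy configuration returns PARSE_LOOPED instead of hanging. */
enum parse_status parse_stylesheet(const char *css, bool strict, bool check_progress, int max_iters) {
    struct parser p = { css, 0, strlen(css) };
    for (int iter = 0; ; iter++) {
        skip_ws(&p);
        if (p.pos >= p.len) return PARSE_OK;          /* whole sheet consumed */
        if (iter >= max_iters) return PARSE_LOOPED;   /* would spin forever without the cap */
        size_t before = p.pos;
        enum parse_status s;
        if (starts_with(&p, "@import"))     s = parse_import(&p, strict);
        else if (starts_with(&p, "@media")) s = parse_media(&p, strict);
        else                                s = parse_ruleset(&p, strict);
        if (s != PARSE_OK) return PARSE_ERROR;
        if (check_progress && p.pos == before) return PARSE_STALLED;
    }
}

int main(void) {
    static const char *names[] = { "OK", "ERROR", "STALLED", "LOOPED" };
    /* Constructed inputs: one well-formed sheet and three truncated productions,
     * in the spirit of the 7-8 byte PoC files attached to the report. */
    const char *inputs[] = { "@import url(a.css); p { color: red }", "@import", "@media x", "p {" };
    for (size_t i = 0; i < 4; i++)
        printf("%-40s buggy=%-7s fixed-subparsers=%-7s progress-guard=%s\n", inputs[i],
               names[parse_stylesheet(inputs[i], false, false, 1000)],
               names[parse_stylesheet(inputs[i], true,  false, 1000)],
               names[parse_stylesheet(inputs[i], false, true,  1000)]);
    return 0;
}
```

Fixing the sub-parsers is the correct repair, but the progress check in the driver is the cheaper defence: one comparison per iteration, and it catches any future production that mis-reports its status on bad input. Under a fuzzer this class shows up as a timeout rather than a crash, so timeouts on tiny inputs (the PoC files here are 7 and 8 bytes) deserve triage rather than being discarded as slow cases.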

