Re: [OE-core] [poky][dunfell][PATCH] libcroco: Added CVE-2020-12825
On Fri, Feb 5, 2021 at 3:01 AM saloni wrote: > > Added below CVE: > CVE-2020-12825 > Link: CVE-2020-12825 > [https://gitlab.gnome.org/Archive/libcroco/-/commit/6eb257e5c731c691eb137fca94e916ca73941a5a] > Link: https://gitlab.gnome.org/Archive/libcroco/-/issues/8 > > Signed-off-by: Saloni Jain > --- > .../libcroco/files/CVE-2020-12825.patch| 193 > + > meta/recipes-support/libcroco/libcroco_0.6.13.bb | 3 + > 2 files changed, 196 insertions(+) > create mode 100644 meta/recipes-support/libcroco/files/CVE-2020-12825.patch > > diff --git a/meta/recipes-support/libcroco/files/CVE-2020-12825.patch > b/meta/recipes-support/libcroco/files/CVE-2020-12825.patch > new file mode 100644 > index 000..966b812 > --- /dev/null > +++ b/meta/recipes-support/libcroco/files/CVE-2020-12825.patch 
> @@ -0,0 +1,193 @@ > +From 6eb257e5c731c691eb137fca94e916ca73941a5a Mon Sep 17 00:00:00 2001 > +From: Michael Catanzaro > +Date: Fri, 31 Jul 2020 15:21:53 -0500 > +Subject: [PATCH] libcroco: Limit recursion in block and any productions > + (CVE-2020-12825) > + > +If we don't have any limits, we can recurse forever and overflow the > +stack. > + > +Fixes #8 > +This is per https://gitlab.gnome.org/Archive/libcroco/-/issues/8 > + > +https://gitlab.gnome.org/GNOME/gnome-shell/-/merge_requests/1404 > + > +CVE: CVE-2020-12825 > +Upstream-Status: Backport > [https://gitlab.gnome.org/Archive/libcroco/-/commit/6eb257e5c731c691eb137fca94e916ca73941a5a] > +Comment: No changes done. > +Signed-off-by: Saloni Jain > +--- > + src/cr-parser.c | 44 +--- > + 1 file changed, 29 insertions(+), 15 deletions(-) > + > +diff --git a/src/cr-parser.c b/src/cr-parser.c > +index 18c9a01..f4a62e3 100644 > +--- a/src/cr-parser.c > b/src/cr-parser.c > +@@ -136,6 +136,8 @@ struct _CRParserPriv { > + > + #define CHARS_TAB_SIZE 12 > + > ++#define RECURSIVE_CALLERS_LIMIT 100 > ++ > + /** > + * IS_NUM: > + *@a_char: the char to test. 
> +@@ -344,9 +346,11 @@ static enum CRStatus cr_parser_parse_selector_core > (CRParser * a_this); > + > + static enum CRStatus cr_parser_parse_declaration_core (CRParser * a_this); > + > +-static enum CRStatus cr_parser_parse_any_core (CRParser * a_this); > ++static enum CRStatus cr_parser_parse_any_core (CRParser * a_this, > ++ guint n_calls); > + > +-static enum CRStatus cr_parser_parse_block_core (CRParser * a_this); > ++static enum CRStatus cr_parser_parse_block_core (CRParser * a_this, > ++ guint n_calls); > + > + static enum CRStatus cr_parser_parse_value_core (CRParser * a_this); > + > +@@ -784,7 +788,7 @@ cr_parser_parse_atrule_core (CRParser * a_this) > + cr_parser_try_to_skip_spaces_and_comments (a_this); > + > + do { > +-status = cr_parser_parse_any_core (a_this); > ++status = cr_parser_parse_any_core (a_this, 0); > + } while (status == CR_OK); > + > + status = cr_tknzr_get_next_token (PRIVATE (a_this)->tknzr, > +@@ -795,7 +799,7 @@ cr_parser_parse_atrule_core (CRParser * a_this) > + cr_tknzr_unget_token (PRIVATE (a_this)->tknzr, > + token); > + token = NULL; > +-status = cr_parser_parse_block_core (a_this); > ++status = cr_parser_parse_block_core (a_this, 0); > + CHECK_PARSING_STATUS (status, > + FALSE); > + goto done; > +@@ -930,11 +934,11 @@ cr_parser_parse_selector_core (CRParser * a_this) > + > + RECORD_INITIAL_POS (a_this, _pos); > + > +-status = cr_parser_parse_any_core (a_this); > ++status = cr_parser_parse_any_core (a_this, 0); > + CHECK_PARSING_STATUS (status, FALSE); > + > + do { > +-status = cr_parser_parse_any_core (a_this); > ++status = cr_parser_parse_any_core (a_this, 0); > + > + } while (status == CR_OK); > + > +@@ -956,10 +960,12 @@ cr_parser_parse_selector_core (CRParser * a_this) > + *in chapter 4.1 of the css2 spec. > + *block ::= '{' S* [ any | block | ATKEYWORD S* | ';' ]* '}' S*; > + *@param a_this the current instance of #CRParser. > ++ *@param n_calls used to limit recursion depth > + *FIXME: code this function. 
> + */ > + static enum CRStatus > +-cr_parser_parse_block_core (CRParser * a_this) > ++cr_parser_parse_block_core (CRParser * a_this, > ++guint n_calls) > + { > + CRToken *token = NULL; > + CRInputPos init_pos; > +@@ -967,6 +973,9 @@ cr_parser_parse_block_core (CRParser * a_this) > + > + g_return_val_if_fail (a_this && PRIVATE (a_this), > CR_BAD_PARAM_ERROR); > + > ++if (n_calls > RECURSIVE_CALLERS_LIMIT) > ++return CR_ERROR; > ++ > + RECORD_INITIAL_POS (a_this, _pos); > + > + status =
[OE-core] [poky][dunfell][PATCH] libcroco: Added CVE-2020-12825
Added the fix for the CVE below: CVE-2020-12825 Link: CVE-2020-12825 [https://gitlab.gnome.org/Archive/libcroco/-/commit/6eb257e5c731c691eb137fca94e916ca73941a5a] Link: https://gitlab.gnome.org/Archive/libcroco/-/issues/8 Signed-off-by: Saloni Jain --- .../libcroco/files/CVE-2020-12825.patch| 193 + meta/recipes-support/libcroco/libcroco_0.6.13.bb | 3 + 2 files changed, 196 insertions(+) create mode 100644 meta/recipes-support/libcroco/files/CVE-2020-12825.patch diff --git a/meta/recipes-support/libcroco/files/CVE-2020-12825.patch b/meta/recipes-support/libcroco/files/CVE-2020-12825.patch new file mode 100644 index 000..966b812 --- /dev/null +++ b/meta/recipes-support/libcroco/files/CVE-2020-12825.patch 
@@ -0,0 +1,193 @@ +From 6eb257e5c731c691eb137fca94e916ca73941a5a Mon Sep 17 00:00:00 2001 +From: Michael Catanzaro +Date: Fri, 31 Jul 2020 15:21:53 -0500 +Subject: [PATCH] libcroco: Limit recursion in block and any productions + (CVE-2020-12825) + +If we don't have any limits, we can recurse forever and overflow the +stack. + +Fixes #8 +This is per https://gitlab.gnome.org/Archive/libcroco/-/issues/8 + +https://gitlab.gnome.org/GNOME/gnome-shell/-/merge_requests/1404 + +CVE: CVE-2020-12825 +Upstream-Status: Backport [https://gitlab.gnome.org/Archive/libcroco/-/commit/6eb257e5c731c691eb137fca94e916ca73941a5a] +Comment: No changes done. +Signed-off-by: Saloni Jain +--- + src/cr-parser.c | 44 +--- + 1 file changed, 29 insertions(+), 15 deletions(-) + +diff --git a/src/cr-parser.c b/src/cr-parser.c +index 18c9a01..f4a62e3 100644 +--- a/src/cr-parser.c b/src/cr-parser.c +@@ -136,6 +136,8 @@ struct _CRParserPriv { + + #define CHARS_TAB_SIZE 12 + ++#define RECURSIVE_CALLERS_LIMIT 100 ++ + /** + * IS_NUM: + *@a_char: the char to test. 
+@@ -344,9 +346,11 @@ static enum CRStatus cr_parser_parse_selector_core (CRParser * a_this); + + static enum CRStatus cr_parser_parse_declaration_core (CRParser * a_this); + +-static enum CRStatus cr_parser_parse_any_core (CRParser * a_this); ++static enum CRStatus cr_parser_parse_any_core (CRParser * a_this, ++ guint n_calls); + +-static enum CRStatus cr_parser_parse_block_core (CRParser * a_this); ++static enum CRStatus cr_parser_parse_block_core (CRParser * a_this, ++ guint n_calls); + + static enum CRStatus cr_parser_parse_value_core (CRParser * a_this); + +@@ -784,7 +788,7 @@ cr_parser_parse_atrule_core (CRParser * a_this) + cr_parser_try_to_skip_spaces_and_comments (a_this); + + do { +-status = cr_parser_parse_any_core (a_this); ++status = cr_parser_parse_any_core (a_this, 0); + } while (status == CR_OK); + + status = cr_tknzr_get_next_token (PRIVATE (a_this)->tknzr, +@@ -795,7 +799,7 @@ cr_parser_parse_atrule_core (CRParser * a_this) + cr_tknzr_unget_token (PRIVATE (a_this)->tknzr, + token); + token = NULL; +-status = cr_parser_parse_block_core (a_this); ++status = cr_parser_parse_block_core (a_this, 0); + CHECK_PARSING_STATUS (status, + FALSE); + goto done; +@@ -930,11 +934,11 @@ cr_parser_parse_selector_core (CRParser * a_this) + + RECORD_INITIAL_POS (a_this, _pos); + +-status = cr_parser_parse_any_core (a_this); ++status = cr_parser_parse_any_core (a_this, 0); + CHECK_PARSING_STATUS (status, FALSE); + + do { +-status = cr_parser_parse_any_core (a_this); ++status = cr_parser_parse_any_core (a_this, 0); + + } while (status == CR_OK); + +@@ -956,10 +960,12 @@ cr_parser_parse_selector_core (CRParser * a_this) + *in chapter 4.1 of the css2 spec. + *block ::= '{' S* [ any | block | ATKEYWORD S* | ';' ]* '}' S*; + *@param a_this the current instance of #CRParser. ++ *@param n_calls used to limit recursion depth + *FIXME: code this function. 
+ */ + static enum CRStatus +-cr_parser_parse_block_core (CRParser * a_this) ++cr_parser_parse_block_core (CRParser * a_this, ++guint n_calls) + { + CRToken *token = NULL; + CRInputPos init_pos; +@@ -967,6 +973,9 @@ cr_parser_parse_block_core (CRParser * a_this) + + g_return_val_if_fail (a_this && PRIVATE (a_this), CR_BAD_PARAM_ERROR); + ++if (n_calls > RECURSIVE_CALLERS_LIMIT) ++return CR_ERROR; ++ + RECORD_INITIAL_POS (a_this, _pos); + + status = cr_tknzr_get_next_token (PRIVATE (a_this)->tknzr, ); +@@ -996,13 +1005,13 @@ cr_parser_parse_block_core (CRParser * a_this) + } else if (token->type == CBO_TK) { + cr_tknzr_unget_token (PRIVATE (a_this)->tknzr, token); + token = NULL; +-status =
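Review bot: The depth guard added in the `@@ -967,6 +973,9 @@` hunk returns the generic `CR_ERROR`, so a caller cannot distinguish a recursion-limit abort from an ordinary parse failure and nothing records why parsing stopped; a short comment on the guard would keep the intent visible through later refactors, e.g. `/* Bound the mutual recursion between the block and any productions (CVE-2020-12825); overly nested input is rejected instead of exhausting the stack. */`. The `n_calls > RECURSIVE_CALLERS_LIMIT` comparison admits 101 nested calls with the limit defined as 100, one more than the macro name suggests; it is harmless here but worth either noting in that comment or tightening to `>=`. The call sites that pass an incremented `n_calls` on the recursive path, and the matching guard in `cr_parser_parse_any_core`, lie past the end of the visible patch, so the backport's completeness cannot be confirmed from this page, and the `libcroco_0.6.13.bb` change listed in the diffstat is likewise not shown.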