Undefined Behavior in libcroco Affects Multiple Vendors
CVE-2017-7961

7.8HIGH

Key Information:

Vendor

Gnome

Status
Vendor
CVE Published:
19 April 2017

What is CVE-2017-7961?

The cr_tknzr_parse_rgb function in libcroco versions 0.6.11 and 0.6.12 triggers undefined behavior when it processes a numeric value that lies outside the range representable by the C data type long. A remote attacker can reach this code path with a specially crafted CSS file, which can lead to a denial of service such as an application crash. Notably, while some third-party analyses suggest that this is not a significant security issue, the possibility of service disruption through such inputs should not be underestimated.
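The defect class described above is a number parsed from untrusted text being converted to long without first checking that it fits. The following is an added illustration, not libcroco's code, and the function names (parse_rgb_component, parse_rgb_function) and status codes are hypothetical: it parses the components of a CSS rgb() value with strtod, rejects anything non-finite or outside [LONG_MIN, LONG_MAX] before the cast, and so turns what would be undefined behavior into a reported error.

```c
#include <errno.h>
#include <limits.h>
#include <math.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical status codes for this example; not libcroco's API. */
enum rgb_status { RGB_OK = 0, RGB_ERR_SYNTAX = 1, RGB_ERR_RANGE = 2 };

/* Parse one numeric rgb() component such as "255", "12.7" or "1e40".
 * Stores a long in *out only when the value is finite and inside the
 * range of long. Casting a double outside that range to long is undefined
 * behaviour in C, which is the bug class the advisory describes. */
static enum rgb_status parse_rgb_component(const char *text, long *out)
{
    char *end = NULL;
    errno = 0;
    double value = strtod(text, &end);
    if (end == text || *end != '\0')
        return RGB_ERR_SYNTAX;          /* no digits, or trailing junk */
    if (errno == ERANGE || !isfinite(value))
        return RGB_ERR_RANGE;           /* strtod overflow/underflow, inf, nan */
    /* Range check before the cast. (double)LONG_MAX rounds up to 2^63 on
     * 64-bit long, so compare with >= to stay strictly inside the range. */
    if (value < (double)LONG_MIN || value >= (double)LONG_MAX)
        return RGB_ERR_RANGE;
    *out = (long)value;                 /* now a well-defined conversion */
    return RGB_OK;
}

/* Parse "rgb(r, g, b)" into three validated long components. */
static enum rgb_status parse_rgb_function(const char *css, long rgb[3])
{
    const char *p = css;
    if (strncmp(p, "rgb(", 4) != 0)
        return RGB_ERR_SYNTAX;
    p += 4;
    for (int i = 0; i < 3; i++) {
        while (*p == ' ')
            p++;
        size_t raw = strcspn(p, ",)");  /* token up to the next separator */
        if (raw == 0 || raw >= 64)
            return RGB_ERR_SYNTAX;
        char buf[64];
        memcpy(buf, p, raw);
        buf[raw] = '\0';
        size_t len = raw;
        while (len > 0 && buf[len - 1] == ' ')
            buf[--len] = '\0';          /* trim trailing whitespace */
        enum rgb_status st = parse_rgb_component(buf, &rgb[i]);
        if (st != RGB_OK)
            return st;
        p += raw;
        if (i < 2) {
            if (*p != ',')
                return RGB_ERR_SYNTAX;
            p++;
        } else if (*p != ')') {
            return RGB_ERR_SYNTAX;
        }
    }
    return RGB_OK;
}

/* Single-value wrappers so callers (and tests) can inspect one result. */
static int rgb_component_status(const char *text) { long v; return (int)parse_rgb_component(text, &v); }
static long rgb_component_value(const char *text) { long v = -1; parse_rgb_component(text, &v); return v; }
static int rgb_function_status(const char *css) { long rgb[3]; return (int)parse_rgb_function(css, rgb); }
static long rgb_function_sum(const char *css)
{
    long rgb[3] = {0, 0, 0};
    if (parse_rgb_function(css, rgb) != RGB_OK)
        return -1;
    return rgb[0] + rgb[1] + rgb[2];
}

int main(void)
{
    /* Constructed sample inputs: one benign, two out of range for long. */
    const char *samples[] = { "rgb(10, 20, 30)", "rgb(1e40, 0, 0)", "rgb(0, -1e300, 0)" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-20s -> status %d\n", samples[i], rgb_function_status(samples[i]));
    return 0;
}
```

The essential line is the comparison against LONG_MIN and LONG_MAX before the cast: without it, an input such as 1e40 in a CSS file is a conversion the C standard leaves undefined, and what the compiler emits for it may be a trap, a crash, or a silently wrong value depending on platform and optimisation level.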

References

CVSS V3.1

Score:
7.8
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Local
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
