{"id":"USN-5389-1","summary":"libcroco vulnerabilities","details":"It was discovered that Libcroco was incorrectly accessing data structures when\nreading bytes from memory, which could cause a heap buffer overflow. An attacker\ncould possibly use this issue to cause a denial of service. (CVE-2017-7960)\n\nIt was discovered that Libcroco was incorrectly handling invalid UTF-8 values\nwhen processing CSS files. An attacker could possibly use this issue to cause\na denial of service. (CVE-2017-8834, CVE-2017-8871)\n\nIt was discovered that Libcroco was incorrectly implementing recursion in one\nof its parsing functions, which could cause an infinite recursion loop and a\nstack overflow due to stack consumption. An attacker could possibly use this\nissue to cause a denial of service. (CVE-2020-12825)\n","modified":"2026-02-10T04:42:35Z","published":"2022-04-26T14:05:43Z","related":["UBUNTU-CVE-2017-7960","UBUNTU-CVE-2017-8834","UBUNTU-CVE-2017-8871","UBUNTU-CVE-2020-12825"],"upstream":["CVE-2017-7960","CVE-2017-8834","CVE-2017-8871","CVE-2020-12825","UBUNTU-CVE-2017-7960","UBUNTU-CVE-2017-8834","UBUNTU-CVE-2017-8871","UBUNTU-CVE-2020-12825"],"references":[{"type":"ADVISORY","url":"https://ubuntu.com/security/notices/USN-5389-1"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2017-7960"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2017-8834"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2017-8871"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2020-12825"}],"affected":[{"package":{"name":"libcroco","ecosystem":"Ubuntu:Pro:16.04:LTS","purl":"pkg:deb/ubuntu/libcroco@0.6.11-1ubuntu0.1~esm1?arch=source&distro=esm-infra/xenial"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"0.6.11-1ubuntu0.1~esm1"}]}],"versions":["0.6.8-3","0.6.9-1","0.6.10-1","0.6.11-1"],"ecosystem_specific":{"availability":"Available with Ubuntu Pro (Infra-only): https://ubuntu.com/pro","binaries":[{"binary_name":"libcroco-tools","binary_version":"0.6.11-1ubuntu0.1~esm1"},{"binary_name":"libcroco3","binary_version":"0.6.11-1ubuntu0.1~esm1"},{"binary_name":"libcroco3-dev","binary_version":"0.6.11-1ubuntu0.1~esm1"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-5389-1.json","cves_map":{"cves":[{"id":"CVE-2017-7960","severity":[{"score":"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H","type":"CVSS_V3"},{"score":"low","type":"Ubuntu"}]},{"id":"CVE-2017-8834","severity":[{"score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H","type":"CVSS_V3"},{"score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H","type":"CVSS_V3"},{"score":"low","type":"Ubuntu"}]},{"id":"CVE-2017-8871","severity":[{"score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H","type":"CVSS_V3"},{"score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H","type":"CVSS_V3"},{"score":"low","type":"Ubuntu"}]},{"id":"CVE-2020-12825","severity":[{"score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H","type":"CVSS_V3"},{"score":"low","type":"Ubuntu"}]}],"ecosystem":"Ubuntu:Pro:16.04:LTS"}}}],"schema_version":"1.7.3"}