
exploitDog

CVE-2020-12825

Published: 12 May 2020
Source: redhat
CVSS3: 7.1
EPSS: Low

Description

libcroco through 0.6.13 has excessive recursion in cr_parser_parse_any_core in cr-parser.c, leading to stack consumption.

A stack overflow flaw was found in libcroco. A service using libcroco's CSS parser could be crashed by a local, authenticated attacker, or an attacker utilizing social engineering, using a crafted input. The highest threat from this vulnerability is to system availability.

Statement

While Red Hat Enterprise Linux 6, 7 and 8 ship versions of libcroco that are vulnerable to this flaw, the packages which use this library as a dependency would require a user to open a malicious file locally for exploitation. Opening such a file may result in a temporary crash of the application. See below for more detailed information:

  • Red Hat Enterprise Linux 8 - libcroco is a runtime dependency of gnome-shell, gettext and inkscape.
  • Red Hat Enterprise Linux 7 - libcroco is a runtime dependency of gnome-shell, gettext, librsvg2 and inkscape.
  • Red Hat Enterprise Linux 6 - libcroco is required by firefox to bundle gtk3, but firefox does not use libcroco as its CSS parsing engine or provide gtk3 to other packages, and is thus not affected. libcroco is a runtime dependency of inkscape, librsvg2 and gettext.

This flaw has only been demonstrated to cause a crash, but if there is any concern of further exploitation beyond that, Red Hat Enterprise Linux 6, 7, and 8 packages are built with a stack protector and stack ASLR, which would significantly reduce the likelihood of further exploitation.

Mitigation

To mitigate this flaw as it applies to gnome-shell, do not install untrusted gnome-shell extensions or themes. Red Hat Enterprise Linux does not ship with gnome-shell themes that will trigger this vulnerability. To mitigate this flaw as it applies to inkscape, do not open untrusted CSS in inkscape.

Affected packages

Platform                    Package   State                 Advisory        Release
Red Hat Enterprise Linux 5  libcroco  Out of support scope
Red Hat Enterprise Linux 6  gettext   Out of support scope
Red Hat Enterprise Linux 6  inkscape  Out of support scope
Red Hat Enterprise Linux 6  libcroco  Out of support scope
Red Hat Enterprise Linux 7  gettext   Not affected
Red Hat Enterprise Linux 7  inkscape  Fix deferred
Red Hat Enterprise Linux 8  gettext   Not affected
Red Hat Enterprise Linux 8  inkscape  Fix deferred
Red Hat Enterprise Linux 9  libcroco  Affected
Red Hat Enterprise Linux 7  libcroco  Fixed                 RHSA-2020:4072  29.09.2020


Additional information

Status: Moderate
Defect: CWE-674->CWE-121
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1835377 (libcroco: Stack overflow in function cr_parser_parse_any_core in cr-parser.c)

EPSS: 0.02098 (Low), percentile: 83%

CVSS3: 7.1 High

Related vulnerabilities

CVSS3: 7.1
ubuntu
about 5 years ago

libcroco through 0.6.13 has excessive recursion in cr_parser_parse_any_core in cr-parser.c, leading to stack consumption.

CVSS3: 7.1
nvd
about 5 years ago

libcroco through 0.6.13 has excessive recursion in cr_parser_parse_any_core in cr-parser.c, leading to stack consumption.

CVSS3: 7.1
debian
about 5 years ago

libcroco through 0.6.13 has excessive recursion in cr_parser_parse_any ...

suse-cvrf
almost 4 years ago

Security update for libcroco

suse-cvrf
more than 3 years ago

Security update for libcroco
