Date: Sat, 30 Apr 2016 20:33:59 +0200 From: Gustavo Grieco <gustavo.grieco@...il.com> To: cve-assign@...re.org Cc: oss-security@...ts.openwall.com Subject: Re: CVE requests: DoS in librsvg parsing SVGs with circular definitions 2016-04-28 18:46 GMT+02:00 <cve-assign@...re.org>: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA256 > > > Two DoS in librsvg 2.40.2 parsing SVGs with circular definitions were > found > > (they will produce stack exhaustion). Other versions can be vulnerable > too. > > > these issues are solved in the last git revision of librsvg2 > > Probably the best we can reasonably do here is assign separate CVE IDs > to the separate reproducers. Are there any other details that might > enable a wider set of readers to use your report for risk management? > This version of librsvg is still deployed in Ubuntu (trusty) and Debian (wheezy). Imagemagick is using librsvg2 so a vulnerability there can affect even when you receive an untrusted image. Also, Evolution was rendering SVG attached images: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=361540 (this bug is quite old and it is fixed, hopefully Evolution is not rendering SVG images using librsvg now) > 2.40.2 is apparently a version from late 2013. Is this related to > > https://git.gnome.org/browse/librsvg/commit/?id=8ee18b22ece0f869cb4e2e021c01138cbb8a0226 > (from 2015-02-06): "If a chain of paint servers, defined through the > xlink:href attribute, has a cycle, then we would loop infinitely"? > Most likely yes. It is also related with CVE-2015-7558, which was fixed here: https://git.gnome.org/browse/librsvg/commit/?id=a51919f7e1ca9c535390a746fbf6e28c8402dc61 The only way to know for sure is to use git-bisect. I can only advise to upgrade to 2.40.15 where all these issues are solved. > > > They affect the following functions: > > > * rsvg_cairo_pop_discrete_layer - rsvg_cairo_pop_render_stack - > > rsvg_cairo_generate_mask: reproducible using circular-1.svg > > Use CVE-2016-4347. > > > > * _rsvg_css_normalize_font_size: reproducible using circular-2.svg > > Use CVE-2016-4348. > > - -- > CVE Assignment Team > M/S M300, 202 Burlington Road, Bedford, MA 01730 USA > [ A PGP key is available for encrypted communications at > http://cve.mitre.org/cve/request_id.html ] > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v1 > > iQIcBAEBCAAGBQJXIj3tAAoJEHb/MwWLVhi28asP/ind5vax8Ln+o2RusWj8E+LS > Q/R1pAJgj20Duo6s23zx/iWicsyTudMMdeBQwhnpPbnDOvUtVUqn5jjtD2xTZkBG > zKdKNw3QpJYYC4BSaNp3r+VVEuIlWiNlXYfmWu8hThzgRJL8HjQhQd9sE/WcA6xo > XX5639p6TRA5leTIXPWHaQ8HxB/9cSufkTZ2nH4WTBJcwh45iKVczsPAh1nuabnF > FmghWc83c9woO4ImKdDa+/wF/yaO2asrztAedtxCNDQQZTxZRtU7e/IcIbdW9VNU > VM41OImZG8k8JzO0r7/Bg2XnRuVUvoJdK0pRNnS0LPfzDX38HCWlKZnKKFJkZjTT > vQ+sErtM+I33NR+hc4o2wsMnzL8L0oln4q1zYepu0SLZaPTwDN6L6X/Gz1gKL4Zi > Uxowp0OF+8nknnVlhnySHcOGr5tfjT+Q1RdtUmZie0vW+5m9iPubBUHFBLuC6GYF > 5rp4JqaDFxHUVwX+gXz+jT8+O489ASVlb6NS2bPoC2K/aUl6MYcQygeIZky0GfdP > 9OKoYWrUq2JUkzQMhI9FML0F64Pt4blZksSQ5tHa24xxMCRl/nkR4OEPIg/eMW1f > D6hr+/mR9saLzv8pao0Qf+k+Kuig2R+7F8be673J8QXcowJX5/tHYQWbS7Ai0CAI > v7jIqoYfMx9CP7ccozvg > =hvLp > -----END PGP SIGNATURE----- >
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ