Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Mon, 6 Jun 2016 15:54:13 +0200
From: Adam Maris <>
Subject: Re: Re: CVE requests: DoS in librsvg parsing SVGs with
 circular definitions

On 15/05/16 09:05, Gustavo Grieco wrote:
> 2016-05-11 0:36 GMT+02:00 Brian May <>:
>> Just did a git bisect against the source. Assuming I got this right, the
>> following commits fixed the issue.
> Thanks for taking the time to do the git bisect!
>>>> They affect the following functions:
>>>> * rsvg_cairo_pop_discrete_layer - rsvg_cairo_pop_render_stack -
>>>> rsvg_cairo_generate_mask: reproducible using circular-1.svg
>>> Use CVE-2016-4347.
>> Fixed in:
>> commit a51919f7e1ca9c535390a746fbf6e28c8402dc61
>> Author: Benjamin Otte <>
>> Date:   Wed Oct 7 08:45:37 2015 +0200
>>     rsvg: Add rsvg_acquire_node()
>>     This function does proper recursion checks when looking up resources
>>     from URLs and thereby helps avoiding infinite loops when cyclic
>>     references span multiple types of elements.
> I think CVE-2016-4347 and CVE-2015-7558 (stack exhaustion due to
> cyclic dependency, reported here:
> are in fact,
> the same issue. This is probably my fault (sorry!).
> MITRE: We should reject the the newly assigned one?
> Regards,
> Gustavo.

CC'ing MITRE in case they missed this question. We confirm it is a
duplication. Which CVE should be rejected?


Adam Mariš, Red Hat Product Security
1CCD 3446 0529 81E3 86AF  2D4C 4869 76E7 BEF0 6BC2

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ