Bug 11853

Summary: librsvg new security issue CVE-2013-1881
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: davidwhodgins, lists.jjorge, olav, sysadmin-bugs, tmb
Version: 3Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/575370/
Whiteboard: advisory MGA3-64-OK MGA3-32-OK
Source RPM: librsvg-2.36.4-2.mga3.src.rpm CVE:
Status comment:

Description David Walser 2013-12-02 16:56:55 CET 
OpenSuSE has issued an advisory on November 29:
http://lists.opensuse.org/opensuse-updates/2013-11/msg00114.html

The issue was fixed upstream in 2.39.0 according to the CVE entry, so we should be OK in Cauldron.

The OpenSuSE 12.3 update contains a patch for 2.36.4, the same version we have in Mageia 3.  However, I could have just pushed it with this patch myself, but it sounds like it is causing regressions according to the comments in the Novell bug:
https://bugzilla.novell.com/show_bug.cgi?id=840753

So I'll assign this to Olav for further review.

Reproducible: 

Steps to Reproduce:
Comment 1 David Walser 2013-12-02 16:57:40 CET 
CC'ing José as he's marked as maintainer of this package.

CC: (none) => lists.jjorge

Comment 2 David Walser 2013-12-26 18:56:48 CET 
OK, so the regression was because a change in gtk+3.0 was needed to cope with the security hardening in librsvg.  OpenSuSE released a gtk+3.0 update to fix this.  Their update for 12.3 is also the same gtk+3.0 version we have, so I've pulled their patches for both librsvg and gtk+3.0.  Patched packages uploaded for Mageia 3.

Advisory:
========================

Updated librsvg packages fix security vulnerability:

librsvg before version 2.39.0 allows remote attackers to read arbitrary files
via an XML document containing an external entity declaration in conjunction
with an entity reference (CVE-2013-1881).

gtk+3.0 has been patched to cope with the changes in SVG loading due to the
fix in librsvg.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1881
http://lists.opensuse.org/opensuse-updates/2013-11/msg00114.html
========================

Updated packages in core/updates_testing:
========================
librsvg-2.36.4-2.1.mga3
librsvg2_2-2.36.4-2.1.mga3
librsvg2-devel-2.36.4-2.1.mga3
librsvg-gir2.0-2.36.4-2.1.mga3
gtk+3.0-3.6.4-1.1.mga3
libgtk+3_0-3.6.4-1.1.mga3
libgtk-gir3.0-3.6.4-1.1.mga3
libgtk+3.0-devel-3.6.4-1.1.mga3
libgail3_0-3.6.4-1.1.mga3
libgail3.0-devel-3.6.4-1.1.mga3

from SRPMS:
librsvg-2.36.4-2.1.mga3.src.rpm
gtk+3.0-3.6.4-1.1.mga3.src.rpm

CC: (none) => olav
Assignee: olav => qa-bugs

Dave Hodgins 2014-01-02 18:09:21 CET

CC: (none) => davidwhodgins
Whiteboard: (none) => advisory

Comment 3 Dave Hodgins 2014-01-05 22:15:15 CET 
Just testing that eog can view svg images with the updates installed.

When installing in gtk_3.0 in Mageia 3 x86_64, I get a warning ...
      1/3: gtk+3.0               ##################################################################################################
      2/3: lib64gtk+3_0          ##################################################################################################
      3/3: lib64gtk-gir3.0       ##################################################################################################
      1/3: removing lib64gtk-gir3.0-3.6.4-1.mga3.x86_64
                                 ##################################################################################################
      2/3: removing gtk+3.0-3.6.4-1.mga3.x86_64
                                 ##################################################################################################
      3/3: removing lib64gtk+3_0-3.6.4-1.mga3.x86_64
                                 ##################################################################################################
warning: undefined reference to <schema id='org.gnome.settings-daemon.plugins.updates'/>

Viewing svg (and other) images in eog is working though.

Testing complete on Mageia 3 i586 and x86_64.

Someone from the sysadmin team please push 11853.adv to updates.

Keywords: (none) => validated_update
Whiteboard: advisory => advisory MGA3-64-OK MGA3-32-OK
CC: (none) => sysadmin-bugs

Comment 4 Thomas Backlund 2014-01-06 02:36:10 CET 
Update pushed:
http://advisories.mageia.org/MGASA-2014-0004.html

CC: (none) => tmb

Comment 5 Thomas Backlund 2014-01-06 02:41:15 CET 
closing

Status: NEW => RESOLVED
Resolution: (none) => FIXED