Bug 17378

Summary: librsvg new security issues CVE-2015-7557 and CVE-2015-7558
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: davidwhodgins, lewyssmith, sysadmin-bugs
Version: 5Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/672076/
Whiteboard: MGA5-64-OK advisory
Source RPM: librsvg-2.40.7-2.mga5.src.rpm CVE:
Status comment:

Description David Walser 2015-12-21 21:30:00 CET 
Two security issues fixed in librsvg 2.40.12 were announced today (December 21):
http://openwall.com/lists/oss-security/2015/12/21/5

The upstream commit to fix the issues is also linked in the message above.

Reproducible: 

Steps to Reproduce:
Comment 1 David Walser 2016-01-12 19:16:03 CET 
Updated package uploaded for Mageia 5.

Advisory:
========================

Updated librsvg packages fix security vulnerabilities:

Out-of-bounds heap read in librsvg2 was found when parsing SVG file
(CVE-2015-7557).

Stack exhaustion due to cyclic dependency causing to crash an application was
found in librsvg2 while parsing SVG file (CVE-2015-7558).

The librsvg package has been updated to version 2.40.13, fixing these issues
and several other bugs.  See the upstream NEWS file for details.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7557
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7558
https://git.gnome.org/browse/librsvg/tree/NEWS?id=a12e7b90e7b9fa6a6a325f39fb409722b06a6735
http://openwall.com/lists/oss-security/2015/12/21/5
========================

Updated packages in core/updates_testing:
========================
librsvg-2.40.13-1.mga5
librsvg2_2-2.40.13-1.mga5
librsvg2-devel-2.40.13-1.mga5
librsvg-gir2.0-2.40.13-1.mga5

from librsvg-2.40.13-1.mga5.src.rpm

Assignee: olav => qa-bugs

Comment 2 Lewis Smith 2016-01-13 20:52:26 CET 
Testing x64, with the update:
 librsvg-2.40.13-1.mga5
 lib64rsvg2_2-2.40.13-1.mga5
Tried various applications cited from # urpmq --whatrequires lib64rsvg2_2
 AbiWord: Able to import some SVG files, but not exotic 'active' ones.
 Eye of Gnome (eog): opened all SVG samples correctly.
 ImageMagic (display): same.
 xboard: worked OK, significance doubtful.
Some applications allegedly requiring these libraries did not seem to want to know about SVG at all, for which I do not blame the libraries. e.g. TuxPaint, Darktable.
Since nothing untoward happened, this update seems OK.

CC: (none) => lewyssmith
Whiteboard: (none) => MGA5-64-OK

Dave Hodgins 2016-01-14 04:36:12 CET

Keywords: (none) => validated_update
Whiteboard: MGA5-64-OK => MGA5-64-OK advisory
CC: (none) => davidwhodgins, sysadmin-bugs

Comment 3 Mageia Robot 2016-01-15 02:53:23 CET 
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2016-0021.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

David Walser 2016-01-15 19:57:01 CET

URL: (none) => http://lwn.net/Vulnerabilities/672076/

Comment 4 David Walser 2016-05-11 17:54:15 CEST 
CVE-2016-4347 and CVE-2016-4348 were also fixed by this update (fixed in 2.40.12):
http://openwall.com/lists/oss-security/2016/05/10/15

The commits were actually on October 22.