Bug 21368

Summary: librsvg new security issue CVE-2017-11464
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: brtians1, marja11, nathan95, sysadmin-bugs
Version: 6Keywords: validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: advisory has_procedure MGA5TOO MGA6-64-OK mga5-64-ok mga5-32-ok mga6-32-ok
Source RPM: librsvg-2.40.17-1.mga6.src.rpm CVE:
Status comment:

Description David Walser 2017-07-27 02:42:14 CEST 
Upstream has released version 2.40.18 on July 20, fixing a security issue:
https://mail.gnome.org/archives/ftp-release-list/2017-July/msg00078.html

Fedora has issued an advisory for this on July 24:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/HCJYK3EMB77XGUI2Y3UG6ECQX7YUBE4P/

Mageia 5 is also affected.
David Walser 2017-07-27 02:42:21 CEST

Whiteboard: (none) => MGA5TOO

Comment 1 Marja Van Waes 2017-07-27 18:18:13 CEST 
Assigning to the registered maintainer.

CC: (none) => marja11
Assignee: bugsquad => lists.jjorge

Comment 2 David Walser 2017-07-29 20:59:43 CEST 
Updated packages uploaded for Mageia 5 and Mageia 6.

Advisory:
========================

Updated librsvg packages fix security vulnerability:

Division-by-zero in the Gaussian blur code (CVE-2017-11464).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11464
https://mail.gnome.org/archives/ftp-release-list/2017-July/msg00078.html
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/HCJYK3EMB77XGUI2Y3UG6ECQX7YUBE4P/
========================

Updated packages in core/updates_testing:
========================
librsvg-2.40.18-1.mga5
librsvg2_2-2.40.18-1.mga5
librsvg2-devel-2.40.18-1.mga5
librsvg-gir2.0-2.40.18-1.mga5
librsvg-2.40.18-1.mga6
librsvg2_2-2.40.18-1.mga6
librsvg2-devel-2.40.18-1.mga6
librsvg-gir2.0-2.40.18-1.mga6

from SRPMS:
librsvg-2.40.18-1.mga5.src.rpm
librsvg-2.40.18-1.mga6.src.rpm

Assignee: lists.jjorge => qa-bugs

Comment 3 Rémi Verschelde 2017-07-30 11:17:52 CEST 
Sadly the GNOME bug report is still flagged as restricted, so we can't check if there's a PoC to test against the update candidate.

Doing basic regression testing thanks to the two utility binaries shipping in the main librsvg package:
/usr/bin/rsvg-convert
/usr/bin/rsvg-view-3

If you don't have SVGs to test with, you can download the Mageia logo: http://www.mageia.org/en/about/media/

$ rsvg-convert -f pdf -w 2400 -h 800 -b "#abcdef" mageia-2013.svg -o mageia-2013.pdf

Gives me as expected a 2400x800 PDF of the Mageia logo with a teal background color.

$ rsvg-view-3 -w 2400 -h 800 -b "#abcdef" Mageia/ToSort/mageia-2013.svg

Allows to preview the same result as above. The window it spawns is ridiculously small though, you need to expand it to see the logo.

Whiteboard: MGA5TOO => has_procedure MGA5TOO MGA6-64-OK

Rémi Verschelde 2017-07-30 11:19:12 CEST

Whiteboard: has_procedure MGA5TOO MGA6-64-OK => advisory has_procedure MGA5TOO MGA6-64-OK

Comment 4 Brian Rockwell 2017-08-05 20:20:37 CEST 
$ uname -a
Linux localhost 4.4.79-desktop-1.mga5 #1 SMP Fri Jul 28 02:50:06 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux


$ rsvg-convert -v
rsvg-convert version 2.40.18

$ rsvg-convert -f pdf -w 2400 -h 800 -b "#abcdef" mageia-2013.svg -o mageia-2013.pdf
[brian@localhost Downloads]$ ls -ltr
total 16576
-rw-rw-r-- 1 brian brian    25217 Aug  5 18:16 mageia-2013.svg
-rw-r--r-- 1 brian brian     2649 Aug  5 18:17 mageia-2013.pdf
[brian@localhost Downloads]$ evince mageia-2013.pdf

it displays the logo properly

The rsvg-view-3 worked as well
$ rsvg-view-3 -v
** Message: rsvg-view version 2.40.18

Whiteboard: advisory has_procedure MGA5TOO MGA6-64-OK => advisory has_procedure MGA5TOO MGA6-64-OK mga5-64-ok
CC: (none) => brtians1

Comment 5 Brian Rockwell 2017-08-05 20:33:31 CEST 
$ uname -a
Linux localhost 4.4.74-desktop-1.mga5 #1 SMP Mon Jun 26 08:33:18 UTC 2017 i686 i686 i686 GNU/Linux

$ rsvg-convert -v
rsvg-convert version 2.40.18

$ rsvg-convert -f pdf -w 2400 -h 800 -b "#abcdef" mageia-2013.svg -o mageia-2013.pdf
$ evince mageia-2013.pdf

it displays properly

$ rsvg-view-3  -b "#abcdef" mageia-2013.svg

that displays as well, you do have to expand the window 

$ rsvg-view-3 -v
** Message: rsvg-view version 2.40.18

works on 32 bit as well

Whiteboard: advisory has_procedure MGA5TOO MGA6-64-OK mga5-64-ok => advisory has_procedure MGA5TOO MGA6-64-OK mga5-64-ok mga5-32-ok

nathan giovannini 2017-08-07 20:39:50 CEST

Whiteboard: advisory has_procedure MGA5TOO MGA6-64-OK mga5-64-ok mga5-32-ok => advisory has_procedure MGA5TOO MGA6-64-OK mga5-64-ok mga5-32-ok mga6-32-ok
Keywords: (none) => validated_update
CC: (none) => nathan95, sysadmin-bugs

Comment 6 Mageia Robot 2017-08-08 00:17:15 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2017-0247.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED