Bug 23206

Summary: librsvg new security issue CVE-2018-1000041
Product: Mageia
Reporter: David Walser <luigiwalser>
Component: Security
Assignee: QA Team <qa-bugs>
Status: RESOLVED FIXED
QA Contact: Sec team <security>
Severity: normal
Priority: Normal
CC: herman.viaene, sysadmin-bugs
Version: 5
Keywords: advisory, has_procedure, validated_update
Target Milestone: ---
Hardware: All
OS: Linux
Whiteboard: MGA5-32-OK
Source RPM: librsvg-2.40.18-1.mga5.src.rpm
CVE:
Status comment:
Bug Depends on: 23144
Bug Blocks:

Description David Walser 2018-06-20 13:10:44 CEST
+++ This bug was initially created as a clone of Bug #23144 +++

openSUSE has issued an advisory on May 17:
https://lists.opensuse.org/opensuse-updates/2018-05/msg00045.html

Patched package also uploaded for Mageia 5.

Advisory:
========================

Updated librsvg package fixes security vulnerability:

It was discovered that there was an input validation vulnerability in the librsvg renderer library that could result in data being leaked to remote attackers via a specially-crafted file (CVE-2018-1000041).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000041
https://lists.opensuse.org/opensuse-updates/2018-05/msg00045.html
========================

Updated packages in core/updates_testing:
========================
lib64rsvg2_2-2.40.18-1.1.mga5
lib64rsvg2-devel-2.40.18-1.1.mga5
lib64rsvg-gir2.0-2.40.18-1.1.mga5
librsvg-2.40.18-1.1.mga5

from librsvg-2.40.18-1.1.mga5.src.rpm

Testing procedure: https://bugs.mageia.org/show_bug.cgi?id=21368#c4

Comment 1 Herman Viaene 2018-06-22 15:10:45 CEST
MGA5-32 on Dell Latitude D600 Xfce
No installation issues
at CLI:
$ rsvg-view-3 wapen.svg
Opens ridiculously small window; when stretched out, image is OK.
Right click on the image and save as png. Resulting png displays OK in ristretto.
$ rsvg-convert -f pdf -h 720 -w 512 -b '#ebafdc' wapen.svg -o wapen.pdf
Resulting pdf looks OK in atril.

Whiteboard: (none) => MGA5-32-OK
CC: (none) => herman.viaene

Comment 2 claire robinson 2018-06-24 21:42:34 CEST
Validating. Advisoried.

Keywords: (none) => advisory, validated_update
CC: (none) => sysadmin-bugs

Comment 3 Mageia Robot 2018-06-25 00:03:40 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0297.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED