Bug 28122

Summary: python-cairosvg new security issue CVE-2021-21236
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: andrewsfarm, mageia, ouaurelien, sysadmin-bugs, tarazed25
Version: 7Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA7-64-OK
Source RPM: python-cairosvg-2.5.0-1.mga8.src.rpm CVE:
Status comment:

Description David Walser 2021-01-16 16:13:57 CET 
Fedora has issued an advisory today (January 16):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/ZYQNE2UJNCSEEEDLGJYUKRL2VS6EM36S/

Upstream advisory with the CVE from January 8:
https://github.com/advisories/GHSA-hq37-853p-g5cf

More info here:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-21236
https://ubuntu.com/security/CVE-2021-21236

The issue is fixed upstream in 2.5.1.

Mageia 7 is also affected.
David Walser 2021-01-16 16:14:16 CET

Whiteboard: (none) => MGA7TOO
Status comment: (none) => Fixed upstream in 2.5.1

Comment 1 Nicolas Lécureuil 2021-01-16 21:42:25 CET 
Freeze push asked for cauldron.

CC: (none) => mageia

Comment 2 David Walser 2021-01-17 05:43:15 CET 
python-cairosvg-2.5.1-1.mga8 uploaded for Cauldron.

Whiteboard: MGA7TOO => (none)
Version: Cauldron => 7

Comment 3 Aurelien Oudelet 2021-01-18 22:09:03 CET 
Hi, thanks for reporting this.
As there is no maintainer for this package I added the committers in CC.

(Please set the status to 'assigned' if you are working on it)

CC: (none) => ouaurelien
Assignee: bugsquad => pkg-bugs

Nicolas Lécureuil 2021-03-11 17:15:10 CET

Assignee: pkg-bugs => qa-bugs
Status comment: Fixed upstream in 2.5.1 => (none)

Comment 4 Nicolas Lécureuil 2021-03-11 17:15:33 CET 
fixed in mga7:

src:
   - python-cairosvg-2.2.1-1.1.mga7
Comment 5 David Walser 2021-03-12 20:42:45 CET 
RPMs:
cairosvg-2.2.1-1.1.mga7
python3-cairosvg-2.2.1-1.1.mga7
Comment 6 Len Lawrence 2021-03-12 22:59:16 CET 
mga7, x64

Installed the release version and dependencies.
  cairosvg-2.2.1-1.mga7.noarch

  python3-atomicwrites           1.3.0        1.mga7        noarch  
  python3-cairocffi              0.9.0        1.mga7        noarch  
  python3-cairosvg               2.2.1        1.mga7        noarch  
  python3-coverage               4.5.2        3.mga7        x86_64  
  python3-cssselect2             0.2.1        1.mga7        noarch  
  python3-defusedxml             0.5.0        5.mga7        noarch  
  python3-more-itertools         5.0.0        2.mga7        noarch  
  python3-pluggy                 0.9.0        1.mga7        noarch  
  python3-pytest                 4.4.1        1.mga7        noarch  
  python3-pytest-cov             2.6.1        1.mga7        noarch  
  python3-pytest-runner          4.2          1.mga7        noarch  
  python3-tinycss2               0.6.1        1.mga7        noarch  

Quick test:
$ cairosvg -f png -o clock.png BenBois_Clock.svg
$ display clock.png
That looks good.

Shall wait for more details before proceeding.

https://www.cvebase.com/cve/2021/21236
Exploits for CVE-2021-21236 are not publicly available.

Should be able to go ahead with functionality tests later after updating.

CC: (none) => tarazed25

Comment 7 Len Lawrence 2021-03-13 11:09:02 CET 
Updated cairosvg:
- cairosvg-2.2.1-1.1.mga7.noarch
- python3-cairosvg-2.2.1-1.1.mga7.noarch

$ cairosvg -v
2.2.1
$ rm clock.png
$ cairosvg -f png -o clock.png BenBois_Clock.svg
$ display clock.png
$ identify BenBois_Clock.svg 
BenBois_Clock.svg SVG 410x416 410x416+0+0 16-bit sRGB 56381B 0.000u 0:00.116
$ cairosvg -f pdf -s 2.0 -o clock.pdf BenBois_Clock.svg
$ xpdf clock.pdf
An enlarged image was displayed in a single page PDF.

$ cairosvg -f svg --output-width 800 -o clock.svg BenBois_Clock.svg
That displayed as a circular clock-face approximately double the size of the original.
$ cairosvg -f svg --output-width 800 --output-height 600 -o squashed_clock.svg BenBois_Clock.svg
Displayed as a circular clockface with the bottom quarter clipped.
$ xdpyinfo | grep resolution
  resolution:    162x161 dots per inch
$ cairosvg -f ps -d 81 -o bigclock.ps BenBois_Clock.svg
$ gs bigclock.ps
That displayed an enlarged version of the original image, close to double-size in both dimensions.

Working as designed.
Needs an advisory - can be copied from the CVE link I would guess.
Comment 8 Len Lawrence 2021-03-13 11:25:09 CET 
Addendum to comment 7.
$ strace -o cairo.trace cairosvg -f ps -d 81 -o bigclock.ps BenBois_Clock.svg
$ grep cairo cairo.trace | grep python
....
stat("/usr/lib/python3.7/site-packages/cairosvg/__main__.py", {st_mode=S_IFREG|0644, st_size=3199, ...}) = 0
openat(AT_FDCWD, "/usr/lib/python3.7/site-packages/cairosvg/__pycache__/__main__.cpython-37.pyc", O_RDONLY|O_CLOEXEC) = 3

BenBois_clock.svg is available from Wikimedia Commons.
Comment 9 David Walser 2021-03-14 15:45:52 CET 
Advisory:
========================

Updated python-cairosvg packages fix security vulnerability:

When processing SVG files, the python package CairoSVG uses two regular
expressions which are vulnerable to Regular Expression Denial of Service
(REDoS). If an attacker provides a malicious SVG, it can make cairosvg get
stuck processing the file for a very long time (CVE-2021-21236).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-21236
https://github.com/advisories/GHSA-hq37-853p-g5cf
Len Lawrence 2021-03-19 09:17:42 CET

Whiteboard: (none) => MGA7-64-OK

Comment 10 Thomas Andrews 2021-03-19 15:36:03 CET 
Validating. Advisory in Comment 9.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Thomas Backlund 2021-03-21 10:46:11 CET

Keywords: (none) => advisory

Comment 11 Mageia Robot 2021-03-21 11:45:34 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0149.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED