| Summary: | librsvg new security issue CVE-2021-25900 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | critical | ||
| Priority: | Normal | CC: | andrewsfarm, ouaurelien, rverschelde, sysadmin-bugs, tarazed25 |
| Version: | 7 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA7-64-OK | ||
| Source RPM: | librsvg-2.45.5-3.1.mga7.src.rpm | CVE: | CVE-2021-25900 |
| Status comment: | |||
Description
David Walser
2021-05-30 23:43:17 CEST

David Walser
2021-05-30 23:43:27 CEST
Whiteboard: (none) => MGA7TOO

SUSE has issued an advisory on April 23:
https://lists.suse.com/pipermail/sle-security-updates/2021-April/008674.html

It appears to be a variation of the same thing for older versions.

Summary: librsvg new security issue CVE-2021-25900 => librsvg new security issue CVE-2018-20991 / CVE-2021-25900

If the issue is resolved in smallvec 0.6.1, then neither Mageia 8 nor Mageia 7 should be affected by this issue. SUSE just had outdated versions of librsvg.

Mageia 8 (librsvg 2.50.3):

```toml
[[package]]
name = "smallvec"
version = "1.6.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "fe0f37c9e8f3c5a4a66ad655a93c74daac4ad00c441533bf5c6e7990bb42604e"
```

Mageia 7 (librsvg :

```toml
[[package]]
name = "smallvec"
version = "0.6.6"
source = "registry+https://github.com/rust-lang/crates.io-index"
dependencies = [
 "unreachable 1.0.0 (registry+https://github.com/rust-lang/crates.io-index)",
]
```

CC: (none) => rverschelde

The openSUSE advisory was bogus, the CVE is clearer:
https://nvd.nist.gov/vuln/detail/CVE-2021-25900

> An issue was discovered in the smallvec crate before 0.6.14 and 1.x before
> 1.6.1 for Rust. There is a heap-based buffer overflow in SmallVec::insert_many.

So only Mageia 7 is affected (0.6.3 < 0.6.6 < 0.6.14). Mageia 8 already has the fixed version.

Whiteboard: MGA7TOO => (none)

Thanks, I have no idea how you checked that. So only CVE-2021-25900 is relevant. CVE-2018-20991 was fixed before Mageia 7.

I checked the Cargo.lock file in the source tarball, which documents which versions of crates should be used.

I made a tentative fix for Mageia 7 backporting the rust-smallvec patch to the vendored librsvg crate. I couldn't test locally as we don't have libcroco-0.6 on Cauldron anymore, and the buildsystem seems to have been stuck for 15 hours, so we'll know later if that worked :)
http://svnweb.mageia.org/packages?view=revision&revision=1729190

Assignee: bugsquad => rverschelde

Confirmed that CVE-2018-20991 only affects smallvec < 0.6.3, so we're good.
https://nvd.nist.gov/vuln/detail/CVE-2018-20991

Summary: librsvg new security issue CVE-2018-20991 / CVE-2021-25900 => librsvg new security issue CVE-2021-25900

Seems to have worked after a tweak to Cargo.toml. For interested packagers: when patching vendored Rust crates, you need to add a `[patch]` section in the main `Cargo.toml` to specify that a patched version is used (otherwise cargo will refuse to build the modified crate, as its hash doesn't match what is expected from the original):
http://svnweb.mageia.org/packages/updates/7/librsvg/current/SOURCES/0001-smallvec-Include-fix-for-CVE-2021-25900.patch?view=markup&pathrev=1729265

Advisory:
=========

Updated librsvg packages fix security vulnerability

This update patches the vendored `smallvec` Rust crate in librsvg to fix a security vulnerability:

The Iterator implementation mishandles destructors, leading to a double free (CVE-2021-25900).

References:
- https://nvd.nist.gov/vuln/detail/CVE-2018-20991
- https://github.com/servo/rust-smallvec/commit/5757ac500d4e544485d796b542e4e589749c291b

SRPM in core/updates_testing:
=============================
librsvg-2.45.5-3.2.mga7

RPMs in core/updates_testing:
=============================
librsvg-2.45.5-3.2.mga7
lib64rsvg2_2-2.45.5-3.2.mga7
lib64rsvg2-devel-2.45.5-3.2.mga7
lib64rsvg-gir2.0-2.45.5-3.2.mga7

Assignee: rverschelde => qa-bugs

mga7, x64

No PoC evident, so straight into updates.

```console
$ rpm -qa | grep rsvg
lib64rsvg2_2-2.45.5-3.2.mga7
lib64rsvg-gir2.0-2.45.5-3.2.mga7
lib64rsvg2-devel-2.45.5-3.2.mga7
librsvg-2.45.5-3.2.mga7
```

Installed tuxpaint and played about with it. The image was saved in ~/.tuxpaint/saved/20210604182908.png

```console
$ strace -o tuxpaint.trace tuxpaint
$ grep rsvg tuxpaint.trace
openat(AT_FDCWD, "/lib64/librsvg-2.so.2", O_RDONLY|O_CLOEXEC) = 3
```

Restarted tuxpaint; it showed the last newbie picture.

Launched mate-system-monitor under strace:

```console
$ grep rsvg matemonitor | less
openat(AT_FDCWD, "/lib64/librsvg-2.so.2", O_RDONLY|O_CLOEXEC) = 3
....
read(13, "/librsvg-2.so.2.46.0 (deleted)\nS"..., 1024) = 1024
....
read(13, "ib64/librsvg-2.so.2.46.0\nSize: "..., 1024) = 1024
```

Other packages which use these libraries are vlc-plugin-common, pix, mate-panel, emacs, eom, ....

Tried out pix - an image viewer and video player - OK. Using emacs to write this report. eom works.

Whiteboard: (none) => MGA7-64-OK

Validated. Advisory in Comment 7.

Keywords: (none) => validated_update
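The `(deleted)` marker in the strace output of the QA comment above is the practical handle for a post-update check: a process that loaded librsvg before the package was replaced keeps running the old, unlinked copy until it is restarted, and `/proc/<pid>/maps` records that. The script below is an added example (editor's code, not from the QA tester or from Mageia) that reads the maps of every readable process and reports those still mapping an unlinked librsvg. The `SAMPLE_MAPS` listings, their addresses, device numbers and inodes are constructed for the example, not captured from a real system.

```python
"""Report processes that still map a shared library which was replaced on disk.

rpm installs an updated library as a new file and unlinks the old one, so a
process that loaded the old copy keeps running it and /proc/<pid>/maps shows
that mapping with a trailing " (deleted)". Such processes need a restart
before the fix is actually in effect.
"""
import os
import re
from typing import Dict, List

DELETED = " (deleted)"


def stale_libraries(maps_text: str, lib_pattern: str = r"/librsvg-2\.so") -> List[str]:
    """Distinct paths in one /proc/<pid>/maps listing that match lib_pattern
    and are mapped from a file that has since been unlinked."""
    wanted = re.compile(lib_pattern)
    found: List[str] = []
    for line in maps_text.splitlines():
        # Columns: address perms offset dev inode [pathname]. The pathname may
        # itself contain spaces, so split at most five times and keep the rest.
        parts = line.split(None, 5)
        if len(parts) < 6:
            continue  # anonymous mapping without a pathname
        path = parts[5].rstrip()
        if not path.endswith(DELETED):
            continue
        path = path[: -len(DELETED)]
        # memfd: and shm objects also carry "(deleted)"; keep only the library of interest.
        if wanted.search(path) and path not in found:
            found.append(path)
    return found


def stale_processes(maps_by_pid: Dict[int, str], lib_pattern: str = r"/librsvg-2\.so") -> Dict[int, List[str]]:
    """pid -> stale library paths, for processes that have at least one."""
    result: Dict[int, List[str]] = {}
    for pid, text in maps_by_pid.items():
        libs = stale_libraries(text, lib_pattern)
        if libs:
            result[pid] = libs
    return result


def read_all_maps(proc_root: str = "/proc") -> Dict[int, str]:
    """Collect /proc/<pid>/maps for every process we may read (other users'
    processes need root); unreadable ones are skipped silently, so run as
    root for a complete answer."""
    maps: Dict[int, str] = {}
    if not os.path.isdir(proc_root):
        return maps
    for name in os.listdir(proc_root):
        if not name.isdigit():
            continue
        try:
            with open(os.path.join(proc_root, name, "maps"), errors="replace") as f:
                maps[int(name)] = f.read()
        except OSError:
            continue
    return maps


# Constructed sample listings (not captured from a real machine; addresses,
# device numbers and inodes are invented). pid 4321 started before the update
# and still runs the old librsvg; pid 5678 was restarted afterwards.
SAMPLE_MAPS = {
    4321: "\n".join([
        "55d1c3a00000-55d1c3a2b000 r--p 00000000 08:02 1310734   /usr/bin/mate-system-monitor",
        "7f2b0c000000-7f2b0c021000 rw-p 00000000 00:00 0 ",
        "7f2b0c400000-7f2b0c43c000 r-xp 00000000 08:02 2621519   /lib64/librsvg-2.so.2.46.0 (deleted)",
        "7f2b0c43c000-7f2b0c440000 rw-p 0003b000 08:02 2621519   /lib64/librsvg-2.so.2.46.0 (deleted)",
        "7f2b0d000000-7f2b0d001000 rw-s 00000000 00:05 98765     /memfd:gdk-wayland (deleted)",
    ]),
    5678: "\n".join([
        "5606a1200000-5606a1210000 r--p 00000000 08:02 1310800   /usr/bin/eom",
        "7fa1e0400000-7fa1e043c000 r-xp 00000000 08:02 2621777   /lib64/librsvg-2.so.2.46.0",
    ]),
}


if __name__ == "__main__":
    for pid, libs in sorted(stale_processes(read_all_maps()).items()):
        print(pid, " ".join(libs))
```

Run it as root right after installing the update; every pid it prints is still executing the vulnerable smallvec code and should be restarted (or the session logged out, for desktop components such as mate-panel). The check relies on rpm unlinking the old file: a library overwritten in place under the same inode would not show `(deleted)`, but that is not how package updates are installed.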
Aurelien Oudelet
2021-06-07 09:33:04 CEST
Keywords: (none) => advisory

An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2021-0234.html

Status: NEW => RESOLVED
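The affected-version check that settled this bug (reading the smallvec version pinned in the vendored Cargo.lock and comparing it with the ranges NVD gives for CVE-2021-25900 and CVE-2018-20991), written out as an added example. This is editor-added code, not part of the bug report or of Mageia's packaging: the lock-file reader, the `audit` function and the `AFFECTED` table are mine; the two lock excerpts are the ones quoted in the thread, and the ranges come from the NVD descriptions quoted there.

```python
"""Check the crate versions pinned in a Cargo.lock against affected ranges.

librsvg vendors its Rust dependencies, so the Cargo.lock in the source tarball
is the record of exactly which smallvec is compiled into the package.
"""
import re
from typing import Dict, List, Tuple

Version = Tuple[int, ...]
KEY_VALUE = re.compile(r'^(\w+)\s*=\s*"([^"]*)"$')

# (first affected, first fixed) pairs, inclusive/exclusive, from the NVD
# descriptions quoted in the thread: CVE-2021-25900 affects smallvec before
# 0.6.14 and 1.x before 1.6.1; CVE-2018-20991 affects smallvec before 0.6.3.
AFFECTED: Dict[str, List[Tuple[str, str]]] = {
    "CVE-2021-25900": [("0.0.0", "0.6.14"), ("1.0.0", "1.6.1")],
    "CVE-2018-20991": [("0.0.0", "0.6.3")],
}


def parse_version(s: str) -> Version:
    """Semver core as an int tuple, so that 0.6.14 sorts after 0.6.6 (a plain
    string comparison would get this backwards); pre-release/build suffixes
    such as "1.0.0-beta.1" are dropped."""
    core = re.split(r"[-+]", s, maxsplit=1)[0]
    return tuple(int(part) for part in core.split("."))


def parse_cargo_lock(text: str) -> List[Dict[str, str]]:
    """Minimal reader for the [[package]] tables of a Cargo.lock. Handles both
    the old v1 layout (dependencies list, no checksum) and the newer one with
    a checksum field; list values and the [metadata] table are ignored."""
    packages: List[Dict[str, str]] = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "[[package]]":
            current = {}
            packages.append(current)
        elif line.startswith("["):  # any other table header ends the package
            current = None
        elif current is not None:
            m = KEY_VALUE.match(line)
            if m:
                current[m.group(1)] = m.group(2)
    return packages


def is_affected(version: str, ranges: List[Tuple[str, str]]) -> bool:
    v = parse_version(version)
    return any(parse_version(lo) <= v < parse_version(hi) for lo, hi in ranges)


def audit(lock_text: str, crate: str, advisories=AFFECTED) -> Dict[str, List[str]]:
    """{CVE: [affected pinned versions of crate]}. A lock file may pin the
    same crate at several versions (different dependants), so every
    occurrence is checked rather than only the first."""
    versions = [p["version"] for p in parse_cargo_lock(lock_text)
                if p.get("name") == crate and "version" in p]
    hits: Dict[str, List[str]] = {}
    for cve, ranges in advisories.items():
        bad = [v for v in versions if is_affected(v, ranges)]
        if bad:
            hits[cve] = bad
    return hits


# The two excerpts quoted in the thread: Mageia 7's librsvg 2.45.5 lock (v1
# layout) and Mageia 8's librsvg 2.50.3 lock.
MGA7_LOCK = '''\
[[package]]
name = "smallvec"
version = "0.6.6"
source = "registry+https://github.com/rust-lang/crates.io-index"
dependencies = [
 "unreachable 1.0.0 (registry+https://github.com/rust-lang/crates.io-index)",
]
'''
MGA8_LOCK = '''\
[[package]]
name = "smallvec"
version = "1.6.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "fe0f37c9e8f3c5a4a66ad655a93c74daac4ad00c441533bf5c6e7990bb42604e"
'''

if __name__ == "__main__":
    import sys
    # Usage: python audit_lock.py path/to/Cargo.lock [crate]
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else MGA7_LOCK
    crate = sys.argv[2] if len(sys.argv) > 2 else "smallvec"
    print(audit(text, crate) or "not affected")
```

Two caveats a packager should keep in mind. The lock file is only authoritative when the build actually honours it (vendored sources, or `cargo build --locked`); a build that is allowed to re-resolve dependencies can end up with a different version than the one audited. And after a backport like the one in this update the pinned version string does not change (it is still 0.6.6 with the fix applied), so a version-only scanner will keep flagging the package until the distribution's own advisory data is consulted.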