| Summary: | python-cairosvg new security issue CVE-2023-27586 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | critical | ||
| Priority: | Normal | CC: | davidwhodgins, fri, nicolas.salguero, sysadmin-bugs, tarazed25 |
| Version: | 8 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA8-64-OK | ||
| Source RPM: | python-cairosvg-2.5.2-5.mga9.src.rpm | CVE: | CVE-2023-27586 |
| Status comment: | |||
|
Description

David Walser
2023-03-28 17:11:02 CEST

David Walser
2023-03-28 17:11:17 CEST

Whiteboard: (none) => MGA8TOO

Suggested advisory:
========================

The updated packages fix a security vulnerability:

CairoSVG is an SVG converter based on Cairo, a 2D graphics library. Prior to version 2.7.0, Cairo can send requests to external hosts when processing SVG files. A malicious actor could send a specially crafted SVG file that allows them to perform a server-side request forgery or denial of service. Version 2.7.0 disables CairoSVG's ability to access other files online by default. (CVE-2023-27586)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-27586
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/5HDBMOMLE6GFKXPLKIWFWM2Q6V4DQKXP/
https://github.com/Kozea/CairoSVG/security/advisories/GHSA-rwmf-w63j-p7gv
========================

Updated packages in core/updates_testing:
========================
cairosvg-2.5.1-1.2.mga8
python3-cairosvg-2.5.1-1.2.mga8

from SRPM:
python-cairosvg-2.5.1-1.2.mga8.src.rpm

Status: NEW => ASSIGNED

Mageia8, x86_64

There are three possible exploits for this so it seemed worthwhile to follow them up.
https://github.com/Kozea/CairoSVG/security/advisories/GHSA-rwmf-w63j-p7gv

Created the three malicious SVG files and ran the server under python.

Before update:

    $ python -m cairosvg cairosvg_exploit_dos.svg -f png

This hung, as expected, and had to be killed. Ran the same command using the other two SVG PoC files and both crashed with a long string of errors.

Updated the two candidates and ran those tests again.

    $ python -m cairosvg cairosvg_exploit_dos.svg -f png
    �PNG � IHDR��>a�bKGD�������VIDATx���1 �Om ��o�>c�IEND�B`�
    $ python -m cairosvg cairosvg_exploit_2.svg -f png
    �PNG � IHDR��>a�bKGD�������VIDATx���1 �Om ��o�>c�IEND�B`�
    $ python -m cairosvg cairosvg_exploit.svg -f png
    �PNG � IHDR��>a�bKGD�������VIDATx���1 �Om ��o�>c�IEND�B`�
    $

Looks like the vulnerabilities are being handled tidily.

Could not find anything that uses this module so used the test command against a stock image file to generate a PNG.

    $ python -m cairosvg BenBois_Clock.svg -f png > BenBois_Clock.png
    $ eom BenBois_Clock.png

showed a perfect copy of the original clock. This will have to do.

Whiteboard: (none) => MGA8-64-OK

I believe you, Len :)

Keywords: (none) => validated_update

Dave Hodgins
2023-04-06 20:32:13 CEST

Keywords: (none) => advisory

An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2023-0126.html

Status: ASSIGNED => RESOLVED
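The advisory above describes SVG files that make CairoSVG reach out to external hosts. As an added example (not part of the bug report, the Mageia packages or CairoSVG itself), here is a stdlib-only pre-check a service can run on user-supplied SVGs before passing them to a CairoSVG older than 2.7.0: it lists every href/xlink:href or CSS url() that points outside the document, so such files can be rejected or logged instead of converted. The sample SVGs and host names are constructed for the demonstration.

```python
# Added example (not part of the bug report or of CairoSVG): a stdlib-only pre-check
# that lists every reference an SVG makes outside itself, the class of reference that
# a converter such as CairoSVG before 2.7.0 would fetch. The sample SVGs are constructed.
import re
import xml.etree.ElementTree as ET
from typing import List

XLINK_HREF = "{http://www.w3.org/1999/xlink}href"
# CSS url(...) in <style> blocks or style="" attributes can also name a resource.
CSS_URL_RE = re.compile(r"url\(\s*['\"]?([^'\")]+)['\"]?\s*\)", re.IGNORECASE)


def is_external(ref: str) -> bool:
    """True unless the reference stays inside the document or inlines its data."""
    ref = ref.strip()
    if not ref or ref.startswith("#"):
        return False
    return not ref.lower().startswith("data:")


def find_external_refs(svg_bytes: bytes) -> List[str]:
    """Return every external reference found in href/xlink:href attributes and CSS url()."""
    root = ET.fromstring(svg_bytes)
    found = []
    for elem in root.iter():
        for attr in ("href", XLINK_HREF):
            value = elem.attrib.get(attr)
            if value is not None and is_external(value):
                found.append(value.strip())
        # CSS can sit in a style attribute or in the text of a <style> element.
        css = elem.attrib.get("style", "")
        if elem.tag.endswith("style") and elem.text:
            css += elem.text
        found.extend(u.strip() for u in CSS_URL_RE.findall(css) if is_external(u))
    return found


def should_reject(svg_bytes: bytes) -> bool:
    """Policy for the caller: refuse any SVG that references something outside itself."""
    return bool(find_external_refs(svg_bytes))


# Constructed samples: a self-contained SVG and one that points at other hosts.
SAFE_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">'
            b'<defs><circle id="c" r="5"/></defs><use xlink:href="#c"/>'
            b'<image href="data:image/png;base64,iVBORw0KGgo="/></svg>')
REMOTE_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">'
              b'<image xlink:href="http://internal.example/logo.png" width="10" height="10"/>'
              b'<style>.a{fill:url(https://cdn.example/p.svg#g)}</style>'
              b'<rect class="a" style="mask:url(#m)"/></svg>')
```

`should_reject(REMOTE_SVG)` is True because of the `<image>` host and the CSS `url()`, while the `#c` fragment, the `data:` image and `url(#m)` in the safe document are not counted.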