Bug 8624

Summary: inkscape new security issue CVE-2012-5656
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact:
Severity: normal    
Priority: Normal CC: fundawang, sysadmin-bugs, tmb
Version: 2Keywords: validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/531755/
Whiteboard: has_procedure mga2-64-OK mga2-32-OK
Source RPM: inkscape-0.48.3.1-1.mga2.src.rpm CVE:
Status comment:
Attachments: PoC

Description David Walser 2013-01-07 21:26:25 CET 
Fedora has issued an advisory on December 19:
http://lists.fedoraproject.org/pipermail/package-announce/2013-January/095380.html

The issue was fixed upstream in 0.48.4 (which we have in Cauldron).

The upstream change to fix this is linked in the RedHat bug:
https://bugzilla.redhat.com/show_bug.cgi?id=888249
David Walser 2013-01-07 21:26:31 CET

CC: (none) => fundawang

Comment 1 claire robinson 2013-01-08 12:08:30 CET 
Created attachment 3338 [details]
PoC

From https://bugs.launchpad.net/inkscape/+bug/1025185

inkscape -e xxe-inkscape.png xxe.svg
claire robinson 2013-01-08 12:12:49 CET

Whiteboard: (none) => has_procedure

Comment 2 David Walser 2013-01-10 19:47:23 CET 
If we wanted to patch it, it's not as simple as rediffing the upstream change, as the code has changed quite a bit.  We probably need to just upgrade it to 0.48.4.
Comment 3 David Walser 2013-01-10 22:21:46 CET 
Updated package uploaded for Mageia 2.

Advisory:
========================

Updated inkscape package fixes security vulnerability:

An XML eXternal Entity (XXE) flaw was found in the way Inkscape before 0.48.4
performed rasterization of certain SVG images. A remote attacker could
provide a specially-crafted SVG image that, when opened in inkscape would
lead to arbitrary local file disclosure or denial of service (CVE-2012-5656).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5656
http://lists.fedoraproject.org/pipermail/package-announce/2013-January/095380.html
========================

Updated packages in core/updates_testing:
========================
inkscape-0.48.4-1.mga2

from inkscape-0.48.4-1.mga2.src.rpm

Assignee: fundawang => qa-bugs

Comment 4 claire robinson 2013-01-11 13:48:50 CET 
Testing complete mga2 64

Before, green square with /etc/passwd in it. After, green square without.

Whiteboard: has_procedure => has_procedure mga2-64-OK

Comment 5 claire robinson 2013-01-11 13:55:36 CET 
Testing complete mga2 32

Validating

Advisory & srpm in comment 3

Could sysadmin please push from core/updates_testing to core/updates

Thanks!

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Hardware: i586 => All
Whiteboard: has_procedure mga2-64-OK => has_procedure mga2-64-OK mga2-32-OK

Comment 6 Thomas Backlund 2013-01-14 22:29:00 CET 
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0006

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED

Comment 7 David Walser 2013-01-30 20:25:10 CET 
Ubuntu has issued an advisory today (January 30):
http://www.ubuntu.com/usn/usn-1712-1/

It fixes this issue as well as CVE-2012-6076.

According to Ubuntu, CVE-2012-6076 was also fixed in 0.48.4, so we're good.

from http://lwn.net/Vulnerabilities/535218/