OpenSuSE has issued an advisory on November 29:
http://lists.opensuse.org/opensuse-updates/2013-11/msg00114.html

The issue was fixed upstream in 2.39.0 according to the CVE entry, so we should be OK in Cauldron. The OpenSuSE 12.3 update contains a patch for 2.36.4, the same version we have in Mageia 3.

However, I could have just pushed it with this patch myself, but it sounds like it is causing regressions according to the comments in the Novell bug:
https://bugzilla.novell.com/show_bug.cgi?id=840753

So I'll assign this to Olav for further review.
CC'ing José as he's marked as maintainer of this package.
CC: (none) => lists.jjorge
OK, so the regression was because a change in gtk+3.0 was needed to cope with the security hardening in librsvg. OpenSuSE released a gtk+3.0 update to fix this. Their update for 12.3 is also the same gtk+3.0 version we have, so I've pulled their patches for both librsvg and gtk+3.0.

Patched packages uploaded for Mageia 3.

Advisory:
========================

Updated librsvg packages fix security vulnerability:

librsvg before version 2.39.0 allows remote attackers to read arbitrary files via an XML document containing an external entity declaration in conjunction with an entity reference (CVE-2013-1881).

gtk+3.0 has been patched to cope with the changes in SVG loading due to the fix in librsvg.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1881
http://lists.opensuse.org/opensuse-updates/2013-11/msg00114.html
========================

Updated packages in core/updates_testing:
========================
librsvg-2.36.4-2.1.mga3
librsvg2_2-2.36.4-2.1.mga3
librsvg2-devel-2.36.4-2.1.mga3
librsvg-gir2.0-2.36.4-2.1.mga3
gtk+3.0-3.6.4-1.1.mga3
libgtk+3_0-3.6.4-1.1.mga3
libgtk-gir3.0-3.6.4-1.1.mga3
libgtk+3.0-devel-3.6.4-1.1.mga3
libgail3_0-3.6.4-1.1.mga3
libgail3.0-devel-3.6.4-1.1.mga3

from SRPMS:
librsvg-2.36.4-2.1.mga3.src.rpm
gtk+3.0-3.6.4-1.1.mga3.src.rpm
CC: (none) => olav
Assignee: olav => qa-bugs
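To make the advisory text concrete, here is an added illustration of the bug class it describes (an XML external entity declared in the DTD and then referenced from SVG content, so that a local file ends up in the parsed document). This is example code written for this page, not librsvg's code or its upstream fix: it uses Python's stdlib xml.sax as a stand-in for the SVG parser, with the external-entity feature switched on for the "vulnerable" run and off for the "hardened" run. The secret file, its contents and the entity name "leak" are constructed for the demonstration.

```python
import io
import os
import tempfile
import xml.sax
import xml.sax.handler


class TextCollector(xml.sax.handler.ContentHandler):
    """Collect character data, roughly what a renderer drawing <text>
    elements would end up displaying."""

    def __init__(self):
        super().__init__()
        self.chunks = []

    def characters(self, content):
        self.chunks.append(content)

    def text(self):
        return "".join(self.chunks)


def build_xxe_svg(target_path: str) -> bytes:
    """Constructed sample document: an SVG whose internal DTD subset
    declares an external general entity pointing at a local file and
    references it inside a <text> element.  The entity name 'leak' and
    the target path are assumptions for this example."""
    return f"""<?xml version="1.0"?>
<!DOCTYPE svg [
  <!ENTITY leak SYSTEM "{target_path}">
]>
<svg xmlns="http://www.w3.org/2000/svg" width="100" height="100">
  <text x="0" y="20">&leak;</text>
</svg>
""".encode()


def parse_svg_text(svg: bytes, resolve_external_entities: bool) -> str:
    """Parse the SVG and return the collected text content.

    resolve_external_entities=True reproduces the vulnerable behaviour:
    the parser opens the SYSTEM identifier and splices the file contents
    into the document.  False is the hardened setting: the reference is
    skipped and nothing from the filesystem reaches the document."""
    parser = xml.sax.make_parser()
    parser.setFeature(xml.sax.handler.feature_external_ges,
                      resolve_external_entities)
    collector = TextCollector()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(svg))
    return collector.text()


def demo() -> dict:
    """Run both parser configurations against the same malicious SVG and
    return what each one exposed, stripped of layout whitespace."""
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as f:
        f.write("constructed-secret-4d2f")   # constructed stand-in for /etc/passwd etc.
        secret_path = f.name
    try:
        svg = build_xxe_svg(secret_path)
        return {
            "vulnerable": parse_svg_text(svg, resolve_external_entities=True).strip(),
            "hardened": parse_svg_text(svg, resolve_external_entities=False).strip(),
        }
    finally:
        os.unlink(secret_path)


if __name__ == "__main__":
    for mode, leaked in demo().items():
        print(f"{mode:10s}: {leaked!r}")
```

The practical check for a package like librsvg is the same as in this script: feed it an SVG that references a file you control through an external entity and confirm that nothing from that file appears in the rendered output (or in an error message). Note that the hardened run produces an empty string, not an error, which is why a fix like this can change behaviour for consumers of the library and needs a matching adjustment in dependents such as gtk+3.0.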
CC: (none) => davidwhodgins
Whiteboard: (none) => advisory
Just testing that eog can view svg images with the updates installed.

When installing gtk+3.0 in Mageia 3 x86_64, I get a warning ...

1/3: gtk+3.0 ##################################################################################################
2/3: lib64gtk+3_0 ##################################################################################################
3/3: lib64gtk-gir3.0 ##################################################################################################
1/3: removing lib64gtk-gir3.0-3.6.4-1.mga3.x86_64 ##################################################################################################
2/3: removing gtk+3.0-3.6.4-1.mga3.x86_64 ##################################################################################################
3/3: removing lib64gtk+3_0-3.6.4-1.mga3.x86_64 ##################################################################################################
warning: undefined reference to <schema id='org.gnome.settings-daemon.plugins.updates'/>

Viewing svg (and other) images in eog is working though.

Testing complete on Mageia 3 i586 and x86_64.

Someone from the sysadmin team please push 11853.adv to updates.
Keywords: (none) => validated_update
Whiteboard: advisory => advisory MGA3-64-OK MGA3-32-OK
CC: (none) => sysadmin-bugs
Update pushed: http://advisories.mageia.org/MGASA-2014-0004.html
CC: (none) => tmb
closing
Status: NEW => RESOLVED
Resolution: (none) => FIXED