From NEWS:

Version 2.40.7
- Bugs fixed from fuzz testing: #703102, #738050, #738169, #744270, #744299
- Fixed unfiled bug from fuzz testing, where the convolution filter had an integer multiplication overflow.
- Fix build of rsvg-convert on Windows.
- Fix a bunch of compiler warnings.
Blocks: (none) => 14674
Submitted 2.40.7 for Cauldron.
Mageia 4 has librsvg 2.39.0. It had that version as newer versions removed various functionality. From 2.40 NEWS:
- Remove support for GTK+2 along with the old theme engine
- Remove support for old versions of gdk-pixbuf

If we push 2.40.7, it'll mean basically pushing those changes as well.
Cauldron is fixed. Need thoughts for Mageia 4.
Version: Cauldron => 4
Blocks: 14674 => (none)
I guess we'll want to backport the fixes, or see if another distro does.
CC: (none) => luigiwalser
Yeah, we can't go breaking a stable release.
CC: (none) => tmb
OK, I backported the security fixes. That was actually pretty easy.

The updated packages are:
librsvg-2.39.0-1.1.mga4
librsvg2_2-2.39.0-1.1.mga4
librsvg2-devel-2.39.0-1.1.mga4
librsvg-gir2.0-2.39.0-1.1.mga4

from librsvg-2.39.0-1.1.mga4.src.rpm

bgo#744270 doesn't affect librsvg 2.39.0, that was from a regression in a later version. So, the NEWS section corresponding to what I backported is:
- Bugs fixed from fuzz testing: #703102, #738050, #738169, #744299
- Fixed unfiled bug from fuzz testing, where the convolution filter had an integer multiplication overflow.

The full commit messages are below. Olav, would you mind writing the advisory and assigning this to QA?

commit 0035e95118a60c0cd3949c2300472d805e16a022
Author: Federico Mena Quintero <federico@gnome.org>
Date:   Wed Feb 11 10:48:52 2015 -0600

    bgo#744299 - Ensure the type of pattern fallbacks

    Atte Kettunen's fuzz testing yielded an SVG with a pattern paint server that had an xlink:href to a *rect*, not to another pattern. Since we were not checking the type of resolved nodes when applying pattern fallbacks, we were using a structure of the wrong type.

    Fixes https://bugzilla.gnome.org/show_bug.cgi?id=744299

    Signed-off-by: Federico Mena Quintero <federico@gnome.org>

 rsvg-paint-server.c | 29 +++++++++++++++++++++++------
 1 file changed, 23 insertions(+), 6 deletions(-)

commit 53c50caecc970aef91cf8e3f1fde919f848d6f0c
Author: Federico Mena Quintero <federico@gnome.org>
Date:   Fri Feb 6 16:33:25 2015 -0600

    Avoid overflow in gint multiplication

    In the convolution matrix filter code, we read the orderx and ordery for the convolution matrix. However, multiplying them as gints may overflow.

    Found by fuzz testing when orderx = ordery = 65536

    Fuzz testing kindly provided by Atte Kettunen <attekett@gmail.com>
    From librsvg-fuzz case rsvgconvert-060-3ef-705-f72.svg

    Signed-off-by: Federico Mena Quintero <federico@gnome.org>

 rsvg-filter.c | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

commit 8ee18b22ece0f869cb4e2e021c01138cbb8a0226
Author: Federico Mena Quintero <federico@gnome.org>
Date:   Fri Feb 6 11:51:01 2015 -0600

    bgo#738169 - Avoid cycles while resolving paint server fallbacks

    If a chain of paint servers, defined through the xlink:href attribute, has a cycle, then we would loop infinitely while resolving the base paint server. We now use a tortoise-and-hare to detect cycles and stop appropriately.

    Fixes https://bugzilla.gnome.org/show_bug.cgi?id=738169

    Signed-off-by: Federico Mena Quintero <federico@gnome.org>

 rsvg-paint-server.c | 421 +++++++++++++++++++++++++++++++++-------------------
 1 file changed, 271 insertions(+), 150 deletions(-)

commit 40af93e6eb1c94b90c3b9a0b87e0840e126bb8df
Author: Federico Mena Quintero <federico@gnome.org>
Date:   Thu Feb 5 18:08:25 2015 -0600

    bgo#738050 - Handle the case where a list of coordinate pairs has an odd number of elements

    Lists of points come in coordinate pairs, but we didn't have any checking for that. It was possible to try to fetch the 'last' coordinate in a list, i.e. the y coordinate of an x,y pair, that was in fact missing, leading to an out-of-bounds array read. In that case, we now reuse the last-known y coordinate.

    Fixes https://bugzilla.gnome.org/show_bug.cgi?id=738050

    Signed-off-by: Federico Mena Quintero <federico@gnome.org>

 rsvg-shapes.c | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)

commit 7803753d130da94db40c10cc75e98b9864dad620
Author: Federico Mena Quintero <federico@gnome.org>
Date:   Thu Feb 5 14:27:10 2015 -0600

    bgo#703102 - Clip coordinates for rsvg_alpha_blt() in a more civilized fashion

    The source offsets were not being validated correctly, so we could easily do a read or write outside the bounds of the image surface. We now use a generic function to clip rectangles instead of doing it by hand.

    Fixes https://bugzilla.gnome.org/show_bug.cgi?id=703102

    Signed-off-by: Federico Mena Quintero <federico@gnome.org>

 rsvg-filter.c | 115 ++++++++++++++++++++++++++--------------------------------
 1 file changed, 51 insertions(+), 64 deletions(-)
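The two paint-server commits above (bgo#738169, cycles in xlink:href fallback chains, and bgo#744299, an href resolving to a rect instead of a pattern) both come down to validating the chain before trusting it. The following is an added illustration, not librsvg's own code: it uses a constructed toy node type and applies the tortoise-and-hare check and the type check in one resolver.

```c
#include <stddef.h>
#include <stdbool.h>
/* Constructed toy model of a paint-server node (not librsvg's real struct);
 * 'fallback' is the resolved xlink:href target, or NULL. */
typedef enum { NODE_PATTERN, NODE_GRADIENT, NODE_RECT } NodeType;
typedef struct Node {
    NodeType type;
    struct Node *fallback;
    bool has_content;   /* true when this node supplies its own pattern data */
} Node;

/* Follow the fallback chain to the first node that has content. Returns NULL
 * when an href resolves to a non-pattern node (bgo#744299) or when the chain
 * loops (bgo#738169). Cycle detection is tortoise-and-hare: the hare moves two
 * links per step, and if it ever meets the tortoise the chain is circular. */
const Node *resolve_pattern(const Node *start)
{
    const Node *tortoise = start, *hare = start;
    while (tortoise != NULL) {
        if (tortoise->type != NODE_PATTERN)
            return NULL;    /* wrong type: refuse rather than reinterpret it */
        if (tortoise->has_content)
            return tortoise;
        if (hare != NULL) hare = hare->fallback;
        if (hare != NULL) hare = hare->fallback;
        tortoise = tortoise->fallback;
        if (hare != NULL && hare == tortoise)
            return NULL;    /* cycle: unguarded code would loop forever here */
    }
    return NULL;            /* chain ended without any content */
}
/* Constructed sample chains mirroring the two fuzz cases in the commits. */
bool sample_chain_resolves(void)
{
    Node base = { NODE_PATTERN, NULL, true };
    Node mid = { NODE_PATTERN, &base, false }, top = { NODE_PATTERN, &mid, false };
    return resolve_pattern(&top) == &base;
}
bool sample_cycle_rejected(void)
{
    Node a = { NODE_PATTERN, NULL, false }, b = { NODE_PATTERN, &a, false };
    a.fallback = &b;        /* a -> b -> a */
    return resolve_pattern(&a) == NULL;
}
bool sample_rect_href_rejected(void)
{
    Node rect = { NODE_RECT, NULL, true }, pat = { NODE_PATTERN, &rect, false };
    return resolve_pattern(&pat) == NULL;
}
```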
Updated librsvg packages fix security vulnerabilities:

Atte Kettunen's fuzz testing found several vulnerabilities in librsvg:
- Invalid memory access caused by incorrect handling of a pattern paint server with an xlink:href to an unexpected type (bug 744299)
- Infinite loop in the handling of gradients (bug 738169)
- Heap-buffer-overflow when there's a missing point in a point-list (bug 738050)
- Out of bounds memory access when clipping (bug 703102)
- Integer overflow in the convolution matrix filter code (commit 53c50c)

References:
https://bugzilla.gnome.org/show_bug.cgi?id=744299
https://bugzilla.gnome.org/show_bug.cgi?id=738169
https://bugzilla.gnome.org/show_bug.cgi?id=738050
https://bugzilla.gnome.org/show_bug.cgi?id=703102
https://git.gnome.org/browse/librsvg/commit/?id=53c50caecc970aef91cf8e3f1fde919f848d6f0c
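The advisory's last item, the integer overflow in the convolution matrix code (commit 53c50c), is the classic gint multiplication wrap: 65536 * 65536 is 0 in 32 bits. As an added example that is not librsvg's code, here is a parser for the feConvolveMatrix 'order' attribute that forms the product in a wider type and rejects oversized kernels before any allocation; MAX_KERNEL_CELLS is a constructed cap, not a value from the library.

```c
#include <errno.h>
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdlib.h>

/* Largest kernel we are willing to allocate: a constructed policy cap,
 * not a value taken from librsvg. */
#define MAX_KERNEL_CELLS (1024u * 1024u)

/* Parse a feConvolveMatrix 'order' attribute ("orderX orderY", or one value
 * used for both axes) and return the kernel cell count, or 0 if the input is
 * malformed, non-positive, or too large. The product is formed in a 64-bit
 * type: 65536 * 65536 wraps to 0 in a 32-bit gint, which is exactly the fuzz
 * case behind commit 53c50c. */
size_t convolve_kernel_cells(const char *attr, int *orderx, int *ordery)
{
    char *end;
    long ox, oy;

    errno = 0;
    ox = strtol(attr, &end, 10);
    if (end == attr || errno != 0 || ox <= 0 || ox > INT_MAX)
        return 0;
    if (*end == '\0') {
        oy = ox;                            /* single value applies to both */
    } else {
        const char *second = end;
        while (*second == ' ') second++;
        oy = strtol(second, &end, 10);
        if (end == second || *end != '\0' || errno != 0 || oy <= 0 || oy > INT_MAX)
            return 0;
    }
    if ((unsigned long long)ox * (unsigned long long)oy > MAX_KERNEL_CELLS)
        return 0;                           /* reject before any allocation */
    *orderx = (int)ox;
    *ordery = (int)oy;
    return (size_t)ox * (size_t)oy;
}

/* Convenience wrapper for callers that only need the cell count. */
size_t kernel_cells(const char *attr)
{
    int ox, oy;
    return convolve_kernel_cells(attr, &ox, &oy);
}
```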
Assignee: bugsquad => qa-bugs
Testing procedure:
- update packages
- download various .svg files into a directory
- run: killall nautilus (it might remain in memory!!)
- start nautilus and go to the directory with the various .svg files
- determine if icons are shown for these files

Think you could also try the following command: rsvg-view-3 (part of librsvg package)
Thanks Olav! Advisory in Comment 7. Package list in Comment 6. Test procedure in Comment 8.
CC: (none) => olav
Whiteboard: (none) => has_procedure
Testing on Mageia 4x32 real hardware following procedure in comment 8

From current packages:
---------------------
librsvg-2.39.0-1.mga4.i586
librsvg2_2-2.39.0-1.mga4.i586

With nautilus, went to a directory where I had extracted 4 .svg files. Icons were shown OK, rsvg-view-3 opened a window where I could see the graphics in svg files.

To updated testing packages:
---------------------------
librsvg-2.39.0-1.1.mga4
librsvg2_2-2.39.0-1.1.mga4

Nautilus OK
rsvg-view-3 OK
CC: (none) => olchal
Whiteboard: has_procedure => has_procedure MGA4-32-OK
Apparently there are regressions:
https://bugzilla.gnome.org/show_bug.cgi?id=745097
https://bugzilla.gnome.org/show_bug.cgi?id=745177

No news yet.
(In reply to Olav Vitters from comment #11)
> Apparently there are regressions:
> https://bugzilla.gnome.org/show_bug.cgi?id=745097
> https://bugzilla.gnome.org/show_bug.cgi?id=745177
>
> No news yet.

Does that affect this update? The commit listed in the second bug wasn't backported here. The first bug doesn't identify the responsible commit.
Regression was discovered just now. We should wait with the update I guess.
(In reply to Olav Vitters from comment #13)
> Regression was discovered just now. We should wait with the update I guess.

We should verify whether the regression affects this update.
Olav added another patch:
https://git.gnome.org/browse/librsvg/commit/?id=f8019aaa9f785061285def07712b5cfcd7ab26aa

Advisory:
========================

Updated librsvg packages fix security vulnerabilities:

Atte Kettunen's fuzz testing found several vulnerabilities in librsvg:
- Invalid memory access caused by incorrect handling of a pattern paint server with an xlink:href to an unexpected type (bgo#744299)
- Infinite loop in the handling of gradients (bgo#738169)
- Heap-buffer-overflow when there's a missing point in a point-list (bgo#738050)
- Out of bounds memory access when clipping (bgo#703102)
- Integer overflow in the convolution matrix filter code (commit 53c50c)
- Fix double g_free() when processing stroke-dasharray (bgo#744688)

References:
https://bugzilla.gnome.org/show_bug.cgi?id=744299
https://bugzilla.gnome.org/show_bug.cgi?id=738169
https://bugzilla.gnome.org/show_bug.cgi?id=738050
https://bugzilla.gnome.org/show_bug.cgi?id=703102
https://bugzilla.gnome.org/show_bug.cgi?id=744299
https://git.gnome.org/browse/librsvg/commit/?id=53c50caecc970aef91cf8e3f1fde919f848d6f0c
========================

Updated packages in core/updates_testing:
========================
librsvg-2.39.0-1.2.mga4
librsvg2_2-2.39.0-1.2.mga4
librsvg2-devel-2.39.0-1.2.mga4
librsvg-gir2.0-2.39.0-1.2.mga4

from librsvg-2.39.0-1.2.mga4.src.rpm
Whiteboard: has_procedure MGA4-32-OK => has_procedure
(In reply to David Walser from comment #14)
> (In reply to Olav Vitters from comment #13)
> > Regression was discovered just now. We should wait with the update I guess.
>
> We should verify whether the regression affects this update.

Regression was in head only. So did not and does NOT affect this update!
Fedora has issued an advisory for this on February 17: https://lists.fedoraproject.org/pipermail/package-announce/2015-February/150536.html
URL: (none) => http://lwn.net/Vulnerabilities/635282/
(In reply to Olav Vitters from comment #16)
> Regression was in head only. So did not and does NOT affect this update!

That's what I figured. Thanks for the confirmation Olav!

QA team: please proceed with the testing :o)
MGA4-32 on AcerD620 Xfce

No installation issues, apart from the fact that rsvg-view did not show up in the repository (I did update on it before starting the test).

I created three svg files with LibreOffice Draw. I am not sure what Olav means by "icons". What I get, after installing nautilus:
In thunar, I see the standard icons for svg files on each of the files.
In nautilus I get miniatures of the contents of each file, thus three different "icons".

Olav, if this is the result you expect, please OK this test for MGA4-32.
CC: (none) => herman.viaene
On re-opening thunar, the miniatures are also shown, so the test should be OK.
Whiteboard: has_procedure => has_procedure MGA4-32-OK
MGA4-64 on HP-Probook 6555b KDE

Installation is a bit hit-and-miss, as three out of four packages are labeled as lib64..., but not librsvg-2.39.0-1.2.mga4, and rsvg-view is also missing here.

After installing nautilus, this one shows the miniatures for the svg files, so test OK. However dolphin does not do that, even after rebooting the PC.
Whiteboard: has_procedure MGA4-32-OK => has_procedure MGA4-32-OK MGA4-64 OK
Seems to be a little typo in the whiteboard.
Whiteboard: has_procedure MGA4-32-OK MGA4-64 OK => has_procedure MGA4-32-OK MGA4-64-OK
Advisory uploaded, validating. Please push to 4 core/updates.
Keywords: (none) => validated_update
Whiteboard: has_procedure MGA4-32-OK MGA4-64-OK => has_procedure MGA4-32-OK MGA4-64-OK advisory
CC: (none) => remi, sysadmin-bugs
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2015-0100.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED