Two security issues fixed in librsvg 2.40.12 were announced today (December 21): http://openwall.com/lists/oss-security/2015/12/21/5 The upstream commit to fix the issues is also linked in the message above. Reproducible: Steps to Reproduce:
Updated package uploaded for Mageia 5. Advisory: ======================== Updated librsvg packages fix security vulnerabilities: Out-of-bounds heap read in librsvg2 was found when parsing SVG file (CVE-2015-7557). Stack exhaustion due to cyclic dependency causing to crash an application was found in librsvg2 while parsing SVG file (CVE-2015-7558). The librsvg package has been updated to version 2.40.13, fixing these issues and several other bugs. See the upstream NEWS file for details. References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7557 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7558 https://git.gnome.org/browse/librsvg/tree/NEWS?id=a12e7b90e7b9fa6a6a325f39fb409722b06a6735 http://openwall.com/lists/oss-security/2015/12/21/5 ======================== Updated packages in core/updates_testing: ======================== librsvg-2.40.13-1.mga5 librsvg2_2-2.40.13-1.mga5 librsvg2-devel-2.40.13-1.mga5 librsvg-gir2.0-2.40.13-1.mga5 from librsvg-2.40.13-1.mga5.src.rpm
Assignee: olav => qa-bugs
Testing x64, with the update: librsvg-2.40.13-1.mga5 lib64rsvg2_2-2.40.13-1.mga5 Tried various applications cited from # urpmq --whatrequires lib64rsvg2_2 AbiWord: Able to import some SVG files, but not exotic 'active' ones. Eye of Gnome (eog): opened all SVG samples correctly. ImageMagic (display): same. xboard: worked OK, significance doubtful. Some applications allegedly requiring these libraries did not seem to want to know about SVG at all, for which I do not blame the libraries. e.g. TuxPaint, Darktable. Since nothing untoward happened, this update seems OK.
CC: (none) => lewyssmithWhiteboard: (none) => MGA5-64-OK
Keywords: (none) => validated_updateWhiteboard: MGA5-64-OK => MGA5-64-OK advisoryCC: (none) => davidwhodgins, sysadmin-bugs
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2016-0021.html
Status: NEW => RESOLVEDResolution: (none) => FIXED
URL: (none) => http://lwn.net/Vulnerabilities/672076/
CVE-2016-4347 and CVE-2016-4348 were also fixed by this update (fixed in 2.40.12): http://openwall.com/lists/oss-security/2016/05/10/15 The commits were actually on October 22.