Bug 17378 - librsvg new security issues CVE-2015-7557 and CVE-2015-7558
Summary: librsvg new security issues CVE-2015-7557 and CVE-2015-7558
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 5
Hardware: i586 Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/672076/
Whiteboard: MGA5-64-OK advisory
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2015-12-21 21:30 CET by David Walser
Modified: 2016-05-11 17:54 CEST (History)

See Also:
Source RPM: librsvg-2.40.7-2.mga5.src.rpm
CVE:
Status comment:



Description David Walser 2015-12-21 21:30:00 CET
Two security issues fixed in librsvg 2.40.12 were announced today (December 21):
http://openwall.com/lists/oss-security/2015/12/21/5

The upstream commit to fix the issues is also linked in the message above.

Comment 1 David Walser 2016-01-12 19:16:03 CET
Updated package uploaded for Mageia 5.

Advisory:
========================

Updated librsvg packages fix security vulnerabilities:

An out-of-bounds heap read was found in librsvg2 when parsing an SVG file
(CVE-2015-7557).

Stack exhaustion due to a cyclic dependency, causing an application to crash,
was found in librsvg2 while parsing an SVG file (CVE-2015-7558).

The librsvg package has been updated to version 2.40.13, fixing these issues
and several other bugs.  See the upstream NEWS file for details.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7557
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7558
https://git.gnome.org/browse/librsvg/tree/NEWS?id=a12e7b90e7b9fa6a6a325f39fb409722b06a6735
http://openwall.com/lists/oss-security/2015/12/21/5
========================

Updated packages in core/updates_testing:
========================
librsvg-2.40.13-1.mga5
librsvg2_2-2.40.13-1.mga5
librsvg2-devel-2.40.13-1.mga5
librsvg-gir2.0-2.40.13-1.mga5

from librsvg-2.40.13-1.mga5.src.rpm

Assignee: olav => qa-bugs
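
An added example, not part of this bug report or of librsvg: a Python pre-check that a consumer can run on untrusted SVG input to reject files whose id references form a cycle before handing them to a renderer, which addresses the cyclic-dependency class behind CVE-2015-7558. It assumes the cycle is expressed through `href`/`xlink:href` fragment references (as used by `<use>`); the report does not name the element involved, and the sample SVGs are constructed for illustration.

```python
import xml.etree.ElementTree as ET

XLINK_HREF = "{http://www.w3.org/1999/xlink}href"

def reference_graph(svg_text):
    """Map each element id to the ids referenced (via href="#id") by that
    element or any of its descendants, since instantiating an element by
    reference instantiates its whole subtree."""
    root = ET.fromstring(svg_text)
    graph = {}

    def walk(elem, owners):
        elem_id = elem.get("id")
        if elem_id is not None:
            graph.setdefault(elem_id, set())
            owners = owners + [elem_id]
        target = elem.get("href") or elem.get(XLINK_HREF)
        if target and target.startswith("#"):
            for owner in owners:
                graph.setdefault(owner, set()).add(target[1:])
        for child in elem:
            walk(child, owners)

    walk(root, [])
    return graph

def find_reference_cycle(graph):
    """Iterative DFS (no recursion, so the checker itself cannot be
    exhausted); returns the first cycle as a list of ids, else None."""
    WHITE, GREY, BLACK = 0, 1, 2
    color = {node: WHITE for node in graph}
    for start in graph:
        if color[start] != WHITE:
            continue
        color[start] = GREY
        path, iters = [start], [iter(sorted(graph[start]))]
        while path:
            nxt = next(iters[-1], None)
            if nxt is None:
                color[path.pop()] = BLACK
                iters.pop()
            elif nxt not in graph:
                continue                     # dangling reference, nothing to expand
            elif color[nxt] == GREY:
                return path[path.index(nxt):] + [nxt]
            elif color[nxt] == WHITE:
                color[nxt] = GREY
                path.append(nxt)
                iters.append(iter(sorted(graph[nxt])))
    return None

# Constructed samples: two groups that reference each other, and a benign file.
CYCLIC_SVG = """<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
  <defs><g id="a"><use xlink:href="#b"/></g><g id="b"><use xlink:href="#a"/></g></defs>
  <use xlink:href="#a"/></svg>"""
SAFE_SVG = """<svg xmlns="http://www.w3.org/2000/svg">
  <defs><circle id="dot" r="2"/></defs><use href="#dot" x="10"/></svg>"""
```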

Comment 2 Lewis Smith 2016-01-13 20:52:26 CET
Testing x64, with the update:
 librsvg-2.40.13-1.mga5
 lib64rsvg2_2-2.40.13-1.mga5
Tried various applications cited from # urpmq --whatrequires lib64rsvg2_2
 AbiWord: Able to import some SVG files, but not exotic 'active' ones.
 Eye of Gnome (eog): opened all SVG samples correctly.
 ImageMagick (display): same.
 xboard: worked OK, significance doubtful.
Some applications allegedly requiring these libraries did not seem to want to know about SVG at all, for which I do not blame the libraries, e.g. TuxPaint, Darktable.
Since nothing untoward happened, this update seems OK.

CC: (none) => lewyssmith
Whiteboard: (none) => MGA5-64-OK

Dave Hodgins 2016-01-14 04:36:12 CET

Keywords: (none) => validated_update
Whiteboard: MGA5-64-OK => MGA5-64-OK advisory
CC: (none) => davidwhodgins, sysadmin-bugs

Comment 3 Mageia Robot 2016-01-15 02:53:23 CET
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2016-0021.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

David Walser 2016-01-15 19:57:01 CET

URL: (none) => http://lwn.net/Vulnerabilities/672076/

Comment 4 David Walser 2016-05-11 17:54:15 CEST
CVE-2016-4347 and CVE-2016-4348 were also fixed by this update (fixed in 2.40.12):
http://openwall.com/lists/oss-security/2016/05/10/15

The commits were actually on October 22.
