Upstream has released version 2.40.18 on July 20, fixing a security issue:
https://mail.gnome.org/archives/ftp-release-list/2017-July/msg00078.html
Fedora has issued an advisory for this on July 24:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/HCJYK3EMB77XGUI2Y3UG6ECQX7YUBE4P/
Mageia 5 is also affected.
Whiteboard: (none) => MGA5TOO
Assigning to the registered maintainer.
CC: (none) => marja11
Assignee: bugsquad => lists.jjorge
Updated packages uploaded for Mageia 5 and Mageia 6.
Advisory:
========================
Updated librsvg packages fix security vulnerability:
Division-by-zero in the Gaussian blur code (CVE-2017-11464).
References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11464
https://mail.gnome.org/archives/ftp-release-list/2017-July/msg00078.html
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/HCJYK3EMB77XGUI2Y3UG6ECQX7YUBE4P/
========================
Updated packages in core/updates_testing:
========================
librsvg-2.40.18-1.mga5
librsvg2_2-2.40.18-1.mga5
librsvg2-devel-2.40.18-1.mga5
librsvg-gir2.0-2.40.18-1.mga5
librsvg-2.40.18-1.mga6
librsvg2_2-2.40.18-1.mga6
librsvg2-devel-2.40.18-1.mga6
librsvg-gir2.0-2.40.18-1.mga6
from SRPMS:
librsvg-2.40.18-1.mga5.src.rpm
librsvg-2.40.18-1.mga6.src.rpm
Assignee: lists.jjorge => qa-bugs
Sadly the GNOME bug report is still flagged as restricted, so we can't check if there's a PoC to test against the update candidate.
Doing basic regression testing thanks to the two utility binaries shipping in the main librsvg package:
/usr/bin/rsvg-convert
/usr/bin/rsvg-view-3
If you don't have SVGs to test with, you can download the Mageia logo: http://www.mageia.org/en/about/media/
$ rsvg-convert -f pdf -w 2400 -h 800 -b "#abcdef" mageia-2013.svg -o mageia-2013.pdf
Gives me, as expected, a 2400x800 PDF of the Mageia logo with a teal background color.
$ rsvg-view-3 -w 2400 -h 800 -b "#abcdef" Mageia/ToSort/mageia-2013.svg
Allows previewing the same result as above. The window it spawns is ridiculously small though; you need to expand it to see the logo.
Whiteboard: MGA5TOO => has_procedure MGA5TOO MGA6-64-OK
Whiteboard: has_procedure MGA5TOO MGA6-64-OK => advisory has_procedure MGA5TOO MGA6-64-OK
$ uname -a
Linux localhost 4.4.79-desktop-1.mga5 #1 SMP Fri Jul 28 02:50:06 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
$ rsvg-convert -v
rsvg-convert version 2.40.18
$ rsvg-convert -f pdf -w 2400 -h 800 -b "#abcdef" mageia-2013.svg -o mageia-2013.pdf
[brian@localhost Downloads]$ ls -ltr
total 16576
-rw-rw-r-- 1 brian brian 25217 Aug 5 18:16 mageia-2013.svg
-rw-r--r-- 1 brian brian 2649 Aug 5 18:17 mageia-2013.pdf
[brian@localhost Downloads]$ evince mageia-2013.pdf
it displays the logo properly
The rsvg-view-3 worked as well
$ rsvg-view-3 -v
** Message: rsvg-view version 2.40.18
Whiteboard: advisory has_procedure MGA5TOO MGA6-64-OK => advisory has_procedure MGA5TOO MGA6-64-OK mga5-64-ok
CC: (none) => brtians1
$ uname -a
Linux localhost 4.4.74-desktop-1.mga5 #1 SMP Mon Jun 26 08:33:18 UTC 2017 i686 i686 i686 GNU/Linux
$ rsvg-convert -v
rsvg-convert version 2.40.18
$ rsvg-convert -f pdf -w 2400 -h 800 -b "#abcdef" mageia-2013.svg -o mageia-2013.pdf
$ evince mageia-2013.pdf
it displays properly
$ rsvg-view-3 -b "#abcdef" mageia-2013.svg
that displays as well, you do have to expand the window
$ rsvg-view-3 -v
** Message: rsvg-view version 2.40.18
works on 32 bit as well
Whiteboard: advisory has_procedure MGA5TOO MGA6-64-OK mga5-64-ok => advisory has_procedure MGA5TOO MGA6-64-OK mga5-64-ok mga5-32-ok
Whiteboard: advisory has_procedure MGA5TOO MGA6-64-OK mga5-64-ok mga5-32-ok => advisory has_procedure MGA5TOO MGA6-64-OK mga5-64-ok mga5-32-ok mga6-32-ok
Keywords: (none) => validated_update
CC: (none) => nathan95, sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGASA-2017-0247.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED