SUSE has issued an advisory today (March 6): http://lists.suse.com/pipermail/sle-security-updates/2020-March/006583.html
No registered nor evident maintainer, so assigning globally.
Assignee: bugsquad => pkg-bugs
CC: (none) => fri
openSUSE has issued an advisory for this on March 15: https://lists.opensuse.org/opensuse-updates/2020-03/msg00080.html
Status comment: (none) => Fixed upstream in 2.46.2, patch available from openSUSE
Suggested advisory:
========================

The updated packages fix a security vulnerability:

In xml.rs in GNOME librsvg before 2.46.2, a crafted SVG file with nested patterns can cause denial of service when passed to the library for processing. The attacker constructs pattern elements so that the number of final rendered objects grows exponentially. (CVE-2019-20446)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20446
http://lists.suse.com/pipermail/sle-security-updates/2020-March/006583.html
https://lists.opensuse.org/opensuse-updates/2020-03/msg00080.html
========================

Updated packages in core/updates_testing:
========================
librsvg-2.45.5-3.1.mga7
lib(64)rsvg2_2-2.45.5-3.1.mga7
lib(64)rsvg2-devel-2.45.5-3.1.mga7
lib(64)rsvg-gir2.0-2.45.5-3.1.mga7

from SRPMS:
librsvg-2.45.5-3.1.mga7.src.rpm
CC: (none) => nicolas.salguero
Status comment: Fixed upstream in 2.46.2, patch available from openSUSE => (none)
CVE: (none) => CVE-2019-20446
Status: NEW => ASSIGNED
Assignee: pkg-bugs => qa-bugs
MGA7-64 Plasma on Lenovo B50
No installation issues.
Loaded svg image from https://dev.w3.org/SVG/tools/svgweb/samples/svg-files/
Ref bug 23206 for testing.
$ rsvg-view-3 tiger.svg
opens in small window, resizing it shows nice image.
Right click on the image and save as png. Resulting png displays OK in gwenview.
$ rsvg-convert -f pdf -h 720 -w 512 -b '#ebafdc' tiger.svg -o
$ rsvg-convert -f pdf -h 720 -w 720 -b '#ebafdc' tiger.svg -o tiger.pdf
Gives pdf file, looks good in Okular.
Whiteboard: (none) => MGA7-64-OK
CC: (none) => herman.viaene
Validating. Advisory in Comment 3.
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update
Adding the PoC test for what it is worth.
CVE-2019-20446
https://gitlab.gnome.org/GNOME/librsvg/issues/515

sample 1:
$ rsvg-convert -o foo.png nested-pattern-crash.svg
Hangs forever.

sample 2:
$ rsvg-convert -o poc.png deep.svg
Error reading SVG:XML parse error: Error domain 1 code 5 on line 5000023 column 1 of data: Extra content at the end of the document
<returns after several seconds>

After update:
$ rsvg-convert -o foo.png nested-pattern-crash.svg
Could not render file nested-pattern-crash.svg
<returned immediately>
$ rsvg-convert -o poc.png deep.svg
Error reading SVG:XML parse error: Error domain 1 code 5 on line 5000023 column 1 of data: Extra content at the end of the document
<returned almost immediately>

Good result.
CC: (none) => tarazed25
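Added example, not part of the bug thread and not librsvg's code or its 2.46.2 fix: a pre-screen for the nested-pattern growth described in the advisory above. It estimates how many objects an SVG draws once pattern paints are expanded, without rendering anything; the function names, the budget value and the sample SVG are assumptions made for illustration.

```python
import math
import re
import xml.etree.ElementTree as ET  # stdlib only; untrusted input usually goes through defusedxml

SVG = "{http://www.w3.org/2000/svg}"
URL_REF = re.compile(r"""url\(\s*['"]?#([^)'"\s]+)['"]?\s*\)""")
PAINT_ATTRS = ("fill", "stroke", "style")

# Constructed sample: three patterns, each painting two rects with the next one.
SAMPLE = """<svg xmlns="http://www.w3.org/2000/svg" width="8" height="8">
  <pattern id="p1" width="1" height="1">
    <rect width="1" height="1" fill="url(#p2)"/><rect width="1" height="1" fill="url(#p2)"/>
  </pattern>
  <pattern id="p2" width="1" height="1">
    <rect width="1" height="1" fill="url(#p3)"/><rect width="1" height="1" style="fill:url(#p3)"/>
  </pattern>
  <pattern id="p3" width="1" height="1">
    <rect width="1" height="1" fill="red"/><rect width="1" height="1" fill="red"/>
  </pattern>
  <rect width="8" height="8" fill="url(#p1)"/>
</svg>"""

def estimate_objects(svg_text):
    """Objects drawn after expanding pattern paints; math.inf on a cycle or excessive depth.
    Approximation: only fill/stroke/style url(#id) references are followed, not href inheritance."""
    root = ET.fromstring(svg_text)
    patterns = {p.get("id"): p for p in root.iter(SVG + "pattern") if p.get("id")}
    memo, active = {}, set()

    def cost(pid):  # objects drawn each time pattern `pid` is used as a paint
        if pid not in patterns:
            return 0
        if pid in active:
            raise ValueError("pattern reference cycle")
        if pid not in memo:  # memoised, so the estimate stays linear in file size
            active.add(pid)
            memo[pid] = sum(walk(child) for child in patterns[pid])
            active.discard(pid)
        return memo[pid]

    def walk(elem):  # pattern definitions draw nothing until they are referenced
        if elem.tag == SVG + "pattern":
            return 0
        refs = URL_REF.findall(" ".join(elem.get(a, "") for a in PAINT_ATTRS))
        return 1 + sum(cost(r) for r in refs) + sum(walk(c) for c in elem)

    try:
        return walk(root)
    except (ValueError, RecursionError):
        return math.inf

def exceeds_budget(svg_text, limit=10_000):
    return estimate_objects(svg_text) > limit
```

Each extra pattern level in the sample doubles the per-use cost (2, 6, 14), which is the growth the advisory describes; the memoised estimate stays cheap to compute even when the expanded count is enormous.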
CC: (none) => tmb
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2020-0159.html
Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED