Fedora has issued an advisory today (January 16): https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/ZYQNE2UJNCSEEEDLGJYUKRL2VS6EM36S/ Upstream advisory with the CVE from January 8: https://github.com/advisories/GHSA-hq37-853p-g5cf More info here: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-21236 https://ubuntu.com/security/CVE-2021-21236 The issue is fixed upstream in 2.5.1. Mageia 7 is also affected.
Whiteboard: (none) => MGA7TOOStatus comment: (none) => Fixed upstream in 2.5.1
Freeze push asked for cauldron.
CC: (none) => mageia
python-cairosvg-2.5.1-1.mga8 uploaded for Cauldron.
Whiteboard: MGA7TOO => (none)Version: Cauldron => 7
Hi, thanks for reporting this. As there is no maintainer for this package I added the committers in CC. (Please set the status to 'assigned' if you are working on it)
CC: (none) => ouaurelienAssignee: bugsquad => pkg-bugs
Assignee: pkg-bugs => qa-bugsStatus comment: Fixed upstream in 2.5.1 => (none)
fixed in mga7: src: - python-cairosvg-2.2.1-1.1.mga7
RPMs: cairosvg-2.2.1-1.1.mga7 python3-cairosvg-2.2.1-1.1.mga7
mga7, x64 Installed the release version and dependencies. cairosvg-2.2.1-1.mga7.noarch python3-atomicwrites 1.3.0 1.mga7 noarch python3-cairocffi 0.9.0 1.mga7 noarch python3-cairosvg 2.2.1 1.mga7 noarch python3-coverage 4.5.2 3.mga7 x86_64 python3-cssselect2 0.2.1 1.mga7 noarch python3-defusedxml 0.5.0 5.mga7 noarch python3-more-itertools 5.0.0 2.mga7 noarch python3-pluggy 0.9.0 1.mga7 noarch python3-pytest 4.4.1 1.mga7 noarch python3-pytest-cov 2.6.1 1.mga7 noarch python3-pytest-runner 4.2 1.mga7 noarch python3-tinycss2 0.6.1 1.mga7 noarch Quick test: $ cairosvg -f png -o clock.png BenBois_Clock.svg $ display clock.png That looks good. Shall wait for more details before proceeding. https://www.cvebase.com/cve/2021/21236 Exploits for CVE-2021-21236 are not publicly available. Should be able to go ahead with functionality tests later after updating.
CC: (none) => tarazed25
Updated cairosvg: - cairosvg-2.2.1-1.1.mga7.noarch - python3-cairosvg-2.2.1-1.1.mga7.noarch $ cairosvg -v 2.2.1 $ rm clock.png $ cairosvg -f png -o clock.png BenBois_Clock.svg $ display clock.png $ identify BenBois_Clock.svg BenBois_Clock.svg SVG 410x416 410x416+0+0 16-bit sRGB 56381B 0.000u 0:00.116 $ cairosvg -f pdf -s 2.0 -o clock.pdf BenBois_Clock.svg $ xpdf clock.pdf An enlarged image was displayed in a single page PDF. $ cairosvg -f svg --output-width 800 -o clock.svg BenBois_Clock.svg That displayed as a circular clock-face approximately double the size of the original. $ cairosvg -f svg --output-width 800 --output-height 600 -o squashed_clock.svg BenBois_Clock.svg Displayed as a circular clockface with the bottom quarter clipped. $ xdpyinfo | grep resolution resolution: 162x161 dots per inch $ cairosvg -f ps -d 81 -o bigclock.ps BenBois_Clock.svg $ gs bigclock.ps That displayed an enlarged version of the original image, close to double-size in both dimensions. Working as designed. Needs an advisory - can be copied from the CVE link I would guess.
Addendum to comment 7. $ strace -o cairo.trace cairosvg -f ps -d 81 -o bigclock.ps BenBois_Clock.svg $ grep cairo cairo.trace | grep python .... stat("/usr/lib/python3.7/site-packages/cairosvg/__main__.py", {st_mode=S_IFREG|0644, st_size=3199, ...}) = 0 openat(AT_FDCWD, "/usr/lib/python3.7/site-packages/cairosvg/__pycache__/__main__.cpython-37.pyc", O_RDONLY|O_CLOEXEC) = 3 BenBois_clock.svg is available from Wikimedia Commons.
Advisory: ======================== Updated python-cairosvg packages fix security vulnerability: When processing SVG files, the python package CairoSVG uses two regular expressions which are vulnerable to Regular Expression Denial of Service (REDoS). If an attacker provides a malicious SVG, it can make cairosvg get stuck processing the file for a very long time (CVE-2021-21236). References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-21236 https://github.com/advisories/GHSA-hq37-853p-g5cf
Whiteboard: (none) => MGA7-64-OK
Validating. Advisory in Comment 9.
Keywords: (none) => validated_updateCC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2021-0149.html
Resolution: (none) => FIXEDStatus: NEW => RESOLVED