Bug 28122 - python-cairosvg new security issue CVE-2021-21236
Summary: python-cairosvg new security issue CVE-2021-21236
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 7
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA7-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2021-01-16 16:13 CET by David Walser
Modified: 2021-03-21 11:45 CET
CC: 5 users

See Also:
Source RPM: python-cairosvg-2.5.0-1.mga8.src.rpm
CVE:
Status comment:


Attachments

Description David Walser 2021-01-16 16:13:57 CET
Fedora has issued an advisory today (January 16):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/ZYQNE2UJNCSEEEDLGJYUKRL2VS6EM36S/

Upstream advisory with the CVE from January 8:
https://github.com/advisories/GHSA-hq37-853p-g5cf

More info here:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-21236
https://ubuntu.com/security/CVE-2021-21236

The issue is fixed upstream in 2.5.1.

Mageia 7 is also affected.
David Walser 2021-01-16 16:14:16 CET

Whiteboard: (none) => MGA7TOO
Status comment: (none) => Fixed upstream in 2.5.1

Comment 1 Nicolas Lécureuil 2021-01-16 21:42:25 CET
Freeze push asked for cauldron.

CC: (none) => mageia

Comment 2 David Walser 2021-01-17 05:43:15 CET
python-cairosvg-2.5.1-1.mga8 uploaded for Cauldron.

Whiteboard: MGA7TOO => (none)
Version: Cauldron => 7

Comment 3 Aurelien Oudelet 2021-01-18 22:09:03 CET
Hi, thanks for reporting this.
As there is no maintainer for this package I added the committers in CC.

(Please set the status to 'assigned' if you are working on it)

CC: (none) => ouaurelien
Assignee: bugsquad => pkg-bugs

Nicolas Lécureuil 2021-03-11 17:15:10 CET

Assignee: pkg-bugs => qa-bugs
Status comment: Fixed upstream in 2.5.1 => (none)

Comment 4 Nicolas Lécureuil 2021-03-11 17:15:33 CET
fixed in mga7:

src:
   - python-cairosvg-2.2.1-1.1.mga7
Comment 5 David Walser 2021-03-12 20:42:45 CET
RPMs:
cairosvg-2.2.1-1.1.mga7
python3-cairosvg-2.2.1-1.1.mga7
Comment 6 Len Lawrence 2021-03-12 22:59:16 CET
mga7, x64

Installed the release version and dependencies.
  cairosvg-2.2.1-1.mga7.noarch

  python3-atomicwrites           1.3.0        1.mga7        noarch  
  python3-cairocffi              0.9.0        1.mga7        noarch  
  python3-cairosvg               2.2.1        1.mga7        noarch  
  python3-coverage               4.5.2        3.mga7        x86_64  
  python3-cssselect2             0.2.1        1.mga7        noarch  
  python3-defusedxml             0.5.0        5.mga7        noarch  
  python3-more-itertools         5.0.0        2.mga7        noarch  
  python3-pluggy                 0.9.0        1.mga7        noarch  
  python3-pytest                 4.4.1        1.mga7        noarch  
  python3-pytest-cov             2.6.1        1.mga7        noarch  
  python3-pytest-runner          4.2          1.mga7        noarch  
  python3-tinycss2               0.6.1        1.mga7        noarch  

Quick test:
$ cairosvg -f png -o clock.png BenBois_Clock.svg
$ display clock.png
That looks good.

Shall wait for more details before proceeding.

https://www.cvebase.com/cve/2021/21236
Exploits for CVE-2021-21236 are not publicly available.

Should be able to go ahead with functionality tests later after updating.

CC: (none) => tarazed25

Comment 7 Len Lawrence 2021-03-13 11:09:02 CET
Updated cairosvg:
- cairosvg-2.2.1-1.1.mga7.noarch
- python3-cairosvg-2.2.1-1.1.mga7.noarch

$ cairosvg -v
2.2.1
$ rm clock.png
$ cairosvg -f png -o clock.png BenBois_Clock.svg
$ display clock.png
$ identify BenBois_Clock.svg 
BenBois_Clock.svg SVG 410x416 410x416+0+0 16-bit sRGB 56381B 0.000u 0:00.116
$ cairosvg -f pdf -s 2.0 -o clock.pdf BenBois_Clock.svg
$ xpdf clock.pdf
An enlarged image was displayed in a single page PDF.

$ cairosvg -f svg --output-width 800 -o clock.svg BenBois_Clock.svg
That displayed as a circular clock-face approximately double the size of the original.
$ cairosvg -f svg --output-width 800 --output-height 600 -o squashed_clock.svg BenBois_Clock.svg
Displayed as a circular clockface with the bottom quarter clipped.
$ xdpyinfo | grep resolution
  resolution:    162x161 dots per inch
$ cairosvg -f ps -d 81 -o bigclock.ps BenBois_Clock.svg
$ gs bigclock.ps
That displayed an enlarged version of the original image, close to double-size in both dimensions.

Working as designed.
Needs an advisory - can be copied from the CVE link I would guess.
Comment 8 Len Lawrence 2021-03-13 11:25:09 CET
Addendum to comment 7.
$ strace -o cairo.trace cairosvg -f ps -d 81 -o bigclock.ps BenBois_Clock.svg
$ grep cairo cairo.trace | grep python
....
stat("/usr/lib/python3.7/site-packages/cairosvg/__main__.py", {st_mode=S_IFREG|0644, st_size=3199, ...}) = 0
openat(AT_FDCWD, "/usr/lib/python3.7/site-packages/cairosvg/__pycache__/__main__.cpython-37.pyc", O_RDONLY|O_CLOEXEC) = 3

BenBois_clock.svg is available from Wikimedia Commons.
Comment 9 David Walser 2021-03-14 15:45:52 CET
Advisory:
========================

Updated python-cairosvg packages fix security vulnerability:

When processing SVG files, the python package CairoSVG uses two regular
expressions which are vulnerable to Regular Expression Denial of Service
(REDoS). If an attacker provides a malicious SVG, it can make cairosvg get
stuck processing the file for a very long time (CVE-2021-21236).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-21236
https://github.com/advisories/GHSA-hq37-853p-g5cf
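As an added illustration of the failure mode the advisory above describes (not code from this bug report, from Mageia, or from the CairoSVG project), the following Python script shows catastrophic backtracking on a constructed, textbook nested-quantifier pattern and one mitigation a deployment can apply while a fixed package is pending: run the matching step (or the whole SVG conversion) in a worker process that is killed when it exceeds a time budget. The patterns `PATHOLOGICAL` and `LINEAR`, the sample input, and the helper names are assumptions for the demonstration; they are not CairoSVG's own regular expressions.

```python
import multiprocessing as mp
import re

# Prefer fork so the worker can run the module-level function below without
# re-importing this module; fall back to the platform default elsewhere.
try:
    CTX = mp.get_context("fork")
except ValueError:
    CTX = mp.get_context()

# Constructed textbook example of catastrophic backtracking: the nested
# quantifier makes inputs that almost match ("aaaa...!") cost about 2^n steps.
# This is NOT one of CairoSVG's regexes; it only illustrates the failure mode.
PATHOLOGICAL = re.compile(r"^(a+)+$")
# Same language, a single quantifier, linear time: the shape of a typical fix.
LINEAR = re.compile(r"^a+$")


def _worker(pattern, text, conn):
    """Runs in the child process; reports whether the pattern fully matches."""
    conn.send(pattern.match(text) is not None)
    conn.close()


def match_with_timeout(pattern, text, timeout):
    """Match `text` against `pattern` in a separate process.

    Returns True/False for a completed match, or None if the worker exceeded
    `timeout` seconds and was killed. A separate process is needed because
    Python-level signal handlers (signal.alarm, Ctrl-C) do not run while the
    C regex engine is busy, so an in-process timeout would never fire.
    """
    parent_conn, child_conn = CTX.Pipe(duplex=False)  # (reader, writer)
    proc = CTX.Process(target=_worker, args=(pattern, text, child_conn))
    proc.start()
    child_conn.close()  # the parent only reads
    proc.join(timeout)
    if proc.is_alive():
        proc.terminate()
        proc.join()
        return None
    return parent_conn.recv() if parent_conn.poll() else None


def demo():
    """Constructed input: 40 'a's followed by '!' so the match almost succeeds."""
    bad_input = "a" * 40 + "!"
    return {
        "linear": match_with_timeout(LINEAR, bad_input, 2.0),             # False
        "pathological": match_with_timeout(PATHOLOGICAL, bad_input, 1.0),  # None
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {'timed out (killed)' if result is None else result}")
```

The linear pattern rejects the input immediately, while the nested-quantifier pattern is still backtracking when the one-second budget expires and the worker is terminated. The time limit is a containment measure only: it caps how long one malicious SVG can occupy a worker, but the actual fix is the patched package (2.5.1 upstream, 2.2.1-1.1.mga7 here), which removes the backtracking pattern rather than bounding it.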
Len Lawrence 2021-03-19 09:17:42 CET

Whiteboard: (none) => MGA7-64-OK

Comment 10 Thomas Andrews 2021-03-19 15:36:03 CET
Validating. Advisory in Comment 9.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Thomas Backlund 2021-03-21 10:46:11 CET

Keywords: (none) => advisory

Comment 11 Mageia Robot 2021-03-21 11:45:34 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0149.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED

