openSUSE has issued an advisory on May 1: https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/HJTKYUPH7JWPY376WTC427MFFFZQ7U7L/ Mageia 7 is also affected.
Whiteboard: (none) => MGA7TOO
SUSE has issued an advisory on April 23: https://lists.suse.com/pipermail/sle-security-updates/2021-April/008674.html It appears to be a variation of the same thing for older versions.
Summary: librsvg new security issue CVE-2021-25900 => librsvg new security issue CVE-2018-20991 / CVE-2021-25900
If the issue is resolved in smallvec 0.6.1, then neither Mageia 8 nor Mageia 7 should be affected by this issue. SUSE just had outdated versions of librsvg.

Mageia 8 (librsvg 2.50.3):

[[package]]
name = "smallvec"
version = "1.6.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "fe0f37c9e8f3c5a4a66ad655a93c74daac4ad00c441533bf5c6e7990bb42604e"

Mageia 7 (librsvg :

[[package]]
name = "smallvec"
version = "0.6.6"
source = "registry+https://github.com/rust-lang/crates.io-index"
dependencies = [
 "unreachable 1.0.0 (registry+https://github.com/rust-lang/crates.io-index)",
]
CC: (none) => rverschelde
The openSUSE advisory was bogus, the CVE is clearer: https://nvd.nist.gov/vuln/detail/CVE-2021-25900

> An issue was discovered in the smallvec crate before 0.6.14 and 1.x before
> 1.6.1 for Rust. There is a heap-based buffer overflow in SmallVec::insert_many.

So only Mageia 7 is affected (0.6.3 < 0.6.6 < 0.6.14). Mageia 8 already has the fixed version.
Whiteboard: MGA7TOO => (none)
Source RPM: librsvg-2.50.2-2.mga8.src.rpm => librsvg-2.45.5-3.1.mga7.src.rpm
Version: 8 => 7
Thanks, I have no idea how you checked that. So only CVE-2021-25900 is relevant. CVE-2018-20991 was fixed before Mageia 7.
I checked the Cargo.lock file in the source tarball, which documents which versions of crates should be used. I made a tentative fix for Mageia 7 backporting the rust-smallvec patch to the vendored librsvg crate. I couldn't test locally as we don't have libcroco-0.6 on Cauldron anymore, and the buildsystem seems to have been stuck for 15 hours, so we'll know later if that worked :)
http://svnweb.mageia.org/packages?view=revision&revision=1729190
Assignee: bugsquad => rverschelde
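The check described in the two comments above (reading the Cargo.lock stanzas and comparing the vendored smallvec version against the NVD ranges for both CVEs), written out as an added example that is not part of the bug report or of the Mageia packaging. The Cargo.lock excerpt is constructed from the versions quoted in the thread, and plain numeric versions are assumed.

```python
import re
from typing import List, Tuple

# Constructed Cargo.lock excerpt, modelled on the two smallvec versions quoted in the bug.
SAMPLE_LOCK = """\
[[package]]
name = "librsvg"
version = "2.45.5"

[[package]]
name = "smallvec"
version = "0.6.6"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "smallvec"
version = "1.6.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
"""


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn "0.6.6" into (0, 6, 6); assumes plain numeric versions (no pre-release tags)."""
    return tuple(int(p) for p in v.split("."))


def smallvec_advisories(version: str) -> List[str]:
    """Return the CVEs a given smallvec version is still exposed to.

    Ranges are the ones quoted from NVD in the bug:
      CVE-2018-20991: before 0.6.3
      CVE-2021-25900: before 0.6.14, and 1.x before 1.6.1
    """
    v = parse_version(version)
    cves = []
    if v < (0, 6, 3):
        cves.append("CVE-2018-20991")
    if v < (0, 6, 14) or (v[0] == 1 and v < (1, 6, 1)):
        cves.append("CVE-2021-25900")
    return cves


def lock_packages(lock_text: str) -> List[Tuple[str, str]]:
    """Return (name, version) pairs for every [[package]] stanza in a Cargo.lock."""
    pkgs = []
    for stanza in lock_text.split("[[package]]")[1:]:
        name = re.search(r'^name = "([^"]+)"', stanza, re.M)
        ver = re.search(r'^version = "([^"]+)"', stanza, re.M)
        if name and ver:
            pkgs.append((name.group(1), ver.group(1)))
    return pkgs


def audit(lock_text: str) -> List[Tuple[str, List[str]]]:
    """List each vendored smallvec version with the CVEs it is still affected by."""
    return [(ver, smallvec_advisories(ver))
            for name, ver in lock_packages(lock_text) if name == "smallvec"]
```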
Confirmed that CVE-2018-20991 only affects smallvec < 0.6.3 so we're good. https://nvd.nist.gov/vuln/detail/CVE-2018-20991
Summary: librsvg new security issue CVE-2018-20991 / CVE-2021-25900 => librsvg new security issue CVE-2021-25900
Seems to have worked after a tweak to Cargo.toml. For interested packagers, when patching vendored Rust crates, you need to add a `[patch]` section in the main `Cargo.toml` to specify that a patched version is used (otherwise cargo will refuse to build the modified crate as its hash doesn't match what is expected from the original):
http://svnweb.mageia.org/packages/updates/7/librsvg/current/SOURCES/0001-smallvec-Include-fix-for-CVE-2021-25900.patch?view=markup&pathrev=1729265

Advisory:
=========

Updated librsvg packages fix security vulnerability

This update patches the vendored `smallvec` Rust crate in librsvg to fix a security vulnerability:

The Iterator implementation mishandles destructors, leading to a double free (CVE-2021-25900).

References:
- https://nvd.nist.gov/vuln/detail/CVE-2018-20991
- https://github.com/servo/rust-smallvec/commit/5757ac500d4e544485d796b542e4e589749c291b

SRPM in core/updates_testing:
=============================
librsvg-2.45.5-3.2.mga7

RPMs in core/updates_testing:
=============================
librsvg-2.45.5-3.2.mga7
lib64rsvg2_2-2.45.5-3.2.mga7
lib64rsvg2-devel-2.45.5-3.2.mga7
lib64rsvg-gir2.0-2.45.5-3.2.mga7
Assignee: rverschelde => qa-bugs
mga7, x64

No PoC evident so straight into updates.

$ rpm -qa | grep rsvg
lib64rsvg2_2-2.45.5-3.2.mga7
lib64rsvg-gir2.0-2.45.5-3.2.mga7
lib64rsvg2-devel-2.45.5-3.2.mga7
librsvg-2.45.5-3.2.mga7

Installed tuxpaint and played about with it. The image was saved in ~/.tuxpaint/saved/20210604182908.png

$ strace -o tuxpaint.trace tuxpaint
$ grep rsvg tuxpaint.trace
openat(AT_FDCWD, "/lib64/librsvg-2.so.2", O_RDONLY|O_CLOEXEC) = 3

Restarted tuxpaint; it showed the last newbie picture.

Launched mate-system-monitor under strace:
$ grep rsvg matemonitor | less
openat(AT_FDCWD, "/lib64/librsvg-2.so.2", O_RDONLY|O_CLOEXEC) = 3
....
read(13, "/librsvg-2.so.2.46.0 (deleted)\nS"..., 1024) = 1024
....
read(13, "ib64/librsvg-2.so.2.46.0\nSize: "..., 1024) = 1024

Other packages which use these libraries are vlc-plugin-common, pix, mate-panel, emacs, eom, ....

Tried out pix - an image viewer and video player - OK. Using emacs to write this report. eom works.
Whiteboard: (none) => MGA7-64-OK
CC: (none) => tarazed25
Validated. Advisory in Comment 7.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => advisory
CVE: (none) => CVE-2021-25900
CC: (none) => ouaurelien
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2021-0234.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED