Fedora has issued an advisory on March 23:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/5HDBMOMLE6GFKXPLKIWFWM2Q6V4DQKXP/

The issue is fixed upstream in 2.7.0:
https://github.com/Kozea/CairoSVG/security/advisories/GHSA-rwmf-w63j-p7gv

Mageia 8 is also affected.
Whiteboard: (none) => MGA8TOO
Status comment: (none) => Fixed upstream in 2.7.0
Suggested advisory:
========================

The updated packages fix a security vulnerability:

CairoSVG is an SVG converter based on Cairo, a 2D graphics library. Prior to version 2.7.0, Cairo can send requests to external hosts when processing SVG files. A malicious actor could send a specially crafted SVG file that allows them to perform a server-side request forgery or denial of service. Version 2.7.0 disables CairoSVG's ability to access other files online by default. (CVE-2023-27586)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-27586
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/5HDBMOMLE6GFKXPLKIWFWM2Q6V4DQKXP/
https://github.com/Kozea/CairoSVG/security/advisories/GHSA-rwmf-w63j-p7gv
========================

Updated packages in core/updates_testing:
========================
cairosvg-2.5.1-1.2.mga8
python3-cairosvg-2.5.1-1.2.mga8

from SRPM:
python-cairosvg-2.5.1-1.2.mga8.src.rpm
Status: NEW => ASSIGNED
Status comment: Fixed upstream in 2.7.0 => (none)
CVE: (none) => CVE-2023-27586
Whiteboard: MGA8TOO => (none)
CC: (none) => nicolas.salguero
Version: Cauldron => 8
Assignee: bugsquad => qa-bugs
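A defender-side pre-check for the behaviour the advisory describes: before an SVG is handed to a converter, list every reference that would make the converter reach outside the file (href/xlink:href, CSS url() and @import). This is an added example, not code from CairoSVG or from the Mageia package; the sample SVG and the example.com hosts in it are constructed.

```python
"""Pre-check an SVG for external resource references before converting it.
Added example (not CairoSVG code): CairoSVG before 2.7.0 fetched such
references by default, the SSRF/DoS path described in CVE-2023-27586."""
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# url(...) inside style attributes / <style> text, and CSS @import "..."
URL_RE = re.compile(r"""url\(\s*['"]?([^'")\s]+)""")
IMPORT_RE = re.compile(r"""@import\s+['"]([^'"]+)['"]""")


def is_external(ref):
    """A reference is local only if it is a fragment (#id) or a data: URI.
    Relative paths count as external: they read files outside the SVG."""
    ref = ref.strip()
    return not ref.startswith("#") and urlparse(ref).scheme.lower() != "data"


def find_external_refs(svg_text):
    """Return [(element, attribute, reference)] for every external reference."""
    root = ET.fromstring(svg_text)  # expat does not fetch external entities
    found = []
    for el in root.iter():
        tag = el.tag.split("}")[-1]            # strip namespace
        for attr, value in el.attrib.items():
            name = attr.split("}")[-1]         # href and xlink:href -> href
            refs = [value] if name == "href" else URL_RE.findall(value)
            found += [(tag, name, r.strip()) for r in refs if is_external(r)]
        if tag == "style" and el.text:
            css_refs = URL_RE.findall(el.text) + IMPORT_RE.findall(el.text)
            found += [(tag, "css", r.strip()) for r in css_refs if is_external(r)]
    return found


# Constructed sample: local fragment/data references beside three external ones.
SAMPLE_SVG = """<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" width="10" height="10">
  <style>@import "http://example.com/theme.css";</style>
  <defs><linearGradient id="g"/></defs>
  <rect width="10" height="10" fill="url(#g)"/>
  <use xlink:href="#g"/>
  <image href="data:image/png;base64,iVBORw0KGgo="/>
  <image xlink:href="http://example.com/logo.png"/>
  <rect style="fill:url(http://example.com/p.svg#pat)"/>
</svg>"""

if __name__ == "__main__":
    for hit in find_external_refs(SAMPLE_SVG):
        print("external reference:", hit)
```

A non-empty result is the signal to reject the file (or to convert it only with external fetching disabled, as 2.7.0 does by default).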
Mageia 8, x86_64

There are three possible exploits for this so it seemed worthwhile to follow them up.
https://github.com/Kozea/CairoSVG/security/advisories/GHSA-rwmf-w63j-p7gv

Created the three malicious SVG files and ran the server under python.

Before update:
$ python -m cairosvg cairosvg_exploit_dos.svg -f png
This hung, as expected, and had to be killed.
Ran the same command using the other two SVG PoC files and both crashed with a long string of errors.

Updated the two candidates and ran those tests again.
$ python -m cairosvg cairosvg_exploit_dos.svg -f png
�PNG � IHDR��>a�bKGD�������VIDATx���1 �Om ��o�>c�IEND�B`�
$ python -m cairosvg cairosvg_exploit_2.svg -f png
�PNG � IHDR��>a�bKGD�������VIDATx���1 �Om ��o�>c�IEND�B`�
$ python -m cairosvg cairosvg_exploit.svg -f png
�PNG � IHDR��>a�bKGD�������VIDATx���1 �Om ��o�>c�IEND�B`�
$

Looks like the vulnerabilities are being handled tidily.

Could not find anything that uses this module so used the test command against a stock image file to generate a PNG.
$ python -m cairosvg BenBois_Clock.svg -f png > BenBois_Clock.png
$ eom BenBois_Clock.png
showed a perfect copy of the original clock. This will have to do.
Whiteboard: (none) => MGA8-64-OK
CC: (none) => tarazed25
I believe you, Len :)
Keywords: (none) => validated_update
CC: (none) => fri, sysadmin-bugs
Keywords: (none) => advisory
CC: (none) => davidwhodgins
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2023-0126.html
Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED