Bug 8624 - inkscape new security issue CVE-2012-5656
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 2
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact:
URL: http://lwn.net/Vulnerabilities/531755/
Whiteboard: has_procedure mga2-64-OK mga2-32-OK
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2013-01-07 21:26 CET by David Walser
Modified: 2013-01-30 20:25 CET

See Also:
Source RPM: inkscape-0.48.3.1-1.mga2.src.rpm
CVE:
Status comment:


Attachments
PoC (623 bytes, image/svg+xml)
2013-01-08 12:08 CET, claire robinson

Description David Walser 2013-01-07 21:26:25 CET
Fedora has issued an advisory on December 19:
http://lists.fedoraproject.org/pipermail/package-announce/2013-January/095380.html

The issue was fixed upstream in 0.48.4 (which we have in Cauldron).

The upstream change to fix this is linked in the RedHat bug:
https://bugzilla.redhat.com/show_bug.cgi?id=888249
David Walser 2013-01-07 21:26:31 CET

CC: (none) => fundawang

Comment 1 claire robinson 2013-01-08 12:08:30 CET
Created attachment 3338
PoC

From https://bugs.launchpad.net/inkscape/+bug/1025185

inkscape -e xxe-inkscape.png xxe.svg
claire robinson 2013-01-08 12:12:49 CET

Whiteboard: (none) => has_procedure

Comment 2 David Walser 2013-01-10 19:47:23 CET
If we wanted to patch it, it's not as simple as rediffing the upstream change, as the code has changed quite a bit.  We probably need to just upgrade it to 0.48.4.
Comment 3 David Walser 2013-01-10 22:21:46 CET
Updated package uploaded for Mageia 2.

Advisory:
========================

Updated inkscape package fixes security vulnerability:

An XML eXternal Entity (XXE) flaw was found in the way Inkscape before 0.48.4
performed rasterization of certain SVG images. A remote attacker could
provide a specially-crafted SVG image that, when opened in inkscape would
lead to arbitrary local file disclosure or denial of service (CVE-2012-5656).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5656
http://lists.fedoraproject.org/pipermail/package-announce/2013-January/095380.html
========================

Updated packages in core/updates_testing:
========================
inkscape-0.48.4-1.mga2

from inkscape-0.48.4-1.mga2.src.rpm

Assignee: fundawang => qa-bugs
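
The advisory in comment 3 describes an external-entity flaw in SVG rasterization. As an added example (not part of this bug report, and not Inkscape or Mageia code), here is a pre-flight check that lists external entity declarations in an SVG's DTD before the file reaches a rasterizer. The function names, the reject policy and both sample documents are constructed for illustration.

```python
import xml.parsers.expat as expat

class _RootReached(Exception):
    """Stops the parse at the root element; the DTD always precedes it."""

def external_entities(svg_bytes):
    """Return (name, system_id) for every entity declared with an external
    identifier. Nothing is fetched or expanded: only declarations are read."""
    found = []
    parser = expat.ParserCreate()
    # Do not load the external DTD subset or external parameter entities.
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def on_entity_decl(name, is_param, value, base, system_id, public_id, notation):
        # Internal entities carry a literal value; external ones carry an id.
        if system_id is not None or public_id is not None:
            found.append((name, system_id))

    def on_start_element(name, attrs):
        raise _RootReached  # body content is never parsed

    parser.EntityDeclHandler = on_entity_decl
    parser.StartElementHandler = on_start_element
    try:
        parser.Parse(svg_bytes, True)
    except _RootReached:
        pass
    return found

def safe_to_rasterize(svg_bytes):
    """Policy (assumed): reject malformed XML and any external entity."""
    try:
        return not external_entities(svg_bytes)
    except expat.ExpatError:
        return False

# Constructed sample inputs, not taken from the attachment on this bug.
FLAGGED = b"""<?xml version="1.0"?>
<!DOCTYPE svg [ <!ENTITY ext SYSTEM "file:///placeholder/path"> ]>
<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10"/>"""
CLEAN = b"""<?xml version="1.0"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN"
  "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10"/>"""

if __name__ == "__main__":
    for label, doc in (("flagged", FLAGGED), ("clean", CLEAN)):
        print(label, external_entities(doc), safe_to_rasterize(doc))
```

This only screens input; the fix recorded on this bug remains the update to 0.48.4.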

Comment 4 claire robinson 2013-01-11 13:48:50 CET
Testing complete mga2 64

Before, green square with /etc/passwd in it. After, green square without.

Whiteboard: has_procedure => has_procedure mga2-64-OK

Comment 5 claire robinson 2013-01-11 13:55:36 CET
Testing complete mga2 32

Validating

Advisory & srpm in comment 3

Could sysadmin please push from core/updates_testing to core/updates

Thanks!

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Hardware: i586 => All
Whiteboard: has_procedure mga2-64-OK => has_procedure mga2-64-OK mga2-32-OK

Comment 6 Thomas Backlund 2013-01-14 22:29:00 CET
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0006

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED

Comment 7 David Walser 2013-01-30 20:25:10 CET
Ubuntu has issued an advisory today (January 30):
http://www.ubuntu.com/usn/usn-1712-1/

It fixes this issue as well as CVE-2012-6076.

According to Ubuntu, CVE-2012-6076 was also fixed in 0.48.4, so we're good.

from http://lwn.net/Vulnerabilities/535218/
