Mageia Bugzilla – Bug 8624
inkscape new security issue CVE-2012-5656
Last modified: 2013-01-30 20:25:10 CET
Fedora has issued an advisory on December 19:
The issue was fixed upstream in 0.48.4 (which we have in Cauldron).
The upstream change to fix this is linked in the RedHat bug:
Created attachment 3338 [details]
inkscape -e xxe-inkscape.png xxe.svg
If we wanted to patch it, it's not as simple as rediffing the upstream change, as the code has changed quite a bit. We probably need to just upgrade it to 0.48.4.
Updated package uploaded for Mageia 2.
Updated inkscape package fixes security vulnerability:
An XML eXternal Entity (XXE) flaw was found in the way Inkscape before 0.48.4
performed rasterization of certain SVG images. A remote attacker could
provide a specially-crafted SVG image that, when opened in inkscape would
lead to arbitrary local file disclosure or denial of service (CVE-2012-5656).
Updated packages in core/updates_testing:
Testing complete mga2 64
Before, green square with /etc/passwd in it. After, green square without.
Testing complete mga2 32
Advisory & srpm in comment 3
Could sysadmin please push from core/updates_testing to core/updates
Ubuntu has issued an advisory today (January 30):
It fixes this issue as well as CVE-2012-6076.
According to Ubuntu, CVE-2012-6076 was also fixed in 0.48.4, so we're good.