Re: CVE requests: DoS in librsvg parsing SVGs with circular definitions

[Gustavo Grieco <gustavo.grieco () gmail com>]

2016-04-28 18:46 GMT+02:00 <cve-assign () mitre org>:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> > Two DoS in librsvg 2.40.2 parsing SVGs with circular definitions were
> found
> > (they will produce stack exhaustion). Other versions can be vulnerable
> too.
>
> > these issues are solved in the last git revision of librsvg2
>
> Probably the best we can reasonably do here is assign separate CVE IDs
> to the separate reproducers. Are there any other details that might
> enable a wider set of readers to use your report for risk management?


This version of librsvg is still deployed in Ubuntu (trusty) and Debian
(wheezy). Imagemagick is using librsvg2 so a vulnerability there can affect
even when you receive an untrusted image.  Also, Evolution was rendering
SVG attached images:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=361540

(this bug is quite old and it is fixed, hopefully Evolution is not
rendering SVG images using librsvg now)



> 2.40.2 is apparently a version from late 2013. Is this related to
>
> https://git.gnome.org/browse/librsvg/commit/?id=8ee18b22ece0f869cb4e2e021c01138cbb8a0226
> (from 2015-02-06): "If a chain of paint servers, defined through the
> xlink:href attribute, has a cycle, then we would loop infinitely"?

Most likely yes. It is also related with CVE-2015-7558, which was fixed
here:

https://git.gnome.org/browse/librsvg/commit/?id=a51919f7e1ca9c535390a746fbf6e28c8402dc61

The only way to know for sure is to use git-bisect. I can only advise to
upgrade to 2.40.15 where all these issues are solved.


> > They affect the following functions:
>
> > * rsvg_cairo_pop_discrete_layer - rsvg_cairo_pop_render_stack -
> > rsvg_cairo_generate_mask: reproducible using circular-1.svg
>
> Use CVE-2016-4347.
>
>
> > * _rsvg_css_normalize_font_size: reproducible using circular-2.svg
>
> Use CVE-2016-4348.
>
> - --
> CVE Assignment Team
> M/S M300, 202 Burlington Road, Bedford, MA 01730 USA
> [ A PGP key is available for encrypted communications at
>   http://cve.mitre.org/cve/request_id.html ]
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1
>
> iQIcBAEBCAAGBQJXIj3tAAoJEHb/MwWLVhi28asP/ind5vax8Ln+o2RusWj8E+LS
> Q/R1pAJgj20Duo6s23zx/iWicsyTudMMdeBQwhnpPbnDOvUtVUqn5jjtD2xTZkBG
> zKdKNw3QpJYYC4BSaNp3r+VVEuIlWiNlXYfmWu8hThzgRJL8HjQhQd9sE/WcA6xo
> XX5639p6TRA5leTIXPWHaQ8HxB/9cSufkTZ2nH4WTBJcwh45iKVczsPAh1nuabnF
> FmghWc83c9woO4ImKdDa+/wF/yaO2asrztAedtxCNDQQZTxZRtU7e/IcIbdW9VNU
> VM41OImZG8k8JzO0r7/Bg2XnRuVUvoJdK0pRNnS0LPfzDX38HCWlKZnKKFJkZjTT
> vQ+sErtM+I33NR+hc4o2wsMnzL8L0oln4q1zYepu0SLZaPTwDN6L6X/Gz1gKL4Zi
> Uxowp0OF+8nknnVlhnySHcOGr5tfjT+Q1RdtUmZie0vW+5m9iPubBUHFBLuC6GYF
> 5rp4JqaDFxHUVwX+gXz+jT8+O489ASVlb6NS2bPoC2K/aUl6MYcQygeIZky0GfdP
> 9OKoYWrUq2JUkzQMhI9FML0F64Pt4blZksSQ5tHa24xxMCRl/nkR4OEPIg/eMW1f
> D6hr+/mR9saLzv8pao0Qf+k+Kuig2R+7F8be673J8QXcowJX5/tHYQWbS7Ai0CAI
> v7jIqoYfMx9CP7ccozvg
> =hvLp
> -----END PGP SIGNATURE-----