oss-sec mailing list archives

Re: Re: CVE requests: DoS in librsvg parsing SVGs with circular definitions

From: Gustavo Grieco <gustavo.grieco () gmail com>
Date: Sun, 15 May 2016 09:05:03 +0200

2016-05-11 0:36 GMT+02:00 Brian May <brian () linuxpenguins xyz>:

Just did a git bisect against the source. Assuming I got this right, the
following commits fixed the issue.


Thanks for taking the time to do the git bisect!

They affect the following functions:

* rsvg_cairo_pop_discrete_layer - rsvg_cairo_pop_render_stack -
rsvg_cairo_generate_mask: reproducible using circular-1.svg


Use CVE-2016-4347.


Fixed in:

commit a51919f7e1ca9c535390a746fbf6e28c8402dc61
Author: Benjamin Otte <otte () redhat com>
Date:   Wed Oct 7 08:45:37 2015 +0200

    rsvg: Add rsvg_acquire_node()

    This function does proper recursion checks when looking up resources
    from URLs and thereby helps avoiding infinite loops when cyclic
    references span multiple types of elements.



I think CVE-2016-4347 and CVE-2015-7558 (stack exhaustion due to
cyclic dependency, reported here:
http://www.openwall.com/lists/oss-security/2015/12/21/5) are in fact,
the same issue. This is probably my fault (sorry!).

MITRE: We should reject the the newly assigned one?

Regards,
Gustavo.

Current thread:

CVE requests: DoS in librsvg parsing SVGs with circular definitions Gustavo Grieco (Apr 28)
- Re: CVE requests: DoS in librsvg parsing SVGs with circular definitions cve-assign (Apr 28)
  - Re: CVE requests: DoS in librsvg parsing SVGs with circular definitions Gustavo Grieco (Apr 30)
  - Re: Re: CVE requests: DoS in librsvg parsing SVGs with circular definitions Brian May (May 10)
    - Re: Re: CVE requests: DoS in librsvg parsing SVGs with circular definitions Gustavo Grieco (May 15)
    - Re: Re: CVE requests: DoS in librsvg parsing SVGs with circular definitions Adam Maris (Jun 06)
    - Re: CVE requests: DoS in librsvg parsing SVGs with circular definitions cve-assign (Jun 06)