oss-sec mailing list archives
Re: Browsing and attaching images considered harmful in Linux
From: Salvatore Bonaccorso <carnil () debian org>
Date: Wed, 6 Jul 2016 11:01:13 +0200
Hi

On Mon, Jul 04, 2016 at 09:13:05PM +0200, Gustavo Grieco wrote:
> Fortunately, this issue is already solved in the last revision of librsvg2 (AFAIK, this issue has no CVE, so please MITRE assign one if suitable). Nevertheless, I reported such vulnerability to Mozilla more than a month ago hoping that they will disable the svg support in the open/attach widget. After some discussion, it was marked as WONTFIX. While I understand why, I still feel it can be productive to discuss this here.

If I correctly bisected with the reproducer, then the fix should be around https://git.gnome.org/browse/librsvg/commit/?id=0035e95118a60c0cd3949c2300472d805e16a022 (2.40.7). If anyone can confirm, that would be great.

Regards,
Salvatore