Description
Regular Expression Denial of Service in CairoSVG
Doyensec Vulnerability Advisory
- Regular Expression Denial of Service (REDoS) in cairosvg
- Affected Product: CairoSVG v2.0.0+
- Vendor: https://github.com/Kozea
- Severity: Medium
- Vulnerability Class: Denial of Service
- Author(s): Ben Caller (Doyensec)
Summary
When processing SVG files, the python package CairoSVG uses two regular expressions which are vulnerable to Regular Expression Denial of Service (REDoS). If an attacker provides a malicious SVG, it can make cairosvg get stuck processing the file for a very long time.
Technical description
The vulnerable regular expressions are
The section between 'rgb(' and the final ')' contains multiple overlapping groups.
Since all three infinitely repeating groups accept spaces, a long string of spaces causes catastrophic backtracking when it is not followed by a closing parenthesis.
The complexity is cubic, so doubling the length of the malicious string of spaces makes processing take 8 times as long.
Reproduction steps
Create a malicious SVG of the form:
with the following code:
Note that there is no closing parenthesis before the semicolon.
Run cairosvg e.g.:
and notice that it hangs at 100% CPU. Increasing the number of spaces increases the processing time with cubic complexity.
Remediation
Fix the regexes to avoid overlapping parts. Perhaps remove the [ \n\r\t]* groups from the regex, and use .strip() on the returned capture group.
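To make the technical description and the remediation above concrete, here is an added example (not CairoSVG's own code): the pattern shape the advisory describes is reconstructed as an assumption, placed beside a hardened form that follows the suggested fix (whitespace groups removed, `.strip()` on the capture), with a small parser and a timer showing why the overlapping groups matter. The names `parse_rgb`, `pathological_input` and `time_search` are the example's own.

```python
import re
import time

# Reconstruction (an assumption, not the project's code) of the pattern shape the
# advisory describes: optional whitespace, a lazy capture, optional whitespace, ')'.
# All three repeating groups accept spaces, so 'rgb(' followed by a run of spaces
# with no ')' backtracks in O(n^3).
VULNERABLE_RGB = re.compile(r'rgb\([ \n\r\t]*(.+?)[ \n\r\t]*\)')

# Hardened form following the advisory's remediation: no overlapping whitespace
# groups in the pattern; trimming is done on the captured text instead, so the
# failing case costs one linear scan.
FIXED_RGB = re.compile(r'rgb\((.+?)\)')


def parse_rgb(value, pattern=FIXED_RGB):
    """Return (r, g, b) as ints from an 'rgb(r, g, b)' string, or None on no match."""
    match = pattern.search(value)
    if match is None:
        return None
    parts = [part.strip() for part in match.group(1).strip().split(',')]
    if len(parts) != 3 or not all(part.isdigit() for part in parts):
        return None
    return tuple(int(part) for part in parts)


def pathological_input(n):
    """Constructed value of the kind the advisory describes: 'rgb(', n spaces, no ')'."""
    return 'rgb(' + ' ' * n + ';'


def time_search(pattern, value):
    """Seconds taken by one search; both patterns return None on the pathological input."""
    start = time.perf_counter()
    pattern.search(value)
    return time.perf_counter() - start


if __name__ == '__main__':
    # n is kept small on purpose: the vulnerable pattern's cost grows with n cubed.
    for n in (100, 200, 400):
        print(n,
              'vulnerable %.4fs' % time_search(VULNERABLE_RGB, pathological_input(n)),
              'fixed %.6fs' % time_search(FIXED_RGB, pathological_input(n)))
```

Doubling n roughly multiplies the vulnerable pattern's time by eight, as the description states, while the fixed pattern stays flat.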
Disclosure timeline
- 2020-12-30: Vulnerability disclosed via email to CourtBouillon
References
- https://github.com/Kozea/CairoSVG/security/advisories/GHSA-hq37-853p-g5cf
- https://nvd.nist.gov/vuln/detail/CVE-2021-21236
- https://github.com/Kozea/CairoSVG/commit/cfc9175e590531d90384aa88845052de53d94bf3
- https://github.com/Kozea/CairoSVG/releases/tag/2.5.1
- https://github.com/pypa/advisory-database/tree/main/vulns/cairosvg/PYSEC-2021-5.yaml
- https://pypi.org/project/CairoSVG
Packages
- CairoSVG: affected versions < 2.5.1, fixed in 2.5.1
Related vulnerabilities
CairoSVG is a Python (pypi) package. CairoSVG is an SVG converter based on Cairo. In CairoSVG before version 2.5.1, there is a regular expression denial of service (REDoS) vulnerability. When processing SVG files, the python package CairoSVG uses two regular expressions which are vulnerable to Regular Expression Denial of Service (REDoS). If an attacker provides a malicious SVG, it can make cairosvg get stuck processing the file for a very long time. This is fixed in version 2.5.1. See Referenced GitHub advisory for more information.