exploitDog

SUSE-SU-2020:0604-1

Опубликовано: 06 мар. 2020

Источник: suse-cvrf

Описание

Security update for librsvg

This update for librsvg to version 2.40.21 fixes the following issues:

librsvg was updated to version 2.40.21 fixing the following issues:

CVE-2019-20446: Fixed an issue where a crafted SVG file with nested patterns can cause denial of service (bsc#1162501). NOTE: Librsvg now has limits on the number of loaded XML elements, and the number of referenced elements within an SVG document.
Fixed a stack exhaustion with circular references in elements.
Fixed a denial-of-service condition from exponential explosion of rendered elements, through nested use of SVG 'use' elements in malicious SVGs.

Список пакетов

Image SLES12-SP4-SAP-Azure-LI-BYOS-Production

gdk-pixbuf-loader-rsvg-2.40.21-5.9.1

librsvg-2-2-2.40.21-5.9.1

Image SLES12-SP4-SAP-Azure-VLI-BYOS-Production

gdk-pixbuf-loader-rsvg-2.40.21-5.9.1

librsvg-2-2-2.40.21-5.9.1

Image SLES12-SP5-SAP-Azure-LI-BYOS-Production

gdk-pixbuf-loader-rsvg-2.40.21-5.9.1

librsvg-2-2-2.40.21-5.9.1

Image SLES12-SP5-SAP-Azure-VLI-BYOS-Production

gdk-pixbuf-loader-rsvg-2.40.21-5.9.1

librsvg-2-2-2.40.21-5.9.1

SUSE Linux Enterprise Server 12 SP4

gdk-pixbuf-loader-rsvg-2.40.21-5.9.1

librsvg-2-2-2.40.21-5.9.1

librsvg-2-2-32bit-2.40.21-5.9.1

rsvg-view-2.40.21-5.9.1

SUSE Linux Enterprise Server 12 SP5

gdk-pixbuf-loader-rsvg-2.40.21-5.9.1

librsvg-2-2-2.40.21-5.9.1

librsvg-2-2-32bit-2.40.21-5.9.1

rsvg-view-2.40.21-5.9.1

SUSE Linux Enterprise Server for SAP Applications 12 SP4

gdk-pixbuf-loader-rsvg-2.40.21-5.9.1

librsvg-2-2-2.40.21-5.9.1

librsvg-2-2-32bit-2.40.21-5.9.1

rsvg-view-2.40.21-5.9.1

SUSE Linux Enterprise Server for SAP Applications 12 SP5

gdk-pixbuf-loader-rsvg-2.40.21-5.9.1

librsvg-2-2-2.40.21-5.9.1

librsvg-2-2-32bit-2.40.21-5.9.1

rsvg-view-2.40.21-5.9.1

SUSE Linux Enterprise Software Development Kit 12 SP4

librsvg-devel-2.40.21-5.9.1

typelib-1_0-Rsvg-2_0-2.40.21-5.9.1

SUSE Linux Enterprise Software Development Kit 12 SP5

librsvg-devel-2.40.21-5.9.1

typelib-1_0-Rsvg-2_0-2.40.21-5.9.1

Ссылки

https://www.suse.com/support/update/announcement/2020/suse-su-20200604-1/
Link for SUSE-SU-2020:0604-1
https://lists.suse.com/pipermail/sle-security-updates/2020-March/006583.html
E-Mail link for SUSE-SU-2020:0604-1
https://www.suse.com/support/security/rating/
SUSE Security Ratings
https://bugzilla.suse.com/1162501
SUSE Bug 1162501
https://www.suse.com/security/cve/CVE-2019-20446/
SUSE CVE CVE-2019-20446 page

Описание

In xml.rs in GNOME librsvg before 2.46.2, a crafted SVG file with nested patterns can cause denial of service when passed to the library for processing. The attacker constructs pattern elements so that the number of final rendered objects grows exponentially.

Затронутые продукты

Image SLES12-SP4-SAP-Azure-LI-BYOS-Production:gdk-pixbuf-loader-rsvg-2.40.21-5.9.1

Image SLES12-SP4-SAP-Azure-LI-BYOS-Production:librsvg-2-2-2.40.21-5.9.1

Image SLES12-SP4-SAP-Azure-VLI-BYOS-Production:gdk-pixbuf-loader-rsvg-2.40.21-5.9.1

Image SLES12-SP4-SAP-Azure-VLI-BYOS-Production:librsvg-2-2-2.40.21-5.9.1

Ссылки

https://www.suse.com/security/cve/CVE-2019-20446.html
CVE-2019-20446
https://bugzilla.suse.com/1162501
SUSE Bug 1162501