Описание
Security update for librsvg
This update for librsvg to version 2.42.8 fixes the following issues:
librsvg was updated to version 2.42.8 fixing the following issues:
- CVE-2019-20446: Fixed an issue where a crafted SVG file with nested patterns can cause denial of service (bsc#1162501). NOTE: Librsvg now has limits on the number of loaded XML elements, and the number of referenced elements within an SVG document.
- Fixed a stack exhaustion with circular references in elements.
- Fixed a denial-of-service condition from exponential explosion of rendered elements, through nested use of SVG 'use' elements in malicious SVGs.
This update was imported from the SUSE:SLE-15:Update update project.
Список пакетов
openSUSE Leap 15.1
gdk-pixbuf-loader-rsvg-2.42.8-lp151.3.3.1
gdk-pixbuf-loader-rsvg-32bit-2.42.8-lp151.3.3.1
librsvg-2-2-2.42.8-lp151.3.3.1
librsvg-2-2-32bit-2.42.8-lp151.3.3.1
librsvg-devel-2.42.8-lp151.3.3.1
rsvg-thumbnailer-2.42.8-lp151.3.3.1
rsvg-view-2.42.8-lp151.3.3.1
typelib-1_0-Rsvg-2_0-2.42.8-lp151.3.3.1
Ссылки
- E-Mail link for openSUSE-SU-2020:0343-1
- SUSE Security Ratings
- SUSE Bug 1162501
- SUSE CVE CVE-2019-20446 page
Описание
In xml.rs in GNOME librsvg before 2.46.2, a crafted SVG file with nested patterns can cause denial of service when passed to the library for processing. The attacker constructs pattern elements so that the number of final rendered objects grows exponentially.
Затронутые продукты
openSUSE Leap 15.1:gdk-pixbuf-loader-rsvg-2.42.8-lp151.3.3.1
openSUSE Leap 15.1:gdk-pixbuf-loader-rsvg-32bit-2.42.8-lp151.3.3.1
openSUSE Leap 15.1:librsvg-2-2-2.42.8-lp151.3.3.1
openSUSE Leap 15.1:librsvg-2-2-32bit-2.42.8-lp151.3.3.1
Ссылки
- CVE-2019-20446
- SUSE Bug 1162501