Bug 977985 - (CVE-2015-7558) VUL-1: CVE-2015-7558: librsvg2: DoS parsing SVGs with circular definitions in certain rsvg_cairo_*() functions
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other
OS: Other
Priority: P4 - Low
Severity: Normal
Assigned To: Security Team bot
https://smash.suse.de/issue/168410/
CVSSv2:RedHat:CVE-2016-4347:4.3:(AV:N...
Reported: 2016-05-02 07:58 UTC by Sebastian Krahmer
Modified: 2020-05-12 17:51 UTC (History)

Found By: Security Response Team


Attachments
circular-1.svg (1.41 KB, application/octet-stream)
2020-01-14 16:44 UTC, Wolfgang Frisch
circular-2.svg (2.23 KB, application/octet-stream)
2020-01-14 16:45 UTC, Wolfgang Frisch

Comment 2 Federico Mena Quintero 2016-05-25 23:53:07 UTC
The fixes have been in place since librsvg-2.40.12.  These days we can simply update to 2.40.15, which has a bunch of additional fixes.
Comment 3 Federico Mena Quintero 2016-06-20 16:44:28 UTC
We have very old versions of librsvg in our old distros (SLE-10-SP2 has 2.12.7, which is from before 2005!).

I'll see if it is possible to patch all the library source files to update them to the latest version; there is plenty of new code to deal with malicious SVG files.

There are some things that got removed in librsvg since that version (the GTK+ theme engine which practically no one was using, anyway), and it requires a new version of gdk-pixbuf.  I'll see what can be made to work.
Comment 4 Federico Mena Quintero 2016-10-14 17:19:43 UTC
I have a repository for the backports to librsvg-2.26.0 here:
https://gitlab.suse.de/federico-mena/librsvg/tree/suse-2.26.0-to-2.40.16

This is the codebase for 2.40.16 backported to 2.26.0, and adjusted to work with GTK2 (the new version uses GTK3).  This takes care of the CVEs.

It builds out of git, but I'm having trouble with the RPM.  I'll keep working on this.
Comment 5 Federico Mena Quintero 2017-01-11 00:48:01 UTC
Submitted to SUSE:SLE-11-SP1:Update with id 126310.

Submitted to SUSE:SLE-11:Update with id 126411.
Comment 6 Johannes Segitz 2017-01-11 12:43:10 UTC
CVE was rejected:
**  DO NOT USE THIS CANDIDATE NUMBER.  ConsultIDs: CVE-2015-7558.
Reason: This candidate is a reservation duplicate of CVE-2015-7558.  Notes: All CVE users should reference CVE-2015-7558 instead of this candidate.
Comment 7 Federico Mena Quintero 2017-01-11 20:52:33 UTC
(In reply to Johannes Segitz from comment #6)
> CVE was rejected:
> **  DO NOT USE THIS CANDIDATE NUMBER.  ConsultIDs: CVE-2015-7558.
> Reason: This candidate is a reservation duplicate of CVE-2015-7558.  Notes:
> All CVE users should reference CVE-2015-7558 instead of this candidate.

Ah, okay.  I just re-submitted to SUSE:SLE-11-SP1:Update with id 126449.  This one references CVE-2015-7558 and CVE-2016-6163.
Comment 8 Wolfgang Frisch 2020-01-14 16:44:33 UTC
Created attachment 827536 [details]
circular-1.svg

Reproducer #1
Comment 10 Wolfgang Frisch 2020-01-14 16:45:10 UTC
Created attachment 827537 [details]
circular-2.svg

Reproducer #2