581948 – (CVE-2016-4347) <gnome-base/librsvg-2.40.15: two DoS

Bug 581948 (CVE-2016-4347) - <gnome-base/librsvg-2.40.15: two DoS

Summary: <gnome-base/librsvg-2.40.15: two DoS

Status:	RESOLVED FIXED

Alias:	CVE-2016-4347

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal minor (vote)
Assignee:	Gentoo Security

URL:
Whiteboard:	B3 [noglsa]
Keywords:

Duplicates (1):	582410 (view as bug list)
Depends on:
Blocks:

Reported:	2016-05-03 09:08 UTC by Agostino Sarubbo
Modified:	2017-01-09 13:50 UTC (History)
CC List:	2 users (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Agostino Sarubbo gentoo-dev

2016-05-03 09:08:00 UTC

From https://bugzilla.redhat.com/show_bug.cgi?id=1331725:

A denial of service flaw was found in the way the librsvg2 library parsed SVG files. A specially 
crafted SVG file with circular definitions could cause an application using librsvg2 to crash.

This flaw is in the _rsvg_css_normalize_font_size() function.

Reference (including reproducer):

http://seclists.org/oss-sec/2016/q2/161


From https://bugzilla.redhat.com/show_bug.cgi?id=1331724:

A denial of service flaw was found in the way the librsvg2 library parsed SVG files. A specially 
crafted SVG file with circular definitions could cause an application using librsvg2 to crash.

This flaw is in the rsvg_cairo_pop_discrete_layer(), rsvg_cairo_pop_render_stack(), and 
rsvg_cairo_generate_mask() functions.

Reference (including reproducer):

http://seclists.org/oss-sec/2016/q2/161


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.

Comment 1 Pacho Ramos gentoo-dev

2016-05-08 08:53:24 UTC

*** Bug 582410 has been marked as a duplicate of this bug. ***

Comment 2 Pacho Ramos gentoo-dev

2016-05-08 08:56:56 UTC

All should be solved in .15 version:
http://seclists.org/oss-sec/2016/q2/175

Comment 3 Jeroen Roovers (RETIRED) gentoo-dev

2016-05-09 04:34:46 UTC

Stable for HPPA PPC64.

Comment 4 Agostino Sarubbo gentoo-dev

2016-05-11 10:50:47 UTC

amd64 stable

Comment 5 Agostino Sarubbo gentoo-dev

2016-05-11 10:51:56 UTC

x86 stable

Comment 6 Markus Meier gentoo-dev

2016-05-12 17:20:43 UTC

arm stable

Comment 7 Tobias Klausmann (RETIRED) gentoo-dev

2016-05-20 19:29:59 UTC

Stable on alpha.

Comment 8 Agostino Sarubbo gentoo-dev

2016-07-08 07:57:29 UTC

ppc stable

Comment 9 Agostino Sarubbo gentoo-dev

2016-07-08 10:06:01 UTC

sparc stable

Comment 10 Agostino Sarubbo gentoo-dev

2016-07-08 12:05:22 UTC

ia64 stable.

Maintainer(s), please cleanup.
Security, please vote.

Comment 11 Aaron Bauman (RETIRED) gentoo-dev

2016-11-20 06:27:52 UTC

Please clean version 2.40.11 so we can close this.

GLSA Vote: No

Comment 12 Aaron Bauman (RETIRED) gentoo-dev

2016-12-27 09:17:30 UTC

Please clean vulnerable version from tree.

Comment 13 Thomas Deutschmann (RETIRED) gentoo-dev

2017-01-08 23:18:53 UTC

Cleanup PR: https://github.com/gentoo/gentoo/pull/3395

Comment 14 Mart Raudsepp gentoo-dev

2017-01-09 11:52:31 UTC

(In reply to Thomas Deutschmann from comment #13)
> Cleanup PR: https://github.com/gentoo/gentoo/pull/3395

Could have just poked me on IRC about it or something. PRs for removals are rather useless, especially for people who don't fully embrace GH workflow. I'd have to add a remote just for some git rm's, instead of just telling what to remove, of course that'd keep authorship, but...
Anyhow, removed now. Note that your PR failed to remove a now stale patch, so I ignored the PR, feel free to close that separately as obsolete or whatever is appropriate there.

Comment 15 Thomas Deutschmann (RETIRED) gentoo-dev

2017-01-09 13:50:16 UTC

Cleanup via 3a8123f9e813cdc722aed971c6a8fdfea313e13c

@ Maintainer(s): Thank you!