CVE-2018-1000041 (https://nvd.nist.gov/vuln/detail/CVE-2018-1000041): GNOME librsvg version before commit c6ddf2ed4d768fd88adbea2b63f575cd523022ea contains a Improper input validation vulnerability in rsvg-io.c that can result in the victim's Windows username and NTLM password hash being leaked to remote attackers through SMB. This attack appear to be exploitable via The victim must process a specially crafted SVG file containing an UNC path on Windows. @Maintainers please let us know the best way to handle this. Thank you
Patch: https://github.com/GNOME/librsvg/commit/c6ddf2ed4d768fd88adbea2b63f575cd523022ea This is included in 2.41.2. @maintainer(s), please create an appropriate ebuild, and call for stabilization when ready.
Is 2.40.21 vulnerable or not? It included some important fixes for the non-rust version. Anything 2.41 and above can't ever go stable on arches without dev-lang/rust available upstream (some need arch work to get it going with upstream rust supporting the architecture).
(In reply to Mart Raudsepp from comment #2) > Is 2.40.21 vulnerable or not? It included some important fixes for the > non-rust version. > Anything 2.41 and above can't ever go stable on arches without dev-lang/rust > available upstream (some need arch work to get it going with upstream rust > supporting the architecture). This doesn't reference it: https://github.com/GNOME/librsvg/blob/13fbcd136977f3e765e22181404aafa59f8d8fb3/NEWS#L1 But yes, the patched code is in there! https://github.com/GNOME/librsvg/blob/13fbcd136977f3e765e22181404aafa59f8d8fb3/rsvg-base-file-util.c#L95 and so on in various commits like: https://github.com/GNOME/librsvg/commit/e9fef9c950e456b0535418f947a2d833a574414f So yes, we're fine. Thank you!
GLSA Vote: No Thank you all for you work. Closing as [noglsa].
