Bug 650902 (CVE-2018-1000041)

Summary: <gnome-base/librsvg-2.40.21: Information disclosure vulnerability in rsvg-io.c (CVE-2018-1000041)
Product: Gentoo Security
Reporter: GLSAMaker/CVETool Bot <glsamaker>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: gnome, viklevin2
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
Whiteboard: B4 [noglsa cve]
Package list:
Runtime testing required: ---

Description GLSAMaker/CVETool Bot gentoo-dev 2018-03-19 15:03:41 UTC
CVE-2018-1000041 (https://nvd.nist.gov/vuln/detail/CVE-2018-1000041):
  GNOME librsvg version before commit c6ddf2ed4d768fd88adbea2b63f575cd523022ea
  contains an Improper input validation vulnerability in rsvg-io.c that can
  result in the victim's Windows username and NTLM password hash being leaked
  to remote attackers through SMB. This attack appears to be exploitable via:
  the victim must process a specially crafted SVG file containing a UNC path
  on Windows.


@Maintainers please let us know the best way to handle this.

Thank you
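
A defender-side check for the issue described above, as an added example that is not part of the bug report or of librsvg's patch: it scans an SVG for `href`/`xlink:href` attributes and CSS `url()` values that Windows would resolve as UNC paths. The function names, the sample SVG and the rule set (including treating `//host/share` as UNC) are assumptions made for illustration.

```python
import re
import xml.etree.ElementTree as ET

CSS_URL = re.compile(r"url\(\s*['\"]?([^'\")]+)['\"]?\s*\)", re.I)
SCHEME = re.compile(r"[a-z][a-z0-9+.-]*:", re.I)

def is_unc_reference(ref):
    """True if a Windows file API would resolve ref to a remote SMB host."""
    r = ref.strip().replace("\\", "/")        # \\host\share -> //host/share
    if r.lower().startswith("file:"):
        r = r[5:]
        if r.startswith("//"):                # file://<authority>/<path>
            authority, _, path = r[2:].partition("/")
            if authority.lower() not in ("", "localhost"):
                return True                   # file://host/share/...
            r = "/" + path                    # file:////host/share -> //host/share
    elif SCHEME.match(r):
        return False                          # http:, data:, or a drive letter such as C:
    if not r.startswith("//"):
        return False                          # relative path or #fragment
    host, _, path = r[2:].partition("/")
    if host in ("?", "."):                    # \\?\ and \\.\ device prefixes are local...
        return path.lower().startswith("unc/")   # ...except \\?\UNC\host\share
    return bool(host)

def find_unc_references(svg_text):
    """Return (element, attribute, value) for each reference that is a UNC path."""
    hits = []
    for el in ET.fromstring(svg_text).iter():
        tag = el.tag.rsplit("}", 1)[-1]
        candidates = [("#text", r) for r in CSS_URL.findall(el.text or "")] if tag == "style" else []
        for name, value in el.attrib.items():
            attr = name.rsplit("}", 1)[-1]    # href and xlink:href both become "href"
            refs = [value] if attr == "href" else CSS_URL.findall(value)
            candidates += [(attr, r) for r in refs]
        hits += [(tag, attr, r) for attr, r in candidates if is_unc_reference(r)]
    return hits

# Constructed sample: two remote references, one local file, one data: URI, one fragment.
SAMPLE_SVG = r"""<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" width="10" height="10">
  <image xlink:href="\\192.0.2.10\share\a.png" width="10" height="10"/>
  <image xlink:href="file://fileserver.example/share/b.png" width="10" height="10"/>
  <image href="file:///C:/local/c.png" width="10" height="10"/>
  <image xlink:href="data:image/png;base64,AAAA" width="10" height="10"/>
  <rect style="fill:url(#g)" width="10" height="10"/>
</svg>"""

if __name__ == "__main__":
    for hit in find_unc_references(SAMPLE_SVG):
        print("UNC reference:", hit)
```
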

Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-03-18 17:46:06 UTC
Patch: https://github.com/GNOME/librsvg/commit/c6ddf2ed4d768fd88adbea2b63f575cd523022ea

This is included in 2.41.2.

@maintainer(s), please create an appropriate ebuild, and call for stabilization when ready.

Comment 2 Mart Raudsepp gentoo-dev 2020-03-28 08:26:49 UTC
Is 2.40.21 vulnerable or not? It included some important fixes for the non-rust version.
Anything 2.41 and above can't ever go stable on arches without dev-lang/rust available upstream (some need arch work to get it going with upstream rust supporting the architecture).

Comment 3 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-03-30 15:46:18 UTC
(In reply to Mart Raudsepp from comment #2)
> Is 2.40.21 vulnerable or not? It included some important fixes for the
> non-rust version.
> Anything 2.41 and above can't ever go stable on arches without dev-lang/rust
> available upstream (some need arch work to get it going with upstream rust
> supporting the architecture).

This doesn't reference it: https://github.com/GNOME/librsvg/blob/13fbcd136977f3e765e22181404aafa59f8d8fb3/NEWS#L1

But yes, the patched code is in there!

https://github.com/GNOME/librsvg/blob/13fbcd136977f3e765e22181404aafa59f8d8fb3/rsvg-base-file-util.c#L95

and so on in various commits like:
https://github.com/GNOME/librsvg/commit/e9fef9c950e456b0535418f947a2d833a574414f

So yes, we're fine. Thank you!

Comment 4 Yury German Gentoo Infrastructure gentoo-dev 2020-04-16 06:59:39 UTC
GLSA Vote: No
Thank you all for your work.
Closing as [noglsa].