| Summary: | <gnome-base/librsvg-2.40.21: Information disclosure vulnerability in rsvg-io.c (CVE-2018-1000041) | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | GLSAMaker/CVETool Bot <glsamaker> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | minor | CC: | gnome, viklevin2 |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | B4 [noglsa cve] | | |
| Package list: | | Runtime testing required: | --- |
Description
GLSAMaker/CVETool Bot
2018-03-19 15:03:41 UTC
Patch: https://github.com/GNOME/librsvg/commit/c6ddf2ed4d768fd88adbea2b63f575cd523022ea

This is included in 2.41.2.

@maintainer(s), please create an appropriate ebuild, and call for stabilization when ready.

Comment #2 (Mart Raudsepp):

Is 2.40.21 vulnerable or not? It included some important fixes for the non-rust version.

Anything 2.41 and above can't ever go stable on arches without dev-lang/rust available upstream (some need arch work to get it going with upstream rust supporting the architecture).

(In reply to Mart Raudsepp from comment #2)
> Is 2.40.21 vulnerable or not? It included some important fixes for the
> non-rust version.
> Anything 2.41 and above can't ever go stable on arches without dev-lang/rust
> available upstream (some need arch work to get it going with upstream rust
> supporting the architecture).

This doesn't reference it: https://github.com/GNOME/librsvg/blob/13fbcd136977f3e765e22181404aafa59f8d8fb3/NEWS#L1

But yes, the patched code is in there! https://github.com/GNOME/librsvg/blob/13fbcd136977f3e765e22181404aafa59f8d8fb3/rsvg-base-file-util.c#L95 and so on in various commits like: https://github.com/GNOME/librsvg/commit/e9fef9c950e456b0535418f947a2d833a574414f

So yes, we're fine. Thank you!

GLSA Vote: No

Thank you all for your work. Closing as [noglsa].