Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 710978 (CVE-2019-20446)

Summary: <gnome-base/librsvg-2.40.21: Resource exhaustion via crafted SVG file with nested patterns (CVE-2019-20446)
Product: Gentoo Security Reporter: GLSAMaker/CVETool Bot <glsamaker>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor CC: gnome
Priority: Normal Flags: stable-bot: sanity-check+
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://gitlab.gnome.org/GNOME/librsvg/issues/515
Whiteboard: B3 [noglsa cve]
Package list:
gnome-base/librsvg-2.40.21
 Runtime testing required: ---

Description GLSAMaker/CVETool Bot gentoo-dev 2020-02-27 18:19:38 UTC 
CVE-2019-20446 (https://nvd.nist.gov/vuln/detail/CVE-2019-20446):
  ** RESERVED ** This candidate has been reserved by an organization or
  individual that will use it when announcing a new security problem. When the
  candidate has been publicized, the details for this candidate will be
  provided.
Comment 1 Thomas Deutschmann (RETIRED) gentoo-dev 2020-02-27 18:20:40 UTC 
In xml.rs in GNOME librsvg before 2.46.2, a crafted SVG file with nested patterns can cause denial of service when passed to the library for processing. The attacker constructs pattern elements so that the number of final rendered objects grows exponentially.
Comment 2 Agostino Sarubbo gentoo-dev 2020-02-28 14:12:57 UTC 
amd64 stable
Comment 3 Agostino Sarubbo gentoo-dev 2020-02-28 17:51:40 UTC 
x86 stable
Comment 4 Rolf Eike Beer archtester 2020-02-29 12:04:08 UTC 
sparc stable
Comment 5 Agostino Sarubbo gentoo-dev 2020-03-02 12:34:29 UTC 
s390 stable
Comment 6 Agostino Sarubbo gentoo-dev 2020-03-02 12:38:27 UTC 
ia64 stable
Comment 7 Agostino Sarubbo gentoo-dev 2020-03-02 12:39:49 UTC 
ppc64 stable
Comment 8 Agostino Sarubbo gentoo-dev 2020-03-02 15:23:23 UTC 
ppc stable
Comment 9 Sergei Trofimovich (RETIRED) gentoo-dev 2020-03-02 20:22:47 UTC 
hppa stable
Comment 10 Agostino Sarubbo gentoo-dev 2020-03-05 12:49:54 UTC 
arm stable
Comment 11 Mart Raudsepp gentoo-dev 2020-03-17 08:36:47 UTC 
arm64 stable, cleanup done
Comment 12 Thomas Deutschmann (RETIRED) gentoo-dev 2020-03-25 20:10:49 UTC 
GLSA Vote: No

Repository is clean, all done!