Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 902491

Summary: <media-gfx/cairosvg-2.7.0: fetches arbitrary resources from SVG files by default
Product: Gentoo Security Reporter: Michał Górny <mgorny>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: CONFIRMED ---    
Severity: normal    
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: B3 [glsa?]
Package list:
Runtime testing required: ---
Bug Depends on: 902493    
Bug Blocks:    

Description Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2023-03-21 05:36:09 UTC 
+Version 2.7.0 released on 2023-03-20
+====================================
+
+**WARNING:** this is a security update.
+
+When processing SVG files, CairoSVG could access other files online, possibly
+leading to very long renderings or other security problems.
+
+This feature is now disabled by default. External resources can still be
+accessed using the "unsafe" or the "url_fetcher" parameter.
Comment 1 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2023-03-22 06:23:06 UTC 
cleanup done.