Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 447804 (CVE-2012-5656) - <media-gfx/inkscape-0.48.4: XXE via SVG rasterization (CVE-2012-5656)
Summary: <media-gfx/inkscape-0.48.4: XXE via SVG rasterization (CVE-2012-5656)
Alias: CVE-2012-5656
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
Whiteboard: B3 [noglsa]
Depends on:
Reported: 2012-12-19 11:02 UTC by Agostino Sarubbo
Modified: 2013-01-02 18:34 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2012-12-19 11:02:09 UTC
From $URL :

An XML eXternal Entity (XXE) flaw was found in the way Inkscape, a vector-based drawing program 
using SVG as its native file format performed rasterization of certain SVG images. A remote 
attacker could provide a specially-crafted SVG image that, when opened in inkscape would lead to 
arbitrary local file disclosure or denial of service.


Comment 1 Tim Harder gentoo-dev 2012-12-19 22:58:26 UTC
Feel free to stabilize 0.48.4 which should contain a fix for the issue.
Comment 2 Agostino Sarubbo gentoo-dev 2012-12-20 19:03:59 UTC
Arches, please test and mark stable:
Target keywords : "amd64 hppa ppc ppc64 x86"
Comment 3 Agostino Sarubbo gentoo-dev 2012-12-20 19:36:20 UTC
amd64 stable
Comment 4 Agostino Sarubbo gentoo-dev 2012-12-22 15:21:14 UTC
ppc stable
Comment 5 Agostino Sarubbo gentoo-dev 2012-12-23 19:30:35 UTC
ppc64 stable
Comment 6 Jeroen Roovers (RETIRED) gentoo-dev 2012-12-24 04:10:48 UTC
Stable for HPPA.
Comment 7 Agostino Sarubbo gentoo-dev 2012-12-27 17:24:55 UTC
x86 stable
Comment 8 Agostino Sarubbo gentoo-dev 2012-12-27 17:25:32 UTC
Vulnerable version removed, please vote
Comment 9 Sean Amoss (RETIRED) gentoo-dev Security 2012-12-29 15:08:03 UTC
GLSA vote: no.
Comment 10 Tim Sammut (RETIRED) gentoo-dev 2013-01-02 18:34:14 UTC
GLSA Vote: no, too. Closing noglsa.