Bug 447804 (CVE-2012-5656) - <media-gfx/inkscape-0.48.4: XXE via SVG rasterization (CVE-2012-5656)
Summary: <media-gfx/inkscape-0.48.4: XXE via SVG rasterization (CVE-2012-5656)
Status: RESOLVED FIXED
Alias: CVE-2012-5656
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard: B3 [noglsa]
Reported: 2012-12-19 11:02 UTC by Agostino Sarubbo
Modified: 2013-01-02 18:34 UTC (History)
Description Agostino Sarubbo gentoo-dev 2012-12-19 11:02:09 UTC
From $URL:

An XML eXternal Entity (XXE) flaw was found in the way Inkscape, a vector-based drawing program using SVG as its native file format, performed rasterization of certain SVG images. A remote attacker could provide a specially-crafted SVG image that, when opened in Inkscape, would lead to arbitrary local file disclosure or denial of service.

References:
[1] https://bugs.launchpad.net/inkscape/+bug/1025185
[2] http://www.openwall.com/lists/oss-security/2012/12/17/6
[3] https://bugzilla.novell.com/show_bug.cgi?id=794958

Reproducer:
[4] https://bugs.launchpad.net/inkscape/+bug/1025185/comments/1
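The mitigation this class of bug calls for, shown as an added example that is not part of this bug report or of Inkscape's own code: a standard-library Python pre-check that scans an SVG with expat and refuses any document declaring an external entity or an external DTD subset before it is handed to a rasterizer, without ever resolving a URI. The two SVG samples, including the `file:///placeholder/local-file` path, are constructed for the demonstration.

```python
import xml.parsers.expat


def find_external_references(data: bytes) -> list:
    """Scan an SVG with expat and return (kind, name, system_id) for every
    external entity or external DTD subset it declares. Nothing is fetched:
    the external-entity-reference handler refuses every request."""
    findings = []
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, system_id, public_id, has_internal_subset):
        if system_id is not None:  # <!DOCTYPE svg SYSTEM "..."> names a URI
            findings.append(("doctype", name, system_id))

    def on_entity_decl(name, is_param, value, base, system_id, public_id, notation):
        if system_id is not None:  # SYSTEM/PUBLIC entity: content lives outside the file
            findings.append(("parameter-entity" if is_param else "entity", name, system_id))

    def on_external_ref(context, base, system_id, public_id):
        return 0  # refuse: expat aborts with ExpatError instead of reading the URI

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_ref
    try:
        parser.Parse(data, True)
    except xml.parsers.expat.ExpatError:
        if not findings:
            raise  # genuinely malformed XML, not a refused external reference
    return findings


def is_safe_svg(data: bytes) -> bool:
    """Gate to run before rasterization: True only if nothing external is declared."""
    return not find_external_references(data)


# Constructed samples: the first uses the harmless internal entities some SVG
# editors emit; the second declares an external entity the way an XXE document
# would (placeholder path, not a real target).
SAFE_SVG = b"""<?xml version="1.0"?>
<!DOCTYPE svg [ <!ENTITY ns_svg "http://www.w3.org/2000/svg"> ]>
<svg xmlns="&ns_svg;" width="10" height="10"><rect width="10" height="10"/></svg>"""

UNSAFE_SVG = b"""<?xml version="1.0"?>
<!DOCTYPE svg [ <!ENTITY xxe SYSTEM "file:///placeholder/local-file"> ]>
<svg xmlns="http://www.w3.org/2000/svg"><text>&xxe;</text></svg>"""

if __name__ == "__main__":
    for label, doc in (("safe", SAFE_SVG), ("unsafe", UNSAFE_SVG)):
        verdict = "accept" if is_safe_svg(doc) else f"reject {find_external_references(doc)}"
        print(label, "->", verdict)
```

A renderer that keeps resolving entities after such a check is still exposed to internal-entity expansion (billion laughs), so the check complements, rather than replaces, disabling entity resolution in the XML library itself.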
Comment 1 Tim Harder gentoo-dev 2012-12-19 22:58:26 UTC
Feel free to stabilize 0.48.4 which should contain a fix for the issue.
Comment 2 Agostino Sarubbo gentoo-dev 2012-12-20 19:03:59 UTC
Arches, please test and mark stable:
=media-gfx/inkscape-0.48.4
Target keywords: "amd64 hppa ppc ppc64 x86"
Comment 3 Agostino Sarubbo gentoo-dev 2012-12-20 19:36:20 UTC
amd64 stable
Comment 4 Agostino Sarubbo gentoo-dev 2012-12-22 15:21:14 UTC
ppc stable
Comment 5 Agostino Sarubbo gentoo-dev 2012-12-23 19:30:35 UTC
ppc64 stable
Comment 6 Jeroen Roovers (RETIRED) gentoo-dev 2012-12-24 04:10:48 UTC
Stable for HPPA.
Comment 7 Agostino Sarubbo gentoo-dev 2012-12-27 17:24:55 UTC
x86 stable
Comment 8 Agostino Sarubbo gentoo-dev 2012-12-27 17:25:32 UTC
Vulnerable version removed, please vote
Comment 9 Sean Amoss (RETIRED) gentoo-dev Security 2012-12-29 15:08:03 UTC
GLSA vote: no.
Comment 10 Tim Sammut (RETIRED) gentoo-dev 2013-01-02 18:34:14 UTC
GLSA Vote: no, too. Closing noglsa.